Add edit-secrets script to bridge.o.o

This adds a script that will wrap emacs with gpg-agent when editing the secrets file. This avoids issues with rogue gpg-agents running on the system. Change-Id: Ic3cc73b5c25eab2ede41d8ca05b5695b817973d9
2019-02-27 08:43:45 -08:00 · 2019-02-27 08:43:45 -08:00 · 3ec0861e6b
parent 2f542dd518
commit 3ec0861e6b
4 changed files with 11 additions and 0 deletions
--- a/playbooks/bridge.yaml
+++ b/playbooks/bridge.yaml
@ -23,6 +23,7 @@
    - root-keys
    - ansible-cron
    - cloud-launcher-cron
+    - edit-secrets-script
  tasks:
    - name: Allow Zuul to trigger Ansible
      authorized_key:
--- a/playbooks/roles/edit-secrets-script/README.rst
+++ b/playbooks/roles/edit-secrets-script/README.rst
@ -0,0 +1,3 @@
+This role installs a script called `edit-secrets` to /usr/local/bin
+that allows you to safely edit the secrets file without needing to
+manage gpg-agent yourself.
--- a/playbooks/roles/edit-secrets-script/files/edit-secrets
+++ b/playbooks/roles/edit-secrets-script/files/edit-secrets
@ -0,0 +1,2 @@
+#!/bin/sh
+gpg-agent --daemon emacs /root/passwords/passwords.gpg
--- a/playbooks/roles/edit-secrets-script/tasks/main.yaml
+++ b/playbooks/roles/edit-secrets-script/tasks/main.yaml
@ -0,0 +1,5 @@
+- name: Copy edit-secrets script
+  copy:
+    mode: 0750
+    src: edit-secrets
+    dest: /usr/local/bin/edit-secrets