ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit e9aa62fedb52276e6dd6b8b6b1794547a189a86e
parent 2690a0ec9ea5edc4e608ee0bfff64d3e3ef4f256
Author: Florian Dold <florian@dold.me>
Date:   Mon, 19 May 2025 19:51:40 +0200

implement encrypt/decrypt helpers

Diffstat:
M README          |  7 ++-----
A contrib/decrypt | 30 ++++++++++++++++++++++++++++++
A contrib/encrypt | 21 +++++++++++++++++++++
3 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/README b/README @@ -33,17 +33,14 @@ For TOPS production, replace the "rusty" with "spec" to use the actual secrets for the deployment. For this, you first need to decrypt them: ``` -$ gpg -d inventories/host_vars/spec/prod-secrets.yml.gpg > inventories/host_vars/spec/prod-secrets.yml +$ ./contrib/decrypt inventories/host_vars/spec/prod-secrets.yml.gpg ``` Make sure to NEVER commit the decrypted production secrets to Git. Instead, if you had to edit them, re-encrypt them to all admins: ``` -$ cat inventories/host_vars/spec/prod-secrets.yml | gpg --encrypt \ - --recipient grothoff@gnunet.org \ - --recipient devan@taler.net \ - --recipient me@fdold.eu > inventories/host_vars/spec/prod-secrets.yml.gpg +$ ./contrib/encrypt inventories/host_vars/spec/prod-secrets.yml ``` ### sanction-check.sh diff --git a/contrib/decrypt b/contrib/decrypt @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Helper script to decrypt a file in +# the repository. +# Makes sure that the output file is ignored in git. + +set -eu + +if [[ -z ${1:-} ]]; then + echo "Usage: $0 FILE" >&2 + exit 1 +fi + +case $1 in + *.gpg) + ;; + *) + echo "Must be a .gpg file" >&2 + exit 1 + ;; +esac + +outfile="${1%.gpg}" + +if ! git check-ignore "$outfile" >/dev/null; then + echo "Output file must be gitignored" >&2 + exit 1 +fi + +gpg -d "$1" > "$outfile" diff --git a/contrib/encrypt b/contrib/encrypt @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +# Helper script to encrypt a file in +# the repository. +# Makes sure that the output file is ignored in git. + +set -eu + +if [[ -z ${1:-} ]]; then + echo "Usage: $0 FILE" >&2 + exit 1 +fi + +if ! git check-ignore "$outfile" >/dev/null; then + echo "Input file must be gitignored" >&2 + exit 1 +fi + +cat "$1" | gpg --encrypt \ + --recipient grothoff@gnunet.org \ + --recipient me@fdold.eu > "$1.gpg"
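Review bot: In the README hunk, the replaced `gpg --encrypt` command listed three recipients (`grothoff@gnunet.org`, `devan@taler.net`, `me@fdold.eu`), but the `contrib/encrypt` script this line now points to only passes two, so the sentence "re-encrypt them to all admins" no longer matches what the helper does; either add `--recipient devan@taler.net` to the script or note in the README that the admin list lives in `contrib/encrypt` and must be kept current. It would also help to mention here that both helpers refuse to run unless the plaintext path is gitignored, since that is the property the "NEVER commit" warning relies on.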
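Review bot: In the `contrib/decrypt` hunk, the last line `gpg -d "$1" > "$outfile"` creates the plaintext file through a shell redirect under the caller's umask before gpg writes anything, so decrypted production secrets can end up group- or world-readable; add `umask 077` next to `set -eu`, or let gpg create the file itself with `gpg --output "$outfile" --decrypt "$1"`. For the same reason a gpg failure (wrong key, bad passphrase) leaves an empty or partial `$outfile` behind; removing it on error (`trap 'rm -f "$outfile"' ERR`) keeps a stale file from being mistaken for valid secrets.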
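Review bot: In the `contrib/encrypt` hunk, `$outfile` is never assigned, so with `set -eu` the line `if ! git check-ignore "$outfile" >/dev/null; then` aborts with an unbound-variable error and the script can never reach gpg; it should test `"$1"`, which is also what the error message "Input file must be gitignored" describes. The `cat "$1" | gpg --encrypt ... > "$1.gpg"` pipeline can pass the file directly and let gpg own the output (`gpg --encrypt --recipient grothoff@gnunet.org --recipient me@fdold.eu --output "$1.gpg" "$1"`), which avoids a truncated `.gpg` file when gpg fails. Note too that the hardcoded recipient list here drops `devan@taler.net`, which the README command being removed in this same commit still included.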