
Fernando K pushed to branch main at Root / DBRoot / PostgreSQL
Commits:
efc8ac18 by Fernando Monteiro Kiotheka at 2025-08-06T16:17:22-03:00
feat: upgrade to new setup
- - - - -
4 changed files:
- .gitlab-ci.yml
- ansible/ansible.cfg
- ansible/main.yml
- + get-key-from-bao.sh
Changes:
=====================================
.gitlab-ci.yml
=====================================
@@ -24,24 +24,7 @@ sync:
 stage: deploy
 allow_failure: true
 script:
- - |
- ssh-keygen -t ed25519 -f key -N '' -q <<<y > /dev/null 2>&1
- UNSIGNED_SSH_KEY=$(cat key.pub)
- response=$(curl -X POST -H "X-Vault-Token: $CI_VAULT_TOKEN" -d "{\"public_key\": \"$UNSIGNED_SSH_KEY\"}" $CI_VAULT_ADDR/v1/$CI_VAULT_SIGNER_AUTHORITY_PATH)
- if [ $? -eq 0 ]; then
- SIGNED_KEY=$(echo $response | jq -r .data.signed_key)
- if [ "$SIGNED_KEY" != "null" ]; then
- echo $SIGNED_KEY > key-cert.pub
- chmod 644 key-cert.pub
- else
- echo "Failed to retrieve SSH key: SSH key is empty"
- exit 1
- fi
- else
- echo "Failed to retrieve SSH key: Request to Vault failed"
- exit 1
- fi
-
+ - bash get-key-from-bao.sh
 - |
 cd ansible
 if ./verify-hostnames.sh ../pg_hba.conf; then
=====================================
ansible/ansible.cfg
=====================================
@@ -1,7 +1,7 @@
 [defaults]
 inventory = inv.ini
 forks = 150
-remote_user = ansible
+remote_user = root
 remote_tmp = /tmp
 host_key_checking = no
=====================================
ansible/main.yml
=====================================
@@ -5,7 +5,6 @@
 #
 - name : Overwrite files
 hosts : all
- become: yes
 gather_facts: no
 tasks:
=====================================
get-key-from-bao.sh
=====================================
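Review bot: The new step `- bash get-key-from-bao.sh` depends on `$VAULT_TOKEN` and `$VAULT_ADDR`, whereas the inline script it replaces read `$CI_VAULT_TOKEN`, `$CI_VAULT_ADDR` and `$CI_VAULT_SIGNER_AUTHORITY_PATH`; unless the project's CI variables were renamed in the same change, the step will POST to an empty address with an empty token, and because the job carries `allow_failure: true` the pipeline stays green while the sync never runs. A guard at the top of the script such as `: "${VAULT_ADDR:?}" "${VAULT_TOKEN:?}"` turns that into a clear error, and the two variables should be marked masked and protected in the project settings. Note also that the old flow generated the key pair on the runner and only ever sent the public key out for signing, while the `issue` endpoint now mints the private key inside the signer and returns it over the API, so the token's policy and the TLS path to `$VAULT_ADDR` now guard a private key rather than a public one — worth stating in the commit message or a comment above the step. The job's `script:` block continues past the end of this hunk.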
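Review bot: `remote_user = root` is set while the unchanged `host_key_checking = no` on the line below it remains, so the playbook now opens a direct root session to hosts whose identity is never verified; combined with the `become: yes` removal in ansible/main.yml (same commit) every task runs with full privileges from the first connection, with no unprivileged account as a boundary. For this to work at all, the certificate issued by the `ssh-client-signer/issue/ansible` role must list `root` among its principals and sshd on the targets must accept certificate-based root login, otherwise the sync fails — presumably silently, given the job's `allow_failure: true`. Keeping a dedicated `ansible` user with `become`, and replacing `host_key_checking = no` with a maintained known_hosts file or host certificates signed by the same CA, would preserve both the privilege boundary and server authentication.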
@@ -0,0 +1,11 @@
+#!/bin/sh
+response=$(curl --no-progress-meter --request POST \
+ --header "X-Vault-Token: $VAULT_TOKEN" --data '{"key_type": "ed25519"}' \
+ "$VAULT_ADDR/v1/ssh-client-signer/issue/ansible") \
+ || { echo "Failed to retrieve SSH key: Request to Vault failed"; exit 1; }
+private_key=$(printf "%s" "$response" | jq --raw-output .data.private_key)
+signed_key=$(printf "%s" "$response" | jq --raw-output .data.signed_key)
+[ "$signed_key" != "null" ] && [ "$private_key" != "null" ] \
+ || { echo "Failed to retrieve SSH key: SSH key is empty"; exit 1; }
+printf "%s\n" "$private_key" >key && chmod 600 key
+printf "%s\n" "$signed_key" >key-cert.pub && chmod 644 key-cert.pub
View it on GitLab: https://gitlab.c3sl.ufpr.br/root/dbroot/postgresql-sync-config/-/commit/efc8...
--
View it on GitLab: https://gitlab.c3sl.ufpr.br/root/dbroot/postgresql-sync-config/-/commit/efc8...
You're receiving this email because of your account on gitlab.c3sl.ufpr.br.
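Review bot: `printf "%s\n" "$private_key" >key && chmod 600 key` creates the private key file under the runner's default umask and only then tightens it, so with a usual umask of 022 the key is world-readable for a moment; put `umask 077` before the two `printf` lines (the certificate keeps its explicit `chmod 644`). The emptiness check on the line above it also only catches the literal string `null`: curl exits 0 on an HTTP 4xx/5xx without `--fail`, and when the body is not JSON jq prints nothing to stdout, so both variables come back empty and the script writes two empty files and exits 0; use `curl --fail --no-progress-meter …` and test `[ -n "$signed_key" ] && [ "$signed_key" != "null" ] && [ -n "$private_key" ] && [ "$private_key" != "null" ] \`. `$VAULT_TOKEN` is passed on the curl command line and is therefore visible to any process listing on the runner for the duration of the call — supplying it via `--header @file` from a file created with `umask 077` avoids that. Both `echo` error messages go to stdout; sending them to stderr (`>&2`) keeps them out of anything that captures the job's output.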