diff --git a/devSecOps/ansible_decrypt.md b/devSecOps/ansible_decrypt.md
new file mode 100644
index 0000000..69627d7
--- /dev/null
+++ b/devSecOps/ansible_decrypt.md
@@ -0,0 +1,260 @@
+# Ansible Vault SSH Key Management Guide
+
+## Overview
+This document explains how to securely manage SSH private keys using Ansible Vault and the copy module with decryption capabilities, including proper playbook configuration to handle decryption before fact gathering.
+
+## Important: Playbook Configuration
+
+### Critical Setup Requirements
+```yaml
+---
+- name: Deploy with encrypted SSH key
+ hosts: all
+ gather_facts: false # ⚠️ ESSENTIAL - prevents early SSH connection attempts
+ vars:
+ ssh_private_key_file: key/deploy # Path to your encrypted key file
+
+ tasks:
+ # Your decryption and deployment tasks here
+```
+
+### Why `gather_facts: false` is Mandatory
+
+**Without `gather_facts: false`:**
+- Ansible attempts to connect to target hosts immediately
+- It tries to use SSH with the default SSH agent configuration
+- Fails because the encrypted key isn't decrypted yet
+- Playbook stops before reaching your decryption task
+
+**With `gather_facts: false`:**
+- Ansible skips the initial fact gathering phase
+- Allows your decryption task to run first
+- You control when and how the SSH key is used
+
+## Step 1: Encrypt SSH Private Key with Ansible Vault
+
+### Encrypt an existing SSH key:
+```bash
+# Method 1: Interactive password prompt
+ansible-vault encrypt key/deploy --ask-vault-pass
+
+# Method 2: Using a password file
+ansible-vault encrypt key/deploy --vault-password-file vault_pass.txt
+
+# Method 3: Using vault ID
+ansible-vault encrypt key/deploy --vault-id deploy@vault_pass.txt
+```
+
+### Create a new encrypted SSH key:
+```bash
+ansible-vault create key/deploy --vault-password-file vault_pass.txt
+```
+
+### Verify encrypted content:
+```bash
+ansible-vault view key/deploy --vault-password-file vault_pass.txt
+```
+
+## Step 2: Complete Ansible Playbook Example
+
+### Full playbook structure:
+```yaml
+---
+- name: Deploy using encrypted SSH key
+ hosts: all
+ gather_facts: false # CRITICAL: Must be disabled
+ vars:
+ ssh_private_key_file: key/deploy
+ decrypted_key_path: /tmp/ansible_deploy_key
+
+ tasks:
+ - name: Decrypt SSH private key
+ copy:
+ src: "{{ ssh_private_key_file }}"
+ dest: "{{ decrypted_key_path }}"
+ decrypt: yes
+ mode: '0600'
+ delegate_to: localhost
+ become: false
+ run_once: true
+
+ - name: Enable fact gathering with decrypted key
+ setup:
+ delegate_to: localhost
+ become: false
+
+ - name: Use the decrypted key for deployment
+ ansible.builtin.shell: |
+ ssh -i "{{ decrypted_key_path }}" \
+ -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ deploy@{{ inventory_hostname }} 'deployment_command'
+ args:
+ executable: /bin/bash
+
+ - name: Remove decrypted SSH key (cleanup)
+ file:
+ path: "{{ decrypted_key_path }}"
+ state: absent
+ delegate_to: localhost
+ become: false
+ always: yes
+```
+
+## Step 3: Running the Playbook
+
+### Execution methods:
+```bash
+# With password file
+ansible-playbook playbook.yml --vault-password-file vault_pass.txt
+
+# Interactive password prompt
+ansible-playbook playbook.yml --ask-vault-pass
+
+# With vault ID
+ansible-playbook playbook.yml --vault-id deploy@vault_pass.txt
+
+# With inventory file
+ansible-playbook -i hosts.ini playbook.yml --vault-password-file vault_pass.txt
+```
+
+## Step 4: Advanced Error Handling & Security
+
+### Robust playbook with proper error handling:
+```yaml
+---
+- name: Secure deployment with encrypted SSH key
+ hosts: all
+ gather_facts: false
+ vars:
+ ssh_private_key_file: key/deploy
+ decrypted_key_path: "/tmp/ansible_deploy_key_{{ ansible_date_time.epoch }}"
+
+ tasks:
+ - name: Ensure encrypted key file exists
+ stat:
+ path: "{{ ssh_private_key_file }}"
+ register: key_file
+ delegate_to: localhost
+ become: false
+
+ - name: Fail if encrypted key is missing
+ fail:
+ msg: "Encrypted SSH key file {{ ssh_private_key_file }} not found"
+ when: not key_file.stat.exists
+ delegate_to: localhost
+ become: false
+
+ - name: Decrypt SSH private key
+ copy:
+ src: "{{ ssh_private_key_file }}"
+ dest: "{{ decrypted_key_path }}"
+ decrypt: yes
+ mode: '0600'
+ delegate_to: localhost
+ become: false
+ run_once: true
+
+ - name: Verify decrypted key permissions
+ file:
+ path: "{{ decrypted_key_path }}"
+ mode: '0600'
+ delegate_to: localhost
+ become: false
+
+ - name: Gather facts using decrypted key (if needed)
+ setup:
+ delegate_to: localhost
+ become: false
+
+ - name: Perform deployment tasks
+ block:
+ - name: Execute remote deployment
+ ansible.builtin.shell: |
+ ssh -i "{{ decrypted_key_path }}" \
+ -o ConnectTimeout=30 \
+ -o StrictHostKeyChecking=no \
+ deploy@{{ inventory_hostname }} 'your_deployment_script'
+ args:
+ executable: /bin/bash
+ register: deployment_result
+
+ - name: Display deployment output
+ debug:
+ var: deployment_result.stdout
+
+ rescue:
+ - name: Handle deployment failure
+ debug:
+ msg: "Deployment failed - check SSH connectivity and permissions"
+
+ always:
+ - name: Always remove decrypted key
+ file:
+ path: "{{ decrypted_key_path }}"
+ state: absent
+ delegate_to: localhost
+ become: false
+```
+
+## Security Best Practices
+
+### 1. File Security:
+```bash
+# Secure permissions for password files
+chmod 600 vault_pass.txt
+
+# Secure permissions for encrypted key
+chmod 600 key/deploy
+```
+
+### 2. Temporary File Safety:
+- Use unique temporary filenames with timestamps
+- Set strict permissions (0600)
+- Always clean up, even on failure
+
+### 3. Key Management:
+- Never store unencrypted keys in version control
+- Rotate deployment keys regularly
+- Use different keys for different environments
+
+## Troubleshooting
+
+### Common Issues & Solutions:
+
+1. **"Permission denied" errors:**
+ - Verify vault password is correct
+ - Check encrypted file permissions
+ - Ensure cleanup tasks run successfully
+
+2. **SSH connection failures:**
+ - Verify the decrypted key is authorized on target hosts
+ - Check network connectivity
+ - Validate target host accessibility
+
+3. **Fact gathering issues:**
+ - Use `gather_facts: false` in main playbook
+ - Manually call `setup` module after decryption if needed
+
+### Debug Commands:
+```bash
+# Test vault decryption
+ansible-vault view key/deploy --vault-password-file vault_pass.txt
+
+# Verify playbook syntax
+ansible-playbook playbook.yml --syntax-check
+
+# Dry run to see what would happen
+ansible-playbook playbook.yml --vault-password-file vault_pass.txt --check
+```
+
+## Summary
+The key points for successful encrypted SSH key management:
+
+1. **Always use `gather_facts: false`** in the main playbook
+2. **Decrypt the key early** in your tasks
+3. **Use unique temporary paths** for decrypted keys
+4. **Always clean up** decrypted keys, even on failures
+5. **Secure your vault passwords** with proper file permissions
+
+This approach ensures your SSH keys remain encrypted at rest and are only temporarily decrypted during execution, maintaining security throughout your deployment process.
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 10-47-11.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 10-47-11.png
new file mode 100644
index 0000000..bf2bc55
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 10-47-11.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-32-47.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-32-47.png
new file mode 100644
index 0000000..bc7e5c5
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-32-47.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-34-33.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-34-33.png
new file mode 100644
index 0000000..e60fbc9
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-34-33.png differ
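Review bot: The ssh invocations in both the Step 2 and Step 4 playbooks pass `-o StrictHostKeyChecking=no` (Step 2 also `-o UserKnownHostsFile=/dev/null`), which turns off host-key verification for the very connection that presents the decrypted deployment key, so a play titled "Secure deployment" authenticates to whatever answers at `inventory_hostname`; drop those options and provision a known_hosts entry for the targets, or at most use `-o StrictHostKeyChecking=accept-new`. The Step 4 playbook sets `decrypted_key_path` from `ansible_date_time.epoch` while `gather_facts: false` is in effect, so that variable is undefined when the first `stat`/`copy` task renders it and the play fails before anything is decrypted; a registered `ansible.builtin.tempfile` task on localhost (e.g. `- name: Create private temp file for decrypted key`, `ansible.builtin.tempfile: {state: file, suffix: deploy_key}`, `register: key_tmp`, then `dest: "{{ key_tmp.path }}"`) yields a unique, non-predictable, 0600 path without relying on facts and also replaces the fixed, guessable `/tmp/ansible_deploy_key` of Step 2. In the Step 2 playbook, `always: yes` on the cleanup task is not a task keyword, so that example errors at parse time and the cleanup-on-failure the text promises exists only in the Step 4 `block`/`always` form, which the Step 2 example should adopt. The `setup` tasks delegated to localhost gather the controller's facts and do not involve the decrypted key at all, so their names ("Enable fact gathering with decrypted key", "Gather facts using decrypted key") mislead; either remove them or rename them to say they gather localhost facts. For the same reason the "Why `gather_facts: false` is Mandatory" section should note that fact gathering would use the connection plugin's key (`ansible_ssh_private_key_file`), not the vaulted file, so disabling it only matters because this guide connects via a shell `ssh` call.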
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-35-21.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-35-21.png
new file mode 100644
index 0000000..e65754d
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-35-21.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-09.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-09.png
new file mode 100644
index 0000000..18f3ead
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-09.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-40.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-40.png
new file mode 100644
index 0000000..dc527f6
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-40-40.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-47-23.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-47-23.png
new file mode 100644
index 0000000..f28cc4e
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-47-23.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-49-20.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-49-20.png
new file mode 100644
index 0000000..c849315
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 11-49-20.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-09-52.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-09-52.png
new file mode 100644
index 0000000..5bc566d
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-09-52.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-12-19.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-12-19.png
new file mode 100644
index 0000000..6ce9317
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-12-19.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-15-18.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-15-18.png
new file mode 100644
index 0000000..5812838
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 12-15-18.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-07-23.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-07-23.png
new file mode 100644
index 0000000..6b97a3b
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-07-23.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-08-02.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-08-02.png
new file mode 100644
index 0000000..ebf5ac5
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-08-02.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-10-45.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-10-45.png
new file mode 100644
index 0000000..7b73efc
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-10-45.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-11-15.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-11-15.png
new file mode 100644
index 0000000..1d278a0
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-11-15.png differ
diff --git a/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-13-50.png b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-13-50.png
new file mode 100644
index 0000000..741636d
Binary files /dev/null and b/gitlab/gitlab_cicd/Capture d’écran du 2023-03-06 15-13-50.png differ
diff --git a/gitlab/gitlab_pages.txt b/gitlab/gitlab_pages.txt
new file mode 100644
index 0000000..2b555ec
--- /dev/null
+++ b/gitlab/gitlab_pages.txt
@@ -0,0 +1,26 @@
+affectation d'un nom de domaine sur un projet gitlab
+==========================================================
+
+https://docs.framasoft.org/fr/gitlab/gitlab-pages.html#configuration-dns
+
+settings > Pages
+
+- ajouter un domaine (celui qu'on veut) exemple : test.pedrolalune.fr
+
+sur le gitlab de framagit, mon projet est titi
+https://gwen71.frama.io/titi/
+
+configuration dns chez ovh :
+
+- faire la redirection (CNAME)
+
+exemple test.pedrolalune.fr -> gwen71.frama.io.
+- TXT :
+_gitlab-pages-verification-code.test ->
+"_gitlab-pages-verification-code.test.pedrolalune.fr TXT
+gitlab-pages-verification-code=2613sdfsdfsfdsdfsdf"
+
+puis retourner dans les Pages gitlab,
+et appuyer sur le bouton de vérification du nom de domaine.
+
+
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-06 18-37-05.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-06 18-37-05.png
new file mode 100644
index 0000000..58018b3
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-06 18-37-05.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 10-31-24.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 10-31-24.png
new file mode 100644
index 0000000..44b41cf
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 10-31-24.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-13-19.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-13-19.png
new file mode 100644
index 0000000..a1d7dc5
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-13-19.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-14-55.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-14-55.png
new file mode 100644
index 0000000..f09fdb3
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-14-55.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-44.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-44.png
new file mode 100644
index 0000000..3535a93
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-44.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-58.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-58.png
new file mode 100644
index 0000000..1cbe8e4
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-18-58.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-19-08.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-19-08.png
new file mode 100644
index 0000000..02dda0f
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-19-08.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-21-46.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-21-46.png
new file mode 100644
index 0000000..87889d4
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-21-46.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-22-21.png b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-22-21.png
new file mode 100644
index 0000000..1bb36ee
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-03-07 11-22-21.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-35-05.png b/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-35-05.png
new file mode 100644
index 0000000..c59f70e
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-35-05.png differ
diff --git a/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-49-11.png b/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-49-11.png
new file mode 100644
index 0000000..fb5a015
Binary files /dev/null and b/gitlab/gitlab_pages/Capture d’écran du 2023-05-04 13-49-11.png differ