diff --git a/.gitignore b/.gitignore index 201651b..830a3b3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .ansible-vaultpass .venv/* +.git-crypt-backup/ diff --git a/CLAUDE.md b/CLAUDE.md index 523a170..13df40f 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -17,6 +17,8 @@ This is a home infrastructure deployment repository using Ansible for automated - `make vault` - Edit encrypted Ansible vault file - `make list-tags` - List all available Ansible tags - `make list-tasks` - List all Ansible tasks +- `make git-crypt-backup` - Backup git-crypt symmetric key (encrypted with GPG) +- `make git-crypt-restore` - Restore git-crypt symmetric key from backup ### Environment Setup The project uses Python virtualenv for dependency management: @@ -54,6 +56,9 @@ Containers are organized in `ansible/roles/podman/tasks/containers/`: - Ansible vault for encrypted secrets management - Password sourced from external password manager - Git-crypt for repository-level encryption (see `.gitattributes`) + - Symmetric key can be backed up locally in `.git-crypt-backup/` (encrypted with GPG) + - Use `make git-crypt-backup` to create a local encrypted backup + - Use `make git-crypt-restore` to recover from git-crypt corruption - SSH key-based authentication to target hosts - Caddy provides automatic HTTPS with LetsEncrypt certificates - Built-in security headers and IP-based access restrictions diff --git a/Makefile b/Makefile index d91586f..8d6598d 100644 --- a/Makefile +++ b/Makefile @@ -31,6 +31,7 @@ EXTRA_VARS?= ${VENV}: python3 -m venv ${VENV} + ${VENV_BIN}/python3 -m pip install --upgrade pip ${PIP}: ${VENV} ${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML}: ${VENV} requirements.txt 
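Review bot: The new recipe line in the `${VENV}` target (Makefile, first hunk) upgrades pip to whatever is current on PyPI at venv-creation time, while requirements.txt pins ansible and yamllint exactly, so the toolchain is only partly reproducible and a fresh venv built next month may get a different pip than the one tested today. If the upgrade is needed (newer resolver, for example), pin it the same way the rest of the tooling is pinned, e.g. `${VENV_BIN}/python3 -m pip install --upgrade 'pip==<PINNED_PIP_VERSION>'` (placeholder version), or add a pip line to requirements.txt and let the `${PIP}` target handle it. This is the only point in the hunk; the .gitignore and CLAUDE.md hunks on this line are trivial.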
@@ -69,3 +70,17 @@ vault: ${ANSIBLE_VAULT} ${VAULT_FILE} lint: ${LINT_YAML} ${SKIP_FILE} @printf "Running yamllint...\n" -@${LINT_YAML} ${YAML_FILES} + +# Git-crypt management +git-crypt-backup: + @printf "Backing up git-crypt symmetric key...\n" + @mkdir -p .git-crypt-backup + @gpg --batch --yes -e -r 70A4AA02555DBD559189B4E0F32BE05EADAA54FC -o .git-crypt-backup/symmetric-key.gpg .git/git-crypt/keys/default + @printf "Backup created at .git-crypt-backup/symmetric-key.gpg\n" + +git-crypt-restore: + @printf "Restoring git-crypt symmetric key from backup...\n" + @mkdir -p .git/git-crypt/keys + @gpg --batch --yes -d .git-crypt-backup/symmetric-key.gpg > .git/git-crypt/keys/default + @chmod 600 .git/git-crypt/keys/default + @printf "Key restored. Run 'git-crypt unlock' or just checkout files.\n" diff --git a/ansible/roles/podman/tasks/containers/skudak/cloud.yml b/ansible/roles/podman/tasks/containers/skudak/cloud.yml index 14be5bc..75f1f64 100644 --- a/ansible/roles/podman/tasks/containers/skudak/cloud.yml +++ b/ansible/roles/podman/tasks/containers/skudak/cloud.yml @@ -98,3 +98,13 @@ include_tasks: podman/systemd-generate.yml vars: container_name: skudak-cloud + +- name: disable nextcloud signup link in config + become: true + ansible.builtin.lineinfile: + path: "{{ cloud_skudak_path }}/config/config.php" + regexp: "^\\s*'simpleSignUpLink\\.shown'\\s*=>" + line: " 'simpleSignUpLink.shown' => false," + insertbefore: '^\);' + create: false + failed_when: false diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index c50cefc..caa3ad1 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml 
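Review bot: In `git-crypt-restore`, the shell redirection `> .git/git-crypt/keys/default` truncates the live key before gpg has decrypted anything, so a failed or cancelled decryption (wrong passphrase, missing private key, smartcard absent) leaves an empty key file in place of a working one, and the file then exists under the shell's default umask until the following `chmod 600` runs. Decrypt into a temporary file under a restrictive umask and move it into place only on success; since each recipe line runs in its own shell, the umask has to be set on the same line: `@umask 077; mkdir -p .git/git-crypt/keys` and `@umask 077; gpg --batch --yes -d -o .git/git-crypt/keys/default.tmp .git-crypt-backup/symmetric-key.gpg && mv .git/git-crypt/keys/default.tmp .git/git-crypt/keys/default`, after which the separate `chmod 600` becomes redundant. Both targets also read and write git-crypt's internal key path directly; `git-crypt export-key` is the documented way to obtain the symmetric key, and a comment saying why the internal path is used (`# reads the key directly so restore works even when git-crypt cannot unlock the repo`) would help the next maintainer. In the backup target, `gpg --batch` will refuse to encrypt to a recipient that is not marked trusted in the local keyring; if this ever runs on a machine where the key is merely imported, expect the target to fail rather than produce an unencrypted backup, which is the right failure mode but worth a comment.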
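Review bot: In the new cloud.yml task, `failed_when: false` combined with `create: false` means the hardening step is skipped silently on exactly the deployment where it matters most: a fresh install where the container has not yet generated `config/config.php`, so the public signup link stays enabled and the play still reports success. It also hides every other failure of the task (unwritable file, bad path, malformed config), so a later regression would go unnoticed. Guard the task on the file's existence and let other errors surface, as sketched below; a short task comment such as `# config.php is written by the container on first start; this only patches an existing file` documents the intent. Minor style point: `regexp` uses double quotes with doubled backslashes while `insertbefore` uses single quotes; single quotes for both regexes avoids the escaping layer. The enclosing task list starts outside the hunk.

```yaml
- name: check whether nextcloud config has been generated
  become: true
  ansible.builtin.stat:
    path: "{{ cloud_skudak_path }}/config/config.php"
  register: skudak_cloud_config

- name: disable nextcloud signup link in config
  become: true
  ansible.builtin.lineinfile:
    path: "{{ cloud_skudak_path }}/config/config.php"
    # … unchanged: regexp, line, insertbefore, create …
  when: skudak_cloud_config.stat.exists
```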
@@ -62,13 +62,13 @@ - import_tasks: containers/home/cloud.yml vars: db_image: docker.io/library/mariadb:10.6 - image: docker.io/library/nextcloud:31.0.6-apache + image: docker.io/library/nextcloud:32.0.1-apache tags: cloud - import_tasks: containers/skudak/cloud.yml vars: db_image: docker.io/library/mariadb:10.6 - image: docker.io/library/nextcloud:31.0.6-apache + image: docker.io/library/nextcloud:32.0.1-apache tags: skudak, skudak-cloud - import_tasks: containers/debyltech/fulfillr.yml diff --git a/requirements.txt b/requirements.txt index 02953e5..c1184f4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible==11.0.0 +ansible==12.2.0 yamllint==1.37.1