Ansible inventory script - dynamic inventory 2 - CSV
Requirements:
- Inventory based on a CSV file
See also:
- Options:
Host Filter,Enabled Variable,Enabled Value
Example CSV file
inv.csv
hostname;fqdn;env;ip;os_system;os_distrib;os_majeur_version
srvweb1;srvweb1.acme.local;prod;192.168.1.10;linux;redhat;8
srvweb2;srvweb2.acme.local;dev;192.168.1.11;linux;redhat;8
Python Inventory Script
inventory_from_csv.py
#!/usr/bin/env python3
"""
CSV external inventory script.
# Creative Commons CC0 Public Domain Licence
"""
import sys
import csv
import argparse
import json
from ansible.module_utils._text import to_text

_GROUP = 'GROUPE1'
mapping = {}


def parser_args():
    parser = argparse.ArgumentParser(description="")
    parser.add_argument('--list', default=False, dest="list", action="store_true",
                        help="Produce a JSON consumable grouping of servers for Ansible")
    parser.add_argument('--host', default=None, dest="host",
                        help="Generate additional host specific details for given host for Ansible")
    return parser


def mk_inventory_from_csv():
    """ Make inventory from CSV file """
    mapping['_meta'] = {}
    mapping['_meta']['hostvars'] = {}
    mapping[_GROUP] = {}
    mapping[_GROUP]['hosts'] = []
    # inv.csv is read relative to the current directory, with ';' as separator
    with open('inv.csv', newline='') as csvfile:
        csvreader = csv.DictReader(csvfile, delimiter=';')
        for row in csvreader:
            hostname = to_text(row['hostname'].strip())
            mapping['_meta']['hostvars'][hostname] = {}
            mapping['_meta']['hostvars'][hostname]['ansible_host'] = to_text(row['fqdn'].strip())
            mapping['_meta']['hostvars'][hostname]['env'] = to_text(row['env'].strip())
            mapping[_GROUP]['hosts'].append(hostname)


def get_host_details(host):
    """ Get json hostvars for specified host """
    # Ansible expects an empty JSON object for an unknown host, not a traceback
    host = mapping['_meta']['hostvars'].get(host, {})
    return json.dumps(host, indent=4)


args = parser_args().parse_args()


def main():
    if args.list:
        mk_inventory_from_csv()
        print(json.dumps(mapping, indent=4))
        sys.exit(0)
    elif args.host:
        mk_inventory_from_csv()
        print(get_host_details(args.host))
        sys.exit(0)
    else:
        # parser_args is a function: call it to obtain the parser before printing help
        parser_args().print_help()
        sys.exit(0)


if __name__ == '__main__':
    main()
Testing
chmod +x inventory_from_csv.py
./inventory_from_csv.py --list | jq .
./inventory_from_csv.py --host srvweb1 | jq .
ansible-inventory -i inventory_from_csv.py --list
ansible-inventory -i inventory_from_csv.py --host srvweb1
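A hardened variant of the same idea, added here as an example (it is not the page's script): it builds the inventory from ';'-separated CSV text, puts each host into an env_* and an os_* group instead of the single GROUPE1, validates the ip column, rejects host or group names Ansible could not use, and returns {} for an unknown --host as Ansible expects. The sample CSV, the group naming and the function names are constructed for this example.

```python
"""Added example: CSV inventory with per-column groups and input checks."""
import csv
import io
import ipaddress
import json
import re

# Constructed sample with the same columns as the page's inv.csv (';' separated)
SAMPLE_CSV = """hostname;fqdn;env;ip;os_system;os_distrib;os_majeur_version
srvweb1;srvweb1.acme.local;prod;192.168.1.10;linux;redhat;8
srvweb2;srvweb2.acme.local;dev;192.168.1.11;linux;redhat;8
bad host;x.acme.local;dev;not-an-ip;linux;debian;11
"""

# A CMDB export can contain anything; only plain names become hosts and groups
_SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_inventory(csv_text):
    """Return (inventory, rejected_hostnames) for ';'-separated CSV text."""
    inv = {"_meta": {"hostvars": {}}, "all": {"children": []}}
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        host, env = row["hostname"].strip(), row["env"].strip()
        distrib = row["os_distrib"].strip()
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            ip = None
        if ip is None or not all(_SAFE.match(x) for x in (host, env, distrib)):
            rejected.append(host)  # skip the row: one bad line must not empty the inventory
            continue
        inv["_meta"]["hostvars"][host] = {
            "ansible_host": row["fqdn"].strip(), "ip": ip, "env": env,
            "os_majeur_version": row["os_majeur_version"].strip()}
        # one group per environment and one per distribution, all children of 'all'
        for group in ("env_" + env, "os_" + distrib):
            inv.setdefault(group, {"hosts": []})["hosts"].append(host)
            if group not in inv["all"]["children"]:
                inv["all"]["children"].append(group)
    return inv, rejected


def host_details(inv, host):
    """--host output: the hostvars of one host, or {} for an unknown host."""
    return json.dumps(inv["_meta"]["hostvars"].get(host, {}), indent=4)


if __name__ == "__main__":
    inventory, bad = build_inventory(SAMPLE_CSV)
    print(json.dumps(inventory, indent=4), "\nrejected rows:", bad)
```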
Appendices
sql2csv Python script
sql2csv.py
#! /usr/bin/env python3
""" Make CSV inventory file from SQL query (CMDB) """
import os
import pyodbc

cfg_csv_path = os.environ["INVENTORY_OPT_CSV_PATH"]
cfg_queryname = os.environ["INVENTORY_OPT_QUERYNAME"]
db_user = os.environ["MSSQL_LOGIN_USER"]
db_pass = os.environ["MSSQL_LOGIN_PASSWORD"]
db_name = os.environ["MSSQL_LOGIN_DATABASE"]
db_host = os.environ["MSSQL_LOGIN_HOST"]
db_port = os.environ["MSSQL_LOGIN_PORT"]


def clean_field(field):
    r"""
    Clean each field.
    CSV uses ';' as field separator, so all ';' characters must be removed.
    CSV uses the line break as line separator, so all '\n' and '\r' characters must be replaced.
    """
    if field is None or field == "Undefined":
        ret = ""
    else:
        ret = str(field).strip().replace(";", "").replace("\n", ",").replace("\r", ",")
    return ret


# The SQL text comes from a per-query config file, not from the command line
with open(f"config/{cfg_queryname}/query.sql", "r") as f:
    query = f.read().strip()


def main():
    db = pyodbc.connect(
        DRIVER="FreeTDS",
        Server=db_host,
        Port=db_port,
        Database=db_name,
        UID=db_user,
        PWD=db_pass,
    )
    cursor = db.cursor()
    result = cursor.execute(query)
    with open(cfg_csv_path, mode="w") as file_object:
        # first line: column names taken from the cursor description
        headers = []
        for row in result.description:
            headers.append(row[0])
        print(";".join(headers), file=file_object)
        for row in result:
            print(";".join(list(map(clean_field, row))), file=file_object)


main()
GPG - Script - batch - auto encrypt
See also:
By default GPG uses the « .gnupg » folder in the user's HOMEDIR. It contains, among other things, the configuration, the keyring, the trust database, etc.
But our current need is only to encrypt a file with a given public key. I propose a “stateless” approach in which the keyring is created before each encryption and destroyed at the end.
For example, to encrypt “secret_plan_to_rule_the_world.txt” with Bob's public key:
bash gpg-auto-encrypt.sh -k bob.pub.asc -i secret_plan_to_rule_the_world.txt -o encrypted-data.txt.gpg
The file “encrypted-data.txt.gpg” has been generated and can be sent. Only Bob will be able to decrypt it.
If the key changes, simply replace the file “bob.pub.asc”.
Signature verification is sorely missing. Without a signature, nothing guarantees that the encrypted file has not been altered, either deliberately or for technical reasons. Without a signature you can still trust that only Bob will be able to decrypt the file (provided you are certain of Bob's key and that Bob has properly protected his private key). But Bob cannot trust your file.
gpg-auto-encrypt.sh
#! /bin/bash
set -euo pipefail
export LC_ALL=C

SCRIPT_NAME="$(basename "$0")"

# Stateless keyring: a throw-away GNUPGHOME created for this run only.
# It must be exported, otherwise gpg silently falls back to ~/.gnupg.
install -d "${HOME}/tmp/"
GNUPGHOME="$(mktemp -d -p "${HOME}/tmp/" --suffix=_"${SCRIPT_NAME%%.*}")"
export GNUPGHOME
trap 'rm -rf "$GNUPGHOME"' EXIT

gpg_import() {
    # Keep the key ID from the first "gpg: key XXXX:" line of the import report
    PUBKEY_ID=$(gpg --batch --import "${PUBKEY_FILE}" 2>&1 \
        | awk '/^gpg: key / {gsub(":", "") ; print $3 ; exit}')
}

gpg_encrypt() {
    # --trust-model always: the key was just imported into an empty keyring, nothing certifies it
    gpg --batch --trust-model always --output "$OUTPUT_FILE" -r "${PUBKEY_ID}" --encrypt "$DATA_FILE"
}

main() {
    gpg_import
    gpg_encrypt
}

usage() {
    cat <<EOF
Usage: $0 -k KEY_FILE -i INPUT_FILE -o OUTPUT_FILE

Mandatory arguments:
  -k FILE   Public key file.
  -i FILE   File to encrypt.
  -o FILE   Encrypted file to write.

Example :
  $0 -k bob.pub.asc -i secret_plan_to_rule_the_world.txt -o encrypted-data.txt.gpg
EOF
}

ARGS_COUNT="$#"
while [ "${1-}" != "" ]; do
    case "$1" in
        -k) shift
            PUBKEY_FILE=$1 ;;
        -i) shift
            DATA_FILE=$1 ;;
        -o) shift
            OUTPUT_FILE=$1 ;;
        -h | --help) usage
            exit 0 ;;
        --) # End of all options
            shift
            break ;;
        -*) echo "$SCRIPT_NAME: invalid option" >&2
            echo "Try '$SCRIPT_NAME --help' for more information." >&2
            exit 1 ;;
        *) usage
            exit 1 ;;
    esac
    shift
done

if [ "$ARGS_COUNT" -lt 6 ]; then
    usage
    exit 1
fi

main
GPG - Key renewal
Revoke
Revoking your key: https://www.gnupg.org/gph/en/manual/c235.html
gpg --gen-revoke 50D12DE07663C664 --output ~/revocation.crt
chmod 600 ~/revocation.crt
gpg --import ~/.gnupg/email@domain.tld.rev.asc
gpg --export -a your_keyid > mykey.asc
gpg --keyserver subkeys.pgp.net --send-keys 50D12DE07663C664
gpg --keyserver pgp.mit.edu --send-keys mykey
gpg> revkey
gpg> revsig
gpg> save
gpg --import ~/.gnupg/email@domain.tld.public_key.asc ~/.gnupg/email@domain.tld.private_key.asc
gpg --edit-key email@domain.tld
Expired
What to do when the key has expired
https://makandracards.com/makandra-orga/13644-what-to-do-when-your-gpg-pgp-key-expires
gpg --edit-key 0x12345678
gpg> expire
...
gpg> save
gpg --edit-key 0x12345678
gpg> key 1
gpg> expire
...
gpg> key 1
gpg> key 2
gpg> expire
...
gpg> save
Renew primary key
GPG - recovering lost gpg public keys from your yubikey
Source: https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/
$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000BD62) 00 00
Application ID ...: D27600012401030400050000BD620000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000BD62
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: brainpoolP512r1 brainpoolP512r1 brainpoolP512r1
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: 5A79 88CB 3667 6795 A817 0DB7 CBBD AA0F 4B7C 7DD7
created ....: 2023-02-26 14:04:38
Encryption key....: 8695 C0E7 6ABC 2FFF F7CC 7D71 F8CE 04C4 D381 8C66
created ....: 2023-02-26 14:07:32
Authentication key: 1D9D 57AF C804 3C8E 1AA8 82ED 7571 DCC2 1DE7 4064
created ....: 2023-02-26 14:09:20
General key info..: [none]
The fields of interest:
Signature key ....: 5A79 88CB 3667 6795 A817 0DB7 CBBD AA0F 4B7C 7DD7
created ....: 2023-02-26 14:04:38
Encryption key....: 8695 C0E7 6ABC 2FFF F7CC 7D71 F8CE 04C4 D381 8C66
created ....: 2023-02-26 14:07:32
Authentication key: 1D9D 57AF C804 3C8E 1AA8 82ED 7571 DCC2 1DE7 4064
created ....: 2023-02-26 14:09:20
2023-02-26 14:04:38 becomes 20230226T140438! (the trailing "!" tells gpg to keep the clock frozen at that time)
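As an added example (not from the original post or its source), this small parser reads the three key lines of the card-status output, turns each "created" timestamp into the --faked-system-time value with the trailing "!", and derives the long key ID from the fingerprint so that the sec/ssb entries gpg prints after regeneration can be checked against the card. The card-status text, the slot names and the function names are constructed for this example.

```python
"""Added example: derive --faked-system-time values from 'gpg --card-status'."""
import re
from datetime import datetime

# Constructed from the card-status output shown above (indentation may vary)
CARD_STATUS = """\
Signature key ....: 5A79 88CB 3667 6795 A817 0DB7 CBBD AA0F 4B7C 7DD7
      created ....: 2023-02-26 14:04:38
Encryption key....: 8695 C0E7 6ABC 2FFF F7CC 7D71 F8CE 04C4 D381 8C66
      created ....: 2023-02-26 14:07:32
Authentication key: 1D9D 57AF C804 3C8E 1AA8 82ED 7571 DCC2 1DE7 4064
      created ....: 2023-02-26 14:09:20
"""

_KEY_LINE = re.compile(r"^(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]{40,})\s*$")
_CREATED = re.compile(r"^\s*created\s*\.*:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$")

def faked_system_time(created):
    """'2023-02-26 14:04:38' -> '20230226T140438!' (the '!' freezes gpg's clock)."""
    return datetime.strptime(created, "%Y-%m-%d %H:%M:%S").strftime("%Y%m%dT%H%M%S") + "!"

def long_key_id(fingerprint):
    """Last 16 hex digits of a v4 fingerprint: the ID gpg shows after sec/ssb."""
    return fingerprint.replace(" ", "")[-16:]

def parse_card_status(text):
    """Return {slot: (fingerprint, created)} for the card key slots found."""
    keys, slot = {}, None
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            slot = m.group(1)
            keys[slot] = [m.group(2).replace(" ", ""), None]
            continue
        m = _CREATED.match(line)
        if m and slot:  # a 'created' line belongs to the key line just above it
            keys[slot][1] = m.group(1)
            slot = None
    return {k: tuple(v) for k, v in keys.items() if v[1]}

def regeneration_plan(text):
    """(slot, long key id, faked time) per slot, in the order gpg must be run."""
    keys = parse_card_status(text)
    return [(s, long_key_id(keys[s][0]), faked_system_time(keys[s][1]))
            for s in ("Signature", "Encryption", "Authentication") if s in keys]

if __name__ == "__main__":
    for slot, kid, ts in regeneration_plan(CARD_STATUS):
        print(f'{slot:<14} {kid}  gpg --faked-system-time "{ts}" ...')
```

The key IDs it prints (CBBDAA0F4B7C7DD7, F8CE04C4D3818C66, 7571DCC21DE74064) are the ones that appear after sec and ssb in the sessions below; the hashes listed under "Available keys" are keygrips, not key IDs, and will not match.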
Creating the primary key (sign)
$ gpg --faked-system-time "20230226T140438!" --expert --full-generate-key
gpg: WARNING: running with faked system time: 2023-02-26 14:04:38
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 14
Serial number of the card: D27600012401030400050000BD620000
Available keys:
(1) 3F5417680639FCEF05C54803B408B83BA496E964 OPENPGP.1 brainpoolP512r1 (cert,sign)
(2) DC81057888D07B12268226B9F136013C4D32566D OPENPGP.2 brainpoolP512r1 (encr)
(3) F66AA9329AEA6F09D69DD852BF8233DE68119AF5 OPENPGP.3 brainpoolP512r1 (sign,auth)
Your selection? 1
Possible actions for a ECDSA/EdDSA key: Sign Certify
Current allowed actions: Sign Certify
(S) Toggle the sign capability
(Q) Finished
Your selection? q
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 26 Feb 2024 03:04:38 PM CET
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Bob MARLEY
Email address: bmarley@acme.fr
Comment:
You selected this USER-ID:
"Bob MARLEY <bmarley@acme.fr>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: directory '/home/jibe/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/jibe/.gnupg/openpgp-revocs.d/5A7988CB36676795A8170DB7CBBDAA0F4B7C7DD7.rev'
public and secret key created and signed.
pub brainpoolP512r1 2023-02-26 [SC] [expires: 2024-02-26]
5A79 88CB 3667 6795 A817 0DB7 CBBD AA0F 4B7C 7DD7
uid Bob MARLEY <bmarley@acme.fr>
Creating the subkeys
The second key
$ gpg --faked-system-time "20230226T140732!" --expert --edit-key bmarley
gpg: WARNING: running with faked system time: 2023-02-26 14:07:32
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-02-26
sec brainpoolP512r1/CBBDAA0F4B7C7DD7
created: 2023-02-26 expires: 2024-02-26 usage: SC
card-no: 0005 0000BD62
trust: ultimate validity: ultimate
[ultimate] (1). Bob MARLEY <bmarley@acme.fr>
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 14
Serial number of the card: D27600012401030400050000BD620000
Available keys:
(1) 3F5417680639FCEF05C54803B408B83BA496E964 OPENPGP.1 brainpoolP512r1 (cert,sign)
(2) DC81057888D07B12268226B9F136013C4D32566D OPENPGP.2 brainpoolP512r1 (encr)
(3) F66AA9329AEA6F09D69DD852BF8233DE68119AF5 OPENPGP.3 brainpoolP512r1 (sign,auth)
Your selection? 2
Possible actions for a ECDH key: Encrypt
Current allowed actions: Encrypt
(E) Toggle the encrypt capability
(Q) Finished
Your selection? q
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 26 Feb 2024 03:07:32 PM CET
Is this correct? (y/N) y
Really create? (y/N) y
sec brainpoolP512r1/CBBDAA0F4B7C7DD7
created: 2023-02-26 expires: 2024-02-26 usage: SC
card-no: 0005 0000BD62
trust: ultimate validity: ultimate
ssb brainpoolP512r1/F8CE04C4D3818C66
created: 2023-02-26 expires: 2024-02-26 usage: E
card-no: 0005 0000BD62
[ultimate] (1). Bob MARLEY <bmarley@acme.fr>
gpg> quit
Save changes? (y/N) y
The third key
$ gpg --faked-system-time "20230226T140920!" --expert --edit-key bmarley
gpg: WARNING: running with faked system time: 2023-02-26 14:09:20
Secret key is available.
sec brainpoolP512r1/CBBDAA0F4B7C7DD7
created: 2023-02-26 expires: 2024-02-26 usage: SC
card-no: 0005 0000BD62
trust: ultimate validity: ultimate
ssb brainpoolP512r1/F8CE04C4D3818C66
created: 2023-02-26 expires: 2024-02-26 usage: E
card-no: 0005 0000BD62
[ultimate] (1). Bob MARLEY <bmarley@belaris.fr>
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 14
Serial number of the card: D27600012401030400050000BD620000
Available keys:
(1) 3F5417680639FCEF05C54803B408B83BA496E964 OPENPGP.1 brainpoolP512r1 (cert,sign)
(2) DC81057888D07B12268226B9F136013C4D32566D OPENPGP.2 brainpoolP512r1 (encr)
(3) F66AA9329AEA6F09D69DD852BF8233DE68119AF5 OPENPGP.3 brainpoolP512r1 (sign,auth)
Your selection? 3
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 26 Feb 2024 03:09:20 PM CET
Is this correct? (y/N) y
Really create? (y/N) y
sec brainpoolP512r1/CBBDAA0F4B7C7DD7
created: 2023-02-26 expires: 2024-02-26 usage: SC
card-no: 0005 0000BD62
trust: ultimate validity: ultimate
ssb brainpoolP512r1/F8CE04C4D3818C66
created: 2023-02-26 expires: 2024-02-26 usage: E
card-no: 0005 0000BD62
ssb brainpoolP512r1/7571DCC21DE74064
created: 2023-02-26 expires: 2024-02-26 usage: A
card-no: 0005 0000BD62
[ultimate] (1). Bob MARLEY <bmarley@belaris.fr>
gpg> quit
Save changes? (y/N) y
GPG - Publishing your key to a key server
See also:
Key servers / keyservers SKS WKD - hkp / hkps:
See:
Replacing SKS with WKD:
Key server
gpg --refresh-keys
gpg --keyserver key_server --refresh-keys
gpg --keyserver pgp.mit.edu --search-key
Publish
https://wiki.debian.org/fr/Subkeys
# gpg --send-keys --keyserver keyring.debian.org KeyID
# gpg --send-keys --keyserver subkeys.pgp.net KeyID
gpg --keyserver keyserver.ubuntu.com --send-key KeyID
#gpg --keyserver hkps://keys.openpgp.org --send-key KeyID
gpg --export KeyID | curl -T - https://keys.openpgp.org
See: https://keys.openpgp.org/about
Publishing a key that you have signed
To be verified
tsocks gpg --send-keys 5AA19646
Tor
Refresh your keys one after the other. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a random delay
sudo apt-get install parcimonie
Remember to update GPG keys via Tor with parcimonie
http://genma.free.fr/?Mise-a-jour-des-clefs-GPG-via-Tor
You should not use gpg --refresh-keys or the refresh keys menu item on your email client because you disclose to anyone listening, and the keyserver operator, the whole set of keys that you are interested in refreshing.
