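#!/usr/bin/env bash
# =============================================================================
# Generate vault.yml with random passwords
# =============================================================================
# Usage: ./generate-vault.sh
# Output: group_vars/vault.yml (ready to encrypt)
#
# Requires `openssl` on PATH (every secret comes from `openssl rand`).
# The script refuses to overwrite an existing vault.yml: that file may hold the
# only copy of vault_encryption_key, and the script cannot know whether it has
# been backed up. Move the old file aside deliberately before re-running.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly VAULT_FILE="$SCRIPT_DIR/group_vars/vault.yml"

# Print an error to stderr and stop the run.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Generate an alphanumeric password (no special chars - safe for connection
# strings).
# Arguments: $1 - desired length in characters (default 32)
# Outputs:   the password on stdout, no trailing newline
# Returns:   0 on success; 1 if the length is not a non-negative integer or
#            openssl fails
#######################################
generate_password() {
  local length=${1:-32}
  local out='' chunk

  if [[ ! "$length" =~ ^[0-9]+$ ]]; then
    printf 'generate_password: length must be a non-negative integer, got %s\n' "$length" >&2
    return 1
  fi

  # Each 48-byte draw yields 64 base64 chars, minus the '/', '+', '=' and
  # newline that are stripped. Keep drawing until enough chars are collected so
  # long lengths are never silently truncated, then cut to exactly $length.
  # (No `head -c` in the pipeline: it could exit early and SIGPIPE the
  # producers, which `set -o pipefail` would report as a failure.)
  while (( ${#out} < length )); do
    chunk=$(openssl rand -base64 48 | LC_ALL=C tr -dc 'A-Za-z0-9') || return 1
    out+=$chunk
  done
  printf '%s' "${out:0:length}"
}

#######################################
# Generate a base64-encoded 32-byte (256-bit) key for AES-256-GCM.
# Outputs:   the key on stdout
# Returns:   openssl's exit status
#######################################
generate_encryption_key() {
  openssl rand -base64 32
}

#######################################
# Write group_vars/vault.yml with freshly generated secrets and print the
# follow-up steps.
# Globals:   SCRIPT_DIR, VAULT_FILE (read)
# Outputs:   progress, the generated file contents, and next steps on stdout
# Returns:   exits non-zero if openssl is missing, the vault file already
#            exists, or any secret fails to generate
#######################################
main() {
  local turn_password relay_secret encryption_key admin_password generated_at

  command -v openssl >/dev/null 2>&1 || die "openssl is required but was not found in PATH"
  if [[ -e "$VAULT_FILE" ]]; then
    die "$VAULT_FILE already exists; move it aside first (it may hold the only copy of vault_encryption_key)"
  fi
  mkdir -p -- "$(dirname "$VAULT_FILE")"

  # Generate every secret before writing. A failing $(...) inside a heredoc is
  # not caught by `set -e`, so generating inline would silently leave an empty
  # password in the file if openssl failed.
  turn_password=$(generate_password 32) || die "failed to generate vault_turn_password"
  relay_secret=$(generate_password 32) || die "failed to generate vault_relay_secret"
  encryption_key=$(generate_encryption_key) || die "failed to generate vault_encryption_key"
  admin_password=$(generate_password 20) || die "failed to generate vault_admin_password"
  generated_at=$(date -Iseconds) || die "date -Iseconds failed"

  printf '%s\n' "Generating vault.yml with random passwords..."

  # The file holds plaintext secrets until it is vault-encrypted: create it
  # owner-readable only rather than with the default umask.
  umask 077
  cat > "$VAULT_FILE" <<EOF
---
# =============================================================================
# NetBird v1.6 Vault Secrets
# =============================================================================
# Generated: $generated_at
# Encrypt with: ansible-vault encrypt group_vars/vault.yml

# TURN server password
vault_turn_password: "$turn_password"

# Relay secret
vault_relay_secret: "$relay_secret"

# Encryption key for embedded IdP (AES-256-GCM)
# CRITICAL: Back this up! Loss prevents recovery of user data.
vault_encryption_key: "$encryption_key"

# =============================================================================
# User Provisioning
# =============================================================================

# Initial admin password (for setup-bootstrap.yml)
vault_admin_password: "$admin_password"

# Service user PAT for API automation
# LEAVE EMPTY - fill after running setup-bootstrap.yml and creating PAT in dashboard
vault_netbird_service_pat: ""
EOF

  printf '\n'
  printf '%s\n' "Generated: $VAULT_FILE"
  printf '\n'
  printf '%s\n' "Contents:"
  printf '%s\n' "----------------------------------------"
  # Intentionally echoes the plaintext secrets so the operator can review them;
  # note they land in terminal scrollback / session logs.
  cat "$VAULT_FILE"
  printf '%s\n' "----------------------------------------"
  printf '\n'
  printf '%s\n' "Next steps:"
  printf '%s\n' " 1. Review the file above"
  printf '%s\n' " 2. Encrypt: ansible-vault encrypt group_vars/vault.yml"
  printf '%s\n' " 3. Deploy: ansible-playbook -i inventory.yml playbook-ssl-ip.yml --ask-vault-pass"
  printf '%s\n' " 4. Bootstrap: ansible-playbook -i inventory.yml setup-bootstrap.yml --ask-vault-pass"
  printf '%s\n' " 5. Create service user PAT in dashboard, add to vault.yml"
  printf '%s\n' " 6. Groups: ansible-playbook -i inventory.yml setup-groups.yml --ask-vault-pass"
  printf '%s\n' " 7. Users: ansible-playbook -i inventory.yml setup-users.yml --ask-vault-pass"
}

main "$@"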