#!/bin/bash
# =============================================================================
# Generate vault.yml with random passwords
# =============================================================================
# Usage: ./generate-vault.sh
# Output: group_vars/vault.yml (ready to encrypt)
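# Abort on the first failing command and on any use of an unset variable
# (-u turns a mistyped variable name into an error instead of an empty
# expansion that could silently end up in a path or in the vault file).
set -eu

# Directory holding this script; the vault is written relative to it so the
# script behaves the same regardless of the caller's working directory.
# The assignment is kept separate from readonly so a failing cd is not masked.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

# Destination of the generated secrets (plaintext until ansible-vault encrypts it).
VAULT_FILE="$SCRIPT_DIR/group_vars/vault.yml"
readonly VAULT_FILE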
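#######################################
# Print a random alphanumeric password of the requested length.
# Only [A-Za-z0-9] is emitted (no '/', '+', '=' or newline) so the value is
# safe to paste into connection strings and YAML without quoting surprises.
# Arguments: $1 - desired length (default 32); must be a positive integer
# Outputs:   the password on stdout, without a trailing newline
# Returns:   0 on success; 1 on an invalid length or if no random data
#            could be produced (e.g. openssl missing)
#######################################
generate_password() {
  local length=${1:-32}
  local chunk password=''

  if [[ ! "$length" =~ ^[1-9][0-9]*$ ]]; then
    printf 'generate_password: length must be a positive integer, got %q\n' "$length" >&2
    return 1
  fi

  # One 48-byte draw gives 64 base64 characters, of which the non-alphanumeric
  # ones are stripped. Keep drawing until enough remain, so a long length is
  # never silently truncated (a single draw caps out at roughly 60 characters).
  while (( ${#password} < length )); do
    chunk=$(openssl rand -base64 48 | tr -d '/+=\n') || return 1
    # An empty chunk means the pipeline produced nothing (openssl absent or
    # failing); bail out rather than loop forever.
    [[ -n "$chunk" ]] || return 1
    password+=$chunk
  done

  printf '%s' "${password:0:length}"
}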
#######################################
# Print a fresh 256-bit key, base64 encoded, for the embedded IdP's
# AES-256-GCM encryption.
# Outputs:   one line on stdout holding the base64 key
# Returns:   openssl's exit status
#######################################
generate_encryption_key() {
  local key
  key=$(openssl rand -base64 32) || return
  printf '%s\n' "$key"
}
echo "Generating vault.yml with random passwords..."
|
|
|
|
cat > "$VAULT_FILE" << EOF
|
|
---
|
|
# =============================================================================
|
|
# NetBird v1.6 Vault Secrets
|
|
# =============================================================================
|
|
# Generated: $(date -Iseconds)
|
|
# Encrypt with: ansible-vault encrypt group_vars/vault.yml
|
|
|
|
# TURN server password
|
|
vault_turn_password: "$(generate_password 32)"
|
|
|
|
# Relay secret
|
|
vault_relay_secret: "$(generate_password 32)"
|
|
|
|
# Encryption key for embedded IdP (AES-256-GCM)
|
|
# CRITICAL: Back this up! Loss prevents recovery of user data.
|
|
vault_encryption_key: "$(generate_encryption_key)"
|
|
|
|
# =============================================================================
|
|
# User Provisioning
|
|
# =============================================================================
|
|
|
|
# Initial admin password (for setup-bootstrap.yml)
|
|
vault_admin_password: "$(generate_password 20)"
|
|
|
|
# Service user PAT for API automation
|
|
# LEAVE EMPTY - fill after running setup-bootstrap.yml and creating PAT in dashboard
|
|
vault_netbird_service_pat: ""
|
|
EOF
echo ""
|
|
echo "Generated: $VAULT_FILE"
|
|
echo ""
|
|
echo "Contents:"
|
|
echo "----------------------------------------"
|
|
cat "$VAULT_FILE"
|
|
echo "----------------------------------------"
|
|
echo ""
|
|
echo "Next steps:"
|
|
echo " 1. Review the file above"
|
|
echo " 2. Encrypt: ansible-vault encrypt group_vars/vault.yml"
|
|
echo " 3. Deploy: ansible-playbook -i inventory.yml playbook-ssl-ip.yml --ask-vault-pass"
|
|
echo " 4. Bootstrap: ansible-playbook -i inventory.yml setup-bootstrap.yml --ask-vault-pass"
|
|
echo " 5. Create service user PAT in dashboard, add to vault.yml"
|
|
echo " 6. Groups: ansible-playbook -i inventory.yml setup-groups.yml --ask-vault-pass"
|
|
echo " 7. Users: ansible-playbook -i inventory.yml setup-users.yml --ask-vault-pass"