Fora
  • Getting Started
  • Outlining the differences
  • Frequently Asked Questions
  • Usage
    • Introduction
      • Inventories
      • Hosts & Groups
      • Scripts
    • Best practices
  • API
    • Operations Index
    • Fora API
      • fora.connectors
        • connectors.connector
        • connectors.local
        • connectors.ssh
        • connectors.tunnel_connector
        • connectors.tunnel_dispatcher
      • fora.operations
        • operations.api
        • operations.apt
        • operations.files
        • operations.git
        • operations.local
        • operations.pacman
        • operations.pip
        • operations.portage
        • operations.postgres
        • operations.system
        • operations.systemd
        • operations.utils
      • fora.connection
      • fora.example_deploys
      • fora.inventory_wrapper
      • fora.loader
      • fora.logger
      • fora.main
      • fora.remote_settings
      • fora.types
      • fora.utils
      • fora.version
  • Examples
    • Managing dotfiles
    • Using secrets
  • Links
    • Fora on GitHub
Powered by GitBook
On this page
  • Universal example
  • Example: Using age or gpg
  1. Examples

Using secrets

PreviousManaging dotfiles

Last updated 3 years ago

When your deploy repository is on GitHub or any other third party storage, you should properly encrypt your secrets. Fora doesn't provide any proprietary methods to do this, as there are plenty of libraries that solve this problem already.

As host and group modules are regular python modules, loading secrets with an external library is quite easy. While there are different ways to achieve the same things, I recommend decrypting the secret storage in your inventory. This is beneficial because groups might be executed multiple times (once for each host that uses it), and this way you only have to decrypt once.

Universal example

Generally, you can provide a global dictionary containing the secret values when the inventory is loaded. This allows those secrets to be accessed anywhere in your deploy.

import toml

_decrypted_toml = # decrypt a file using your method of choice
secrets = toml.loads(_decrypted_toml)

# ...
root_password_hash = secrets["desktops"]["root_password_hash"]

Example: Using age or gpg

A great option is to store secrets in an encrypted toml file. While age doesn't support Yubikeys out-of-the-box, using gpg may also be a good option. Using cryptography's fernet protocol might also be a viable option.

inventory.py
import toml, subprocess

with open("secrets.toml.age", "rb") as f:
    _decrypted_toml = subprocess.run(["age", "--decrypt"], input=f.read(), stdout=subprocess.PIPE, check=True).stdout.decode()
secrets = toml.loads(_decrypted_toml)

Encrypt a file using gpg --quiet --encrypt --recipient your-identity@example.com --output secrets.toml.gpg secrets.toml and delete the original.

inventory.py
import toml, subprocess

with open("secrets.toml.gpg", "rb") as f:
    _decrypted_toml = subprocess.run(["gpg", "--quiet", "--decrypt"], input=f.read(), stdout=subprocess.PIPE, check=True).stdout.decode()
secrets = toml.loads(_decrypted_toml)

# ...
[desktops]
root_password_hash = "$6$3gtzs4..."
age