Yet another secrets management toolkit

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for m-kus from gravatar.com m-kus

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Michael Zaikin
  • Maintainer: Michael Zaikin
  • Tags secret-management, password-store
  • Requires: Python >=3.6, <4.0
Classifiers

Project description

Hoba

PyPI version Build Status Made With License: MIT

Yet another secrets management toolkit based on passwordstore

hoba

Requirements

  • git
  • gnupg
  • pass
  • python 3.6+
  • pip 19.0.1+

Installation

$ pip install git+https://github.com/m-kus/hoba

Usage

All hoba commands work only if there is a hoba.yml file inside the current directory. File format will be described below.

Storing and sharing secrets

Pass is a great alternative to Hashicorp Vault and other enterprise secret storages, cause it's simple, safe, and portable. In my team we came to a pretty convenient scheme without loosing in security.

  1. All passwords encryption key, api keys, certificates, etc. are kept in a pass repo, which is gpg-encrypted and stored in git;
  2. Pass allows to implement simple access control policy for each tree node with inheritance;
  3. Each developer has to generate gpg key and add pubkey to the pass repo (keys are stored in .gpg-keys file);
  4. All developers have to import all keys from the repo and set maximum trust level;

You can do this manually, but there is a command which does pretty much the same:

$ hoba sync

Hoba can also spawn a shell with overrided PASSWORD_STORE_DIR environment variable:

$ hoba shell
$ pass

Deploying secrets

By default hoba looks for a default section inside the configuration file.

$ hoba gen

You can also specify target env:

$ hoba gen dev

Sample hoba configuration file:

password-store:
  repo_url: http://github.com/example.git
  repo_dir: ./.password-store
  
environments:
  dev:
    default:
  prod:
  
targets:
  - type: env_file
    output: ./.secrets/{ENV}.env
    variables:
      - DB_PASSWORD={ENV}/postgresql/password
    except:
      - dev

  - type: dir
    output: ./.secrets
    files:
      - ssl/example.com/cert_key:ssl/cert_key
      - ssl/example.com/dh_params:ssl/dh_params
    only:
      - prod

  - type: keyring
    output: ./.secrets/keyring_pass.cfg
    entries:
      - app@telegram:{ENV}/telegram/bot_api_key

Docker compose integration example:

version: "3.1"
services:
  nginx:
    environment:
      env_file:
      - ./.secrets/dev.env
    secrets:
      - cert_key
      - dh_params
      - source: keyring
        target: /root/.local/share/python_keyring/keyring_pass.cfg
    
secrets:
  cert_key:
    file: ./.secrets/ssl/cert_key
  dh_params:
    file: ./.secrets/ssl/dh_params
  keyring:
    file: ./.secrets/keyring_pass.cfg

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for m-kus from gravatar.com m-kus

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Michael Zaikin
  • Maintainer: Michael Zaikin
  • Tags secret-management, password-store
  • Requires: Python >=3.6, <4.0
Classifiers

Release history Release notifications | RSS feed

This version

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hoba-0.1.2.tar.gz (6.2 kB view hashes)

Uploaded Source

Built Distribution

hoba-0.1.2-py3-none-any.whl (6.8 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page