Yet another secrets management toolkit
Project description
Hoba
Yet another secrets management toolkit based on passwordstore
Requirements
- git
- gnupg
- pass
- python 3.6+
- pip 19.0.1+
Installation
$ pip install git+https://github.com/m-kus/hoba
Usage
All hoba commands work only if there is a hoba.yml file inside the current directory. The file format is described below.
Storing and sharing secrets
Pass is a great alternative to Hashicorp Vault and other enterprise secret storages, because it's simple, safe, and portable. In my team we arrived at a convenient scheme without losing any security.
- All passwords, encryption keys, API keys, certificates, etc. are kept in a pass repo, which is gpg-encrypted and stored in git;
- Pass makes it possible to implement a simple access control policy for each tree node, with inheritance;
- Each developer has to generate a gpg key and add the public key to the pass repo (keys are stored in the .gpg-keys file);
- All developers have to import all keys from the repo and set the maximum trust level.
You can do this manually, but there is a command which does essentially the same thing:
$ hoba sync
Hoba can also spawn a shell with an overridden PASSWORD_STORE_DIR environment variable:
$ hoba shell
$ pass
Deploying secrets
By default hoba looks for the "default" environment section inside the configuration file.
$ hoba gen
You can also specify target env:
$ hoba gen dev
Sample hoba configuration file:
password-store:
  repo_url: http://github.com/example.git
  repo_dir: ./.password-store
environments:
  dev:
  default:
  prod:
targets:
  - type: env_file
    output: ./.secrets/{ENV}.env
    variables:
      - DB_PASSWORD={ENV}/postgresql/password
    except:
      - dev
  - type: dir
    output: ./.secrets
    files:
      - ssl/example.com/cert_key:ssl/cert_key
      - ssl/example.com/dh_params:ssl/dh_params
    only:
      - prod
  - type: keyring
    output: ./.secrets/keyring_pass.cfg
    entries:
      - app@telegram:{ENV}/telegram/bot_api_key
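The sample configuration above has three target types, per-environment gating with only/except, and {ENV} substitution in paths. The following is an added reference rendering of that logic, written for this page and not taken from hoba itself; it assumes (hypothetically) that "{ENV}" is substituted into both pass paths and output paths, that an "only" list or an "except" list decides whether a target is written for an environment, and that list items use the forms NAME=pass/path (variables), pass/path:relative_output (files) and name:pass/path (entries) seen in the sample. The lookup of secrets is injected so the block runs offline against a constructed store instead of calling pass.

```python
"""Reference rendering of hoba.yml targets (added illustration, not hoba's code).

Hypothetical assumptions: "{ENV}" is substituted into pass paths and output
paths; "only"/"except" gate a target per environment; list items use the
"NAME=pass/path" (variables), "pass/path:relative_output" (files) and
"name:pass/path" (entries) forms from the sample configuration.
"""
from typing import Callable, Dict, List

# Constructed copy of the sample hoba.yml as a dict, so no YAML parser is needed.
SAMPLE_CONFIG: dict = {
    "environments": {"dev": None, "default": None, "prod": None},
    "targets": [
        {"type": "env_file", "output": "./.secrets/{ENV}.env",
         "variables": ["DB_PASSWORD={ENV}/postgresql/password"],
         "except": ["dev"]},
        {"type": "dir", "output": "./.secrets",
         "files": ["ssl/example.com/cert_key:ssl/cert_key",
                   "ssl/example.com/dh_params:ssl/dh_params"],
         "only": ["prod"]},
        {"type": "keyring", "output": "./.secrets/keyring_pass.cfg",
         "entries": ["app@telegram:{ENV}/telegram/bot_api_key"]},
    ],
}

# Constructed stand-in for `pass show <path>`; every value is a placeholder.
FAKE_STORE: Dict[str, str] = {
    "prod/postgresql/password": "constructed-prod-db-password",
    "default/postgresql/password": "constructed-default-db-password",
    "ssl/example.com/cert_key": "-----BEGIN PRIVATE KEY-----\nconstructed\n",
    "ssl/example.com/dh_params": "-----BEGIN DH PARAMETERS-----\nconstructed\n",
    "prod/telegram/bot_api_key": "constructed-prod-bot-token",
    "dev/telegram/bot_api_key": "constructed-dev-bot-token",
    "default/telegram/bot_api_key": "constructed-default-bot-token",
}


def target_applies(target: dict, env: str) -> bool:
    """A target renders unless env is listed in `except` or missing from `only`."""
    if env in target.get("except", []):
        return False
    only = target.get("only")
    return only is None or env in only


def render(config: dict, env: str, lookup: Callable[[str], str]) -> Dict[str, str]:
    """Map every output path to its content for the targets that apply to env.

    `lookup` resolves a pass path to plaintext (in real use: `pass show`).
    Unknown environments and target types are rejected instead of silently
    producing empty or partial secret files.
    """
    if env not in config["environments"]:
        raise KeyError(f"unknown environment {env!r}")
    outputs: Dict[str, str] = {}
    for target in config["targets"]:
        if not target_applies(target, env):
            continue
        kind = target["type"]
        output = target["output"].replace("{ENV}", env)
        if kind == "env_file":
            # Assumed layout: one NAME=value line per variable.
            env_lines: List[str] = []
            for item in target["variables"]:
                name, path = item.split("=", 1)
                env_lines.append(f"{name}={lookup(path.replace('{ENV}', env))}")
            outputs[output] = "\n".join(env_lines) + "\n"
        elif kind == "dir":
            # Each file lands under the output directory at its relative name.
            for item in target["files"]:
                path, rel = item.split(":", 1)
                outputs[f"{output}/{rel}"] = lookup(path.replace("{ENV}", env))
        elif kind == "keyring":
            # The real keyring_pass.cfg layout is not given on the page; a flat
            # entry=value form is assumed here purely for illustration.
            keyring_lines: List[str] = []
            for item in target["entries"]:
                name, path = item.split(":", 1)
                keyring_lines.append(f"{name}={lookup(path.replace('{ENV}', env))}")
            outputs[output] = "\n".join(keyring_lines) + "\n"
        else:
            raise ValueError(f"unsupported target type {kind!r}")
    return outputs


def rendered_paths(config: dict, env: str) -> List[str]:
    """Just the output paths that `hoba gen <env>` would write, using the fake store."""
    return sorted(render(config, env, FAKE_STORE.__getitem__))


if __name__ == "__main__":
    for env_name in ("dev", "default", "prod"):
        print(env_name, rendered_paths(SAMPLE_CONFIG, env_name))
```

Running it shows why the only/except lists matter: "dev" gets only the keyring file, "default" gets the env file and the keyring file, and only "prod" receives the TLS private key and DH parameters. Writing the resulting files with restrictive permissions (mode 0600, owned by the deploying user) is the caller's job, as it is for the real .secrets directory.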
Docker compose integration example:
version: "3.1"
services:
  nginx:
    environment:
    env_file:
      - ./.secrets/dev.env
    secrets:
      - cert_key
      - dh_params
      - source: keyring
        target: /root/.local/share/python_keyring/keyring_pass.cfg
secrets:
  cert_key:
    file: ./.secrets/ssl/cert_key
  dh_params:
    file: ./.secrets/ssl/dh_params
  keyring:
    file: ./.secrets/keyring_pass.cfg
File details
Details for the file hoba-0.1.2.tar.gz (source distribution).
File metadata
- Download URL: hoba-0.1.2.tar.gz
- Upload date:
- Size: 6.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/0.12.17 CPython/3.7.0 Linux/4.15.0-54-generic
File hashes
Algorithm | Hash digest
---|---
SHA256 | c5a192ba0ff0c040c56228c09738280dc8c3b28c06ab774ad5ccdb7308958eb6
MD5 | 7efd1a8a9353bb5cddfd34f43bd6ac50
BLAKE2b-256 | f16137822bfc29f96e31ae71d1b750db2c950923616e25ce19c315d46a5336da
File details
Details for the file hoba-0.1.2-py3-none-any.whl (built distribution).
File metadata
- Download URL: hoba-0.1.2-py3-none-any.whl
- Upload date:
- Size: 6.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/0.12.17 CPython/3.7.0 Linux/4.15.0-54-generic
File hashes
Algorithm | Hash digest
---|---
SHA256 | a72ed926c4d3c0dec28c938ff0dd246686eaf5a02e2fc4e9874590ec2e6b834c
MD5 | 0fd83b49d2e370b0c4409dc8f886965d
BLAKE2b-256 | 620eaaa237898e8baef27b4368c2747d5814a0f798901f8d290558f8325f39a8
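Because hoba is installed straight from a git URL above, the published digests are the one thing that ties a downloaded archive to this release. The block below is an added example, not part of the hoba project, that recomputes the three digests PyPI lists and compares them to the values printed on this page for hoba-0.1.2.tar.gz; the sample bytes it checks are constructed and deliberately do not match, so the expected result is a failure on every algorithm.

```python
"""Verify a downloaded archive against the digests listed on this page.

Added illustration, not part of hoba. EXPECTED_SDIST holds the values printed
above for hoba-0.1.2.tar.gz; CONSTRUCTED_SAMPLE is made up and must not match.
"""
import hashlib
import hmac
from typing import Dict

# Digests as listed on the page for hoba-0.1.2.tar.gz (source distribution).
EXPECTED_SDIST: Dict[str, str] = {
    "sha256": "c5a192ba0ff0c040c56228c09738280dc8c3b28c06ab774ad5ccdb7308958eb6",
    "md5": "7efd1a8a9353bb5cddfd34f43bd6ac50",
    "blake2b-256": "f16137822bfc29f96e31ae71d1b750db2c950923616e25ce19c315d46a5336da",
}


def digests(data: bytes) -> Dict[str, str]:
    """Compute the three digests PyPI publishes; BLAKE2b-256 is blake2b at 32 bytes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result; compare_digest keeps the comparison constant-time."""
    actual = digests(data)
    return {algo: hmac.compare_digest(actual[algo], want.lower())
            for algo, want in expected.items()}


def verify_file(path: str, expected: Dict[str, str]) -> bool:
    """True only if every listed digest matches; a lone MD5 match is not enough."""
    with open(path, "rb") as fh:
        results = verify(fh.read(), expected)
    return all(results.values())


# Constructed sample; it is deliberately NOT the real sdist, so it must fail.
CONSTRUCTED_SAMPLE = b"constructed bytes, not hoba-0.1.2.tar.gz\n"

if __name__ == "__main__":
    for algo, ok in verify(CONSTRUCTED_SAMPLE, EXPECTED_SDIST).items():
        print(f"{algo}: {'match' if ok else 'MISMATCH'}")
```

For a real check, call verify_file on the archive you downloaded and refuse to install unless it returns True; the SHA256 and BLAKE2b values are the ones that carry weight, since MD5 is listed only for compatibility.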