Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/m-kus/hoba
😼 Yet another secrets management tool
- Host: GitHub
- URL: https://github.com/m-kus/hoba
- Owner: m-kus
- License: mit
- Created: 2019-03-25T16:15:20.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-03-17T16:25:16.000Z (over 4 years ago)
- Last Synced: 2024-10-11T09:21:30.988Z (about 1 month ago)
- Topics: devops, devops-tools, docker, docker-compose, gpg, pass, password-store, secret-management, secrets
- Language: Python
- Homepage:
- Size: 24.4 KB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Hoba
[![PyPI version](https://badge.fury.io/py/hoba.svg?)](https://badge.fury.io/py/hoba)
[![Build Status](https://travis-ci.org/m-kus/hoba.svg?branch=master)](https://travis-ci.org/m-kus/hoba)
[![Made With](https://img.shields.io/badge/made%20with-python-blue.svg?)](https://www.python.org)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

Yet another secrets management toolkit based on [passwordstore](https://www.passwordstore.org/)
![hoba](http://memesmix.net/media/download.php?meme=weqlu4)
## Requirements
* git
* gnupg
* pass
* python 3.6+
* pip 19.0.1+

#### Ubuntu

```
$ sudo apt install gnupg2 pass
```

## Installation

```
$ pip install hoba
```

## Usage

All hoba commands work only if there is a `hoba.yml` file inside the current directory. The file format is described below.
### Storing and sharing secrets
Pass is a great alternative to HashiCorp Vault and other enterprise secret stores, because it is simple, safe and portable. In my team we settled on a fairly convenient scheme without giving up security:

1. All passwords, encryption keys, API keys, certificates, etc. are kept in a pass repo, which is gpg-encrypted and stored in git;
2. Pass allows a simple access control policy for each tree node, with inheritance: a `.gpg-id` file in a subdirectory lists the recipients for that subtree, and entries without one inherit the nearest `.gpg-id` above them;
3. Each developer has to generate a gpg key and add the public key to the pass repo (keys are stored in the `.gpg-keys` file);
4. All developers have to import all keys from the repo and set the maximum trust level.

Note that this makes the git repository the trust anchor: anyone who can push to it can add a recipient key, so write access to the repo needs the same protection as the secrets themselves. You can do the import manually, but there is a command which does pretty much the same:

```
$ hoba sync
```

Hoba can also spawn a shell with the `PASSWORD_STORE_DIR` environment variable overridden, so plain `pass` commands operate on the synced repo:

```
$ hoba shell
$ pass
```

### Deploying secrets
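Before generating files for an environment it is worth checking who can actually decrypt the paths that environment pulls from. pass decides the recipients of each entry by walking from the entry's directory up to the store root and using the nearest `.gpg-id` file, which is what gives the per-node access control with inheritance from the sharing scheme above. The following is an added example, not hoba's or pass's own code: it models the store as an in-memory map from directory to `.gpg-id` contents (the sample store and key IDs are constructed for the example) and reproduces that lookup so you can audit which keys a given path is encrypted to.

```python
"""Which GPG keys can decrypt a pass entry? (added example, not hoba's code)

pass stores recipients in `.gpg-id` files. When it encrypts
<store>/prod/postgresql/password.gpg it walks up from prod/postgresql/ to
the store root and uses the first `.gpg-id` it finds, so a `.gpg-id` in a
subdirectory restricts that whole subtree and everything else inherits the
root list. The store here is an in-memory mapping; a real store would be
read from disk, e.g. Path(store, d, ".gpg-id").read_text().
"""
from __future__ import annotations

from pathlib import PurePosixPath

# Constructed sample: directory (relative to store root, "" = root) -> .gpg-id text.
# The key IDs are placeholders, not real fingerprints.
SAMPLE_GPG_IDS = {
    "": "KEY_ALICE\nKEY_BOB\nKEY_OPS\n",          # root: all developers + ops
    "prod": "KEY_OPS\n",                           # prod/: ops only
    "prod/telegram": "KEY_OPS\nKEY_BOT_OWNER\n",   # deeper node overrides prod/
}


def parse_gpg_id(text: str) -> list[str]:
    """One key ID per line; blank lines are skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def resolve_recipients(gpg_ids: dict[str, str], entry: str) -> tuple[str, list[str]]:
    """Return (governing directory, key IDs) for a pass entry like 'prod/db/password'.

    Mirrors pass's recipient lookup: the nearest .gpg-id wins, walking upward.
    Raises LookupError when even the root has none (pass refuses to encrypt).
    """
    directory = PurePosixPath(entry).parent
    while True:
        node = "" if str(directory) == "." else str(directory)
        if node in gpg_ids:
            return node, parse_gpg_id(gpg_ids[node])
        if node == "":
            raise LookupError("no .gpg-id found; the store is not initialised")
        directory = directory.parent


def can_decrypt(gpg_ids: dict[str, str], entry: str, key_id: str) -> bool:
    """True if key_id is among the recipients the entry would be encrypted to."""
    return key_id in resolve_recipients(gpg_ids, entry)[1]


def audit(gpg_ids: dict[str, str], entries: list[str]) -> dict[str, tuple[str, list[str]]]:
    """Map each entry to the node that governs it and its recipient list."""
    return {e: resolve_recipients(gpg_ids, e) for e in entries}


if __name__ == "__main__":
    # The paths the sample hoba.yml pulls from for the prod environment.
    for entry, (node, keys) in audit(SAMPLE_GPG_IDS, [
        "prod/postgresql/password",
        "ssl/example.com/cert_key",
        "prod/telegram/bot_api_key",
    ]).items():
        print(f"{entry:32} governed by {node or '<root>':16} -> {keys}")
```

Changing a `.gpg-id` file does not re-encrypt what is already stored; run `pass init -p <subdir> <key ids...>` so pass rewrites that subtree for the new recipient list. Running `audit` over the `prod` paths referenced in `hoba.yml` is a quick check that no developer-only key can read production secrets.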
By default hoba renders the `default` section of the configuration file:

```
$ hoba gen
```

You can also specify a target env:

```
$ hoba gen dev
```

Sample hoba configuration file:
```yaml
password-store:
  # clone over https or ssh: the repo also carries the recipient key list
  # that every developer imports and trusts
  repo_url: https://github.com/example.git
  repo_dir: ./.password-store
environments:
  dev:
  default:
  prod:
targets:
  - type: env_file
    output: ./.secrets/{ENV}.env
    variables:
      - DB_PASSWORD={ENV}/postgresql/password
    except:
      - dev
  - type: dir
    output: ./.secrets
    files:
      - ssl/example.com/cert_key:ssl/cert_key
      - ssl/example.com/dh_params:ssl/dh_params
    only:
      - prod
  - type: keyring
    output: ./.secrets/keyring_pass.cfg
    entries:
      - app@telegram:{ENV}/telegram/bot_api_key
```

Docker compose integration example:
```yaml
version: "3.1"
services:
  nginx:
    env_file:
      - ./.secrets/dev.env
    secrets:
      - cert_key
      - dh_params
      - source: keyring
        target: /root/.local/share/python_keyring/keyring_pass.cfg
secrets:
  cert_key:
    file: ./.secrets/ssl/cert_key
  dh_params:
    file: ./.secrets/ssl/dh_params
  keyring:
    file: ./.secrets/keyring_pass.cfg
```
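To make the rendering rules of the sample `hoba.yml` concrete, here is an added example in Python, not hoba's own implementation: it renders the `env_file` and `dir` targets for a chosen environment, substituting `{ENV}` in output and store paths and applying `only`/`except` (read here as an allow-list and a deny-list, an assumption taken from the sample's shape), fetches secrets through a lookup callable that stands in for `pass show`, rejects multi-line values in env files, and writes the results with 0600 permissions. The `keyring` target is left out because its file format is not described on the page; the sample store contents are constructed.

```python
"""Render hoba-style targets for one environment (added example, not hoba's code).

Implements the two target types from the sample hoba.yml whose output
format is clear from the page: `env_file` (NAME=store/path -> dotenv lines)
and `dir` (store/path:relative/dest -> files). `{ENV}` is substituted in
both output and store paths; `only` is an allow-list of environments and
`except` a deny-list (both assumptions from the sample's shape). The
`keyring` target is skipped because its file format is not described.
Secrets come from a lookup callable so the example runs offline; in real
use that would wrap `pass show <path>`.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path
from typing import Callable

SAMPLE_TARGETS = [  # the env_file and dir targets of the sample hoba.yml
    {"type": "env_file", "output": "./.secrets/{ENV}.env",
     "variables": ["DB_PASSWORD={ENV}/postgresql/password"], "except": ["dev"]},
    {"type": "dir", "output": "./.secrets",
     "files": ["ssl/example.com/cert_key:ssl/cert_key",
               "ssl/example.com/dh_params:ssl/dh_params"], "only": ["prod"]},
]

# Constructed stand-in for `pass show`: store path -> plaintext (fake values).
SAMPLE_STORE = {
    "prod/postgresql/password": "prod-db-pw",
    "default/postgresql/password": "default-db-pw",
    "ssl/example.com/cert_key": "-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----\n",
    "ssl/example.com/dh_params": "-----BEGIN DH PARAMETERS-----\nfake\n-----END DH PARAMETERS-----\n",
}


def target_applies(target: dict, env: str) -> bool:
    """`only` restricts to the listed envs, `except` removes the listed envs."""
    if "only" in target and env not in target["only"]:
        return False
    return env not in target.get("except", [])


def render(targets: list[dict], env: str, lookup: Callable[[str], str]) -> dict[str, str]:
    """Return {output path: file content} for every target that applies to env."""
    def sub(s: str) -> str:
        return s.replace("{ENV}", env)

    out: dict[str, str] = {}
    for t in targets:
        if not target_applies(t, env):
            continue
        output = sub(t["output"])
        if t["type"] == "env_file":
            lines = []
            for spec in t["variables"]:
                name, store_path = spec.split("=", 1)
                # `pass show` prints the secret with a trailing newline; drop it.
                value = lookup(sub(store_path)).rstrip("\n")
                # A PEM key or any multi-line secret cannot be expressed as a
                # NAME=value line; the sample config routes those to a dir target.
                if "\n" in value:
                    raise ValueError(f"{name}: multi-line secret, use a dir target")
                lines.append(f"{name}={value}")
            out[output] = "\n".join(lines) + "\n"
        elif t["type"] == "dir":
            for spec in t["files"]:
                store_path, dest = spec.split(":", 1)
                out[os.path.join(output, dest)] = lookup(sub(store_path))
        else:
            raise ValueError(f"unsupported target type {t['type']!r}")
    return out


def write_outputs(rendered: dict[str, str], base: Path) -> list[Path]:
    """Write each file 0600 under base; new directories are created 0700 (umask permitting)."""
    written = []
    for rel, content in rendered.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
        # Create with a restrictive mode instead of chmod-after-write, so the
        # plaintext is never world-readable even for an instant.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(path, 0o600)  # O_CREAT's mode does not apply to pre-existing files
        written.append(path)
    return written


def file_mode(path: Path) -> int:
    """Permission bits of a written file, for checking the 0600 guarantee."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_to_tempdir(env: str) -> tuple[Path, list[Path]]:
    """Render SAMPLE_TARGETS for env into a fresh temp dir; returns (base, files)."""
    base = Path(tempfile.mkdtemp(prefix="hoba-example-"))
    return base, write_outputs(render(SAMPLE_TARGETS, env, SAMPLE_STORE.__getitem__), base)


if __name__ == "__main__":
    base, files = write_to_tempdir("prod")
    for p in files:
        print(f"{oct(file_mode(p))} {p.relative_to(base)}")
```

Run it to see the `prod` files land in a temporary directory with mode 0600; for `dev` nothing is rendered, since the sample config excludes `dev` from the env file and limits the certificate files to `prod`. In a real deployment the lookup would be `lambda p: subprocess.run(["pass", "show", p], capture_output=True, text=True, check=True).stdout`, and `./.secrets` belongs in `.gitignore` so rendered plaintext is never committed next to the encrypted store.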