hermes/agent-secret-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add installer env configuration

Browse Source
This commit is contained in:
hermes
2026-05-14 17:29:29 +08:00
parent 1cd0bfb9f2
commit 525161dd0c
7 changed files with 139 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -13,3 +13,6 @@ secrets/vault-pass.txt
# Placeholder marker generated when password archive is absent # Placeholder marker generated when password archive is absent
secrets/vault-pass.txt.zip.PLACEHOLDER secrets/vault-pass.txt.zip.PLACEHOLDER
# Local installer env overrides with real secrets
install.local.env
*.secret.env

9
README.md
View File

@@ -17,6 +17,15 @@
- Agent 整合補充:[`docs/agent-integration.md`](docs/agent-integration.md) - Agent 整合補充:[`docs/agent-integration.md`](docs/agent-integration.md)
- Vault 基礎說明:[`docs/secret-vault.md`](docs/secret-vault.md) - Vault 基礎說明:[`docs/secret-vault.md`](docs/secret-vault.md)
## 安裝設定檔
Repo 內提供:
- `install.env.example`:給人類/agent 複製參考
- `install.env`:空值 placeholder可在安裝前填入 `INSTALL_VAULT_PASS_METHOD``VAULT_PASS_URL``VAULT_PASS_ZIP_PASSWORD_FILE` 等設定
`install.env` 不應填入真實 secrets 後再 commit若要保存本機私密設定使用 `install.local.env` 並透過 `INSTALL_ENV_FILE=install.local.env` 指定。
## 全自動 agent 安裝 ## 全自動 agent 安裝
```bash ```bash

39
docs/agent-install-runbook.md
View File

@@ -56,6 +56,43 @@ PLACEHOLDER
然後回報人類:需要把此 agent / 機器的 SSH public key 加到 Gitea 或 deploy key。 然後回報人類:需要把此 agent / 機器的 SSH public key 加到 Gitea 或 deploy key。
## 2.5 設定 installer env
Repo 內提供兩個 env 檔:
```text
install.env.example # 範本
install.env # 安裝用 placeholder
```
安裝前先設定 `install.env`
```bash
cd ~/projects/agent-secret-vault
cp -n install.env.example install.env
editor install.env
```
常用設定:
```bash
# 一次性 URL 下載 vault-pass.txt
INSTALL_VAULT_PASS_METHOD="url"
VAULT_PASS_URL="https://example.com/one-time/vault-pass.txt"
# 或zip 密碼放在本機安全檔案
INSTALL_VAULT_PASS_METHOD="archive"
VAULT_PASS_ZIP_PASSWORD_FILE="/secure/path/zip-password.txt"
```
若需要使用另一個 env 檔:
```bash
INSTALL_ENV_FILE=install.local.env ./scripts/install-vault-pass.sh
```
不要把含真實密碼/token 的 env 檔 commit。
## 3. 安裝 vault password file ## 3. 安裝 vault password file
標準位置: 標準位置:
@@ -123,7 +160,7 @@ export VAULT_PASS_FILE=/path/to/vault-pass.txt
### Agent 全自動安裝(避免卡在互動密碼) ### Agent 全自動安裝(避免卡在互動密碼)
若安裝由 AI agent / CI 執行,不要走互動 prompt。用以下任一非互動方式 若安裝由 AI agent / CI 執行,不要走互動 prompt。優先把設定寫進 `install.env``install.local.env`,也可用以下任一非互動方式:
```bash ```bash
# 方式 A從安全 URL 下載 vault-pass.txt # 方式 A從安全 URL 下載 vault-pass.txt

24
docs/human-guide.md
View File

@@ -66,6 +66,30 @@ git push
腳本會要求互動輸入 zip 密碼。這個 zip 密碼不要寫進 repo、chat 或 log交給安裝者時用另外的安全渠道。 腳本會要求互動輸入 zip 密碼。這個 zip 密碼不要寫進 repo、chat 或 log交給安裝者時用另外的安全渠道。
## 安裝時設定 vault-pass
安裝流程建議先填 repo 內的 env 檔:
```bash
cd ~/projects/agent-secret-vault
cp -n install.env.example install.env
editor install.env
./scripts/install-vault-pass.sh
```
`install.env` 可設定:
- `INSTALL_VAULT_PASS_METHOD=url` + `VAULT_PASS_URL=...`
- `INSTALL_VAULT_PASS_METHOD=archive` + `VAULT_PASS_ZIP_PASSWORD_FILE=...`
- `INSTALL_VAULT_PASS_METHOD=manual` + `VAULT_PASS_CONTENT=...`
- `INSTALL_VAULT_PASS_METHOD=create`
若 env 內含真實 secrets不要 commit。可改用 `install.local.env`,再執行:
```bash
INSTALL_ENV_FILE=install.local.env ./scripts/install-vault-pass.sh
```
## 給 agent 的全自動安裝方式 ## 給 agent 的全自動安裝方式
如果目標是「AI agent 直接安裝,不要卡在互動輸入密碼」,請不要讓 agent 選互動 zip 解壓。改用環境變數指定方法: 如果目標是「AI agent 直接安裝,不要卡在互動輸入密碼」,請不要讓 agent 選互動 zip 解壓。改用環境變數指定方法:

10
install.env Normal file
View File

@@ -0,0 +1,10 @@
# Local installer config for agent-secret-vault.
# Fill this file before running ./scripts/install-vault-pass.sh.
# WARNING: this file may contain secrets. Do not commit real values.
VAULT_PASS_FILE="$HOME/.config/vault-pass.txt"
INSTALL_VAULT_PASS_METHOD=""
VAULT_PASS_CONTENT=""
VAULT_PASS_URL=""
VAULT_PASS_ZIP_PASSWORD_FILE=""
VAULT_PASS_ZIP_PASSWORD=""

32
install.env.example Normal file
View File

@@ -0,0 +1,32 @@
# agent-secret-vault installer env template
#
# Usage:
# cp install.env.example install.env
# editor install.env
# ./scripts/install-vault-pass.sh
#
# Keep real install.env private. It may contain secrets.
# Where to install/read the Ansible Vault password file.
VAULT_PASS_FILE="$HOME/.config/vault-pass.txt"
# Choose one method: create | manual | url | archive
# Leave empty for interactive menu.
INSTALL_VAULT_PASS_METHOD=""
# Method: manual
# Direct vault-pass.txt content. Avoid this unless running in a secure local shell.
VAULT_PASS_CONTENT=""
# Method: url
# One-time HTTPS URL containing vault-pass.txt.
VAULT_PASS_URL=""
# Method: archive
# Password-protected zip path defaults to secrets/vault-pass.txt.zip.
# Put zip password in a local file when possible. Safer than putting it inline.
VAULT_PASS_ZIP_PASSWORD_FILE=""
# Method: archive fallback
# Inline zip password. Avoid in shared shells/logging environments.
VAULT_PASS_ZIP_PASSWORD=""

24
scripts/install-vault-pass.sh
View File

@@ -5,6 +5,23 @@ REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}" DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}" ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}" VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
ENV_FILE="${INSTALL_ENV_FILE:-$REPO_DIR/install.env}"
load_env_file() {
if [ -f "$ENV_FILE" ]; then
set -a
# shellcheck disable=SC1090
. "$ENV_FILE"
set +a
fi
}
load_env_file
# Re-apply env-configurable paths after loading install.env.
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
ARCHIVE="${VAULT_PASS_ARCHIVE:-${1:-$REPO_DIR/secrets/vault-pass.txt.zip}}"
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
# Optional non-interactive controls: # Optional non-interactive controls:
# INSTALL_VAULT_PASS_METHOD=create|manual|url|archive # INSTALL_VAULT_PASS_METHOD=create|manual|url|archive
# VAULT_PASS_CONTENT=<content> (for method=manual) # VAULT_PASS_CONTENT=<content> (for method=manual)
@@ -16,6 +33,11 @@ usage() {
cat <<USAGE cat <<USAGE
Usage: scripts/install-vault-pass.sh [archive.zip] Usage: scripts/install-vault-pass.sh [archive.zip]
Loads installer env from:
${INSTALL_ENV_FILE:-$REPO_DIR/install.env}
Override with:
INSTALL_ENV_FILE=/path/to/install.env ./scripts/install-vault-pass.sh
Installs the Ansible Vault password file to: Installs the Ansible Vault password file to:
${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt} ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
@@ -27,7 +49,7 @@ Interactive behavior:
[3] Download vault-pass.txt from a user-provided URL [3] Download vault-pass.txt from a user-provided URL
[4] Extract vault-pass.txt from a password-protected zip archive [4] Extract vault-pass.txt from a password-protected zip archive
Non-interactive agent mode: Non-interactive agent mode (via install.env or environment variables):
INSTALL_VAULT_PASS_METHOD=create ./scripts/install-vault-pass.sh INSTALL_VAULT_PASS_METHOD=create ./scripts/install-vault-pass.sh
VAULT_PASS_CONTENT='...' INSTALL_VAULT_PASS_METHOD=manual ./scripts/install-vault-pass.sh VAULT_PASS_CONTENT='...' INSTALL_VAULT_PASS_METHOD=manual ./scripts/install-vault-pass.sh
VAULT_PASS_URL='https://...' INSTALL_VAULT_PASS_METHOD=url ./scripts/install-vault-pass.sh VAULT_PASS_URL='https://...' INSTALL_VAULT_PASS_METHOD=url ./scripts/install-vault-pass.sh