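#!/usr/bin/env bash
# Thin wrapper around ansible-vault for this repository's secrets file.
#
# Usage: vault.sh <init|view|edit|encrypt <src>|decrypt <out>|rekey>
#
# Environment:
#   VAULT_FILE       encrypted vault (default: <repo>/secrets/vault.yml)
#   VAULT_PASS_FILE  vault password file (default: ~/.config/vault-pass.txt)
#
# NOTE(review): this copy of the script reached us collapsed onto one line with
# the usage() heredoc and the head of ensure_pass() lost in extraction; both
# were rebuilt from the surviving dispatch table and function tail below.
set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"

#######################################
# Print usage to stderr. The command list mirrors the case arms in main().
#######################################
usage() {
  cat >&2 <<EOF
Usage: ${0##*/} <command> [args]

Commands:
  init            create the vault password file if it does not exist
  view            print the decrypted vault
  edit            edit the vault in place
  encrypt <src>   encrypt <src> into the vault file
  decrypt <out>   write the decrypted vault to <out>
  rekey           generate a new password and re-encrypt the vault with it

Environment:
  VAULT_FILE       current: $VAULT_FILE
  VAULT_PASS_FILE  current: $VAULT_PASS_FILE
EOF
}

#######################################
# Write a fresh random vault password to the given path.
# Arguments: $1 - destination file
# The redirect runs under umask 077 so the file is created 0600 instead of
# being world-readable for the instant between creation and the chmod; the
# token itself is secrets.token_urlsafe(48), as in the original.
#######################################
write_new_pass() {
  local dest=$1
  mkdir -p -- "$(dirname -- "$dest")"
  (
    umask 077
    python3 - <<'PY' > "$dest"
import secrets
print(secrets.token_urlsafe(48))
PY
  )
  chmod 600 "$dest"
}

#######################################
# Create the vault password file if it is missing.
# Globals: VAULT_PASS_FILE (read)
#######################################
ensure_pass() {
  if [ ! -f "$VAULT_PASS_FILE" ]; then
    write_new_pass "$VAULT_PASS_FILE"
    echo "已建立 vault password file: $VAULT_PASS_FILE"
  fi
}

#######################################
# Dispatch on the subcommand in $1.
# Globals: VAULT_FILE, VAULT_PASS_FILE (read)
# Returns: exits 1 on usage error or missing input file
#######################################
main() {
  local cmd="${1:-}"

  # Every arm except `init` (and the usage fallthrough) shells out to ansible-vault.
  case "$cmd" in
    view|edit|encrypt|decrypt|rekey)
      command -v ansible-vault >/dev/null 2>&1 \
        || { echo "ansible-vault not found in PATH" >&2; exit 1; }
      ;;
  esac

  case "$cmd" in
    init)
      ensure_pass
      ;;
    view)
      ensure_pass
      ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE"
      ;;
    edit)
      ensure_pass
      [ -f "$VAULT_FILE" ] || { echo "找不到 $VAULT_FILE"; exit 1; }
      ansible-vault edit "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE"
      ;;
    encrypt)
      ensure_pass
      local src="${2:-}"
      [ -n "$src" ] || { usage; exit 1; }
      [ -f "$src" ] || { echo "找不到 $src"; exit 1; }
      mkdir -p -- "$(dirname -- "$VAULT_FILE")"
      # Encrypt straight from $src into the vault path rather than cp-then-encrypt,
      # so a failed encrypt never leaves plaintext sitting at $VAULT_FILE.
      # $src itself is left untouched, as the original cp did.
      ansible-vault encrypt "$src" --output "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE"
      ;;
    decrypt)
      ensure_pass
      local out="${2:-}"
      [ -n "$out" ] || { usage; exit 1; }
      # Restrictive umask: the plaintext is created 0600 instead of being
      # readable by others until the chmod below runs.
      (
        umask 077
        ansible-vault decrypt "$VAULT_FILE" --output "$out" --vault-password-file "$VAULT_PASS_FILE"
      )
      # `--output -` sends plaintext to stdout; there is no file to chmod then.
      chmod 600 "$out" || true
      ;;
    rekey)
      ensure_pass
      [ -f "$VAULT_FILE" ] || { echo "找不到 $VAULT_FILE"; exit 1; }
      local tmp_new
      tmp_new="$(mktemp)"   # mktemp creates the file 0600
      # If rekey fails under set -e, do not leave the candidate key behind.
      trap 'rm -f -- "$tmp_new"' EXIT
      write_new_pass "$tmp_new"
      ansible-vault rekey "$VAULT_FILE" \
        --vault-password-file "$VAULT_PASS_FILE" \
        --new-vault-password-file "$tmp_new"
      mv -- "$tmp_new" "$VAULT_PASS_FILE"
      chmod 600 "$VAULT_PASS_FILE"
      trap - EXIT
      echo "已更新 vault key: $VAULT_PASS_FILE"
      ;;
    *)
      usage
      exit 1
      ;;
  esac
}

main "$@"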