golden hour
/opt/saltstack/salt/lib/python3.10/site-packages/salt/runners/__pycache__
File/Folder                       Size
__init__.cpython-310.pyc          197 B
asam.cpython-310.pyc              7.9 KB
auth.cpython-310.pyc              1.89 KB
bgp.cpython-310.pyc               12.55 KB
cache.cpython-310.pyc             10.98 KB
cloud.cpython-310.pyc             4.16 KB
config.cpython-310.pyc            1.08 KB
ddns.cpython-310.pyc              6.7 KB
digicertapi.cpython-310.pyc       16.23 KB
doc.cpython-310.pyc               1.76 KB
drac.cpython-310.pyc              4.15 KB
error.cpython-310.pyc             771 B
event.cpython-310.pyc             2.32 KB
f5.cpython-310.pyc                8.29 KB
fileserver.cpython-310.pyc        17.12 KB
git_pillar.cpython-310.pyc        3.54 KB
http.cpython-310.pyc              2.55 KB
jobs.cpython-310.pyc              13.26 KB
launchd.cpython-310.pyc           1.49 KB
lxc.cpython-310.pyc               13.3 KB
manage.cpython-310.pyc            21.71 KB
mattermost.cpython-310.pyc        4.21 KB
mine.cpython-310.pyc              1.79 KB
nacl.cpython-310.pyc              8.46 KB
net.cpython-310.pyc               27.7 KB
network.cpython-310.pyc           2.59 KB
pagerduty.cpython-310.pyc         3.96 KB
pillar.cpython-310.pyc            4.25 KB
pkg.cpython-310.pyc               1.37 KB
queue.cpython-310.pyc             8.14 KB
reactor.cpython-310.pyc           4.32 KB
salt.cpython-310.pyc              4.58 KB
saltutil.cpython-310.pyc          15.88 KB
sdb.cpython-310.pyc               2.54 KB
smartos_vmadm.cpython-310.pyc     7.99 KB
spacewalk.cpython-310.pyc         7.54 KB
ssh.cpython-310.pyc               1000 B
state.cpython-310.pyc             8.22 KB
survey.cpython-310.pyc            5.07 KB
test.cpython-310.pyc              2.65 KB
thin.cpython-310.pyc              1.81 KB
vault.cpython-310.pyc             10.01 KB
venafiapi.cpython-310.pyc         5.57 KB
virt.cpython-310.pyc              13.15 KB
vistara.cpython-310.pyc           4.39 KB
winrepo.cpython-310.pyc           5.14 KB
Edit: nacl.cpython-310.pyc
This module helps include encrypted passwords in pillars, grains and salt state files.

:depends: PyNaCl, https://github.com/pyca/pynacl

This is often useful if you wish to store your pillars in source control or
share your pillar data with others that you trust. I don't advise making your
pillars public, regardless of whether they are encrypted or not.

:configuration: The following configuration defaults can be defined (pillar or
    config files). Avoid storing private keys in pillars! Ensure master does
    not have `pillar_opts=True`:

    .. code-block:: python

        # cat /etc/salt/master.d/nacl.conf
        nacl.config:
            # NOTE: `key` and `key_file` have been renamed to `sk`, `sk_file`
            # also `box_type` default changed from secretbox to sealedbox.
            box_type: sealedbox                     # default
            sk_file: /etc/salt/pki/master/nacl      # default
            pk_file: /etc/salt/pki/master/nacl.pub  # default
            sk: None
            pk: None

    Usage can override the config defaults:

    .. code-block:: bash

        salt-run nacl.enc sk_file=/etc/salt/pki/master/nacl pk_file=/etc/salt/pki/master/nacl.pub

The nacl lib uses 32-byte keys; these keys are base64 encoded to make your life simpler.
To generate your `sk_file` and `pk_file` use:

.. code-block:: bash

    salt-run nacl.keygen sk_file=/etc/salt/pki/master/nacl
    # or if you want to work without files.
    salt-run nacl.keygen
    local:
        ----------
        pk:
            /kfGX7PbWeu099702PBbKWLpG/9p06IQRswkdWHCDk0=
        sk:
            SVWut5SqNpuPeNzb1b9y6b2eXg2PLIog43GBzp48Sow=

Now with your keypair, you can encrypt data:

You have two options, `sealedbox` or `secretbox`.

SecretBox is data encrypted using private key `pk`. Sealedbox is encrypted using public key `pk`.

Recommend using Sealedbox because the one way encryption permits developers to
encrypt data for source control but not decrypt.
Sealedbox only has one key that is for both encryption and decryption.

.. code-block:: bash

    salt-run nacl.enc asecretpass pk=/kfGX7PbWeu099702PBbKWLpG/9p06IQRswkdWHCDk0=
    tqXzeIJnTAM9Xf0mdLcpEdklMbfBGPj2oTKmlgrm3S1DTVVHNnh9h8mU1GKllGq/+cYsk6m5WhGdk58=

To decrypt the data:

.. code-block:: bash

    salt-run nacl.dec data='tqXzeIJnTAM9Xf0mdLcpEdklMbfBGPj2oTKmlgrm3S1DTVVHNnh9h8mU1GKllGq/+cYsk6m5WhGdk58=' sk='SVWut5SqNpuPeNzb1b9y6b2eXg2PLIog43GBzp48Sow='

When the keys are defined in the master config you can use them from the nacl
runner without extra parameters:

.. code-block:: python

    # cat /etc/salt/master.d/nacl.conf
    nacl.config:
        sk_file: /etc/salt/pki/master/nacl
        pk: 'cTIqXwnUiD1ulg4kXsbeCE7/NoeKEzd4nLeYcCFpd9k='

.. code-block:: bash

    salt-run nacl.enc 'asecretpass'
    salt-run nacl.dec data='tqXzeIJnTAM9Xf0mdLcpEdklMbfBGPj2oTKmlgrm3S1DTVVHNnh9h8mU1GKllGq/+cYsk6m5WhGdk58='

.. code-block:: yaml

    # a salt developer's minion could have pillar data that includes a nacl public key
    nacl.config:
        pk: '/kfGX7PbWeu099702PBbKWLpG/9p06IQRswkdWHCDk0='

The developer can then use a less-secure system to encrypt data.

.. code-block:: bash

    salt-run nacl.enc apassword

Pillar files can include protected data that the salt master decrypts:

.. code-block:: jinja

    pillarexample:
        user: root
        password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
        cert_key: {{salt.nacl.dec_file('/srv/salt/certs/example.com/key.nacl')|json}}
        cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/key.nacl')|json}}

Larger files like certificates can be encrypted with:

.. code-block:: bash

    salt-run nacl.enc_file /tmp/cert.crt out=/tmp/cert.nacl