From 39441c81f50e33db6a6b05b4eab02b74f173cb40 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Sun, 28 Feb 2021 11:54:48 +0100
Subject: [PATCH] Load environment variables from configuration file
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 .gitignore | 3 ++-
 vars_plugins/pass.ini.example | 3 +++
 vars_plugins/pass.py | 15 ++++++++++++---
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 vars_plugins/pass.ini.example
diff --git a/.gitignore b/.gitignore
index 11f11772..4248ee18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@ __pycache__
 env/
 # ignore dummy_playbook
 debug.yml
-group_vars/all/vault.yml
+# ignore local variables that are used to load passwords
+vars_plugins/pass.ini
diff --git a/vars_plugins/pass.ini.example b/vars_plugins/pass.ini.example
new file mode 100644
index 00000000..8878469f
--- /dev/null
+++ b/vars_plugins/pass.ini.example
@@ -0,0 +1,3 @@
+[pass]
+password_store_dir=/home/me/.password-store
+crans_password_store_submodule=crans
diff --git a/vars_plugins/pass.py b/vars_plugins/pass.py
index 228cebe7..0c53f614 100644
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
@@ -1,10 +1,12 @@ #!/usr/bin/env python + from functools import lru_cache -from os import getenv +import os from pathlib import Path import subprocess import sys +from ansible.module_utils.six.moves import configparser from ansible.plugins.vars import BaseVarsPlugin
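Review bot: Dropping `group_vars/all/vault.yml` from the ignore list in the .gitignore hunk means any checkout that still holds that file will now see it as untracked, and a broad `git add` would stage it. Whether older checkouts can still contain decrypted vault content there is not visible from this diff. If they can, keep the old entry next to the new one, i.e. both `group_vars/all/vault.yml` and `vars_plugins/pass.ini`, until the file is known to be gone everywhere.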
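Review bot: The `from ansible.module_utils.six.moves import configparser` line in the first vars_plugins/pass.py hunk buys no Python 2 compatibility. The next hunk passes `fallback=` to `config.get`, which only the Python 3 `configparser` accepts, and the surrounding code already calls `subprocess.run(..., capture_output=True)`. A plain `import configparser` placed with the other standard-library imports would read more directly and remove the dependency on the bundled shim.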
@@ -31,8 +33,15 @@ class VarsModule(BaseVarsPlugin): Passwords are decrypted from the local password store, then are cached. By that way, we don't decrypt these passwords everytime. """ - password_store = Path(getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')) - full_command = ['gpg', '-d', password_store / getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans') / 'ansible_vault.gpg'] + # Load config + config = configparser.ConfigParser() + config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini')) + + password_store = Path(config.get('pass', 'password_store_dir', + fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store'))) + crans_submodule = config.get('pass', 'crans_password_store_submodule', + fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans')) + full_command = ['gpg', '-d', password_store / crans_submodule / 'ansible_vault.gpg'] proc = subprocess.run(full_command, capture_output=True, close_fds=True) clear_text = proc.stdout.decode('UTF-8') sys.stderr.write(proc.stderr.decode('UTF-8')) -- GitLab
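Review bot: The values read from `pass.ini` go straight into the path handed to `gpg -d`, with no check that the resulting file exists and no check of `proc.returncode` in the visible lines. A typo in `password_store_dir` therefore leaves `clear_text` empty, with gpg's stderr as the only hint. A `~` in the ini value is also never expanded, and an absolute `crans_password_store_submodule` silently replaces the store directory, because `Path.__truediv__` discards the left side. I would normalise with `password_store = Path(...).expanduser()`, then after the stderr write add `if proc.returncode != 0:` and raise with the resolved vault path in the message. The enclosing function starts before this hunk and continues after it, so how an empty `clear_text` is handled further down is not visible here.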