diff --git a/ansible.cfg b/ansible.cfg
index 2ebd2aad7ad98ed0ac8a0a5bf011666999ebe129..45f652161e5d2fe8377cdad863fd5e999c891dc5 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -41,8 +41,8 @@ fact_caching_timeout = 86400
# Use sudo to get priviledge access
become = True
-# Ask for password
-become_ask_pass = True
+# Use custom password request
+become_ask_pass = False
[ssh_connection]
diff --git a/vars_plugins/pass.ini.example b/vars_plugins/pass.ini.example
index 8878469f53e750e3252787bd94c870550a7ab5b2..3ec807eb3c501e5ffcd25d5411ccc3496caeba9e 100644
--- a/vars_plugins/pass.ini.example
+++ b/vars_plugins/pass.ini.example
@@ -1,3 +1,7 @@
[pass]
-password_store_dir=/home/me/.password-store
-crans_password_store_submodule=crans
+# password_store_dir=/home/me/.password-store
+# crans_password_store_submodule=crans
+
+[pass_become]
+# all=mdp-root
+# adh_server=mdp-zamok
diff --git a/vars_plugins/pass.py b/vars_plugins/pass.py
index 0c53f614037984ea37220a0515f942d3785ab758..6db46854942de243e7de51f501933545048cb6b0 100644
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
@@ -1,6 +1,7 @@
#!/usr/bin/env python
from functools import lru_cache
+from getpass import getpass
import os
from pathlib import Path
import subprocess
@@ -28,7 +29,7 @@ DOCUMENTATION = """
class VarsModule(BaseVarsPlugin):
@staticmethod
@lru_cache
- def vault_passwords():
+ def decrypt_password(name, crans_submodule=False):
"""
Passwords are decrypted from the local password store, then are cached.
By that way, we don't decrypt these passwords everytime.
@@ -39,14 +40,36 @@ class VarsModule(BaseVarsPlugin):
password_store = Path(config.get('pass', 'password_store_dir',
fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
- crans_submodule = config.get('pass', 'crans_password_store_submodule',
- fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
- full_command = ['gpg', '-d', password_store / crans_submodule / 'ansible_vault.gpg']
+
+ if crans_submodule:
+ password_store /= config.get('pass', 'crans_password_store_submodule',
+ fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
+ full_command = ['gpg', '-d', password_store / f'{name}.gpg']
proc = subprocess.run(full_command, capture_output=True, close_fds=True)
clear_text = proc.stdout.decode('UTF-8')
sys.stderr.write(proc.stderr.decode('UTF-8'))
return clear_text
+ @staticmethod
+ @lru_cache
+ def become_password(entity):
+ """
+ Query the become password that should be used for the given entity.
+ If entity is the whole group that has no default password,
+ the become password will be prompted.
+ The configuration should be given in pass.ini, in the `pass_become`
+ group. You have only to write `group=pass-filename`.
+ """
+ # Load config
+ config = configparser.ConfigParser()
+ config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
+ if config.has_option('pass_become', entity.get_name()):
+ return VarsModule.decrypt_password(
+ config.get('pass_become', entity.get_name())).split('\n')[0]
+ if entity.get_name() == "all":
+ return getpass("BECOME password: ", stream=None)
+ return None
+
def get_vars(self, loader, path, entities):
"""
Get all vars for entities, called by Ansible.
@@ -63,4 +86,17 @@ class VarsModule(BaseVarsPlugin):
# It is way to much.
# So we cache the data into the DataLoader (see parsing/DataLoader).
- return {'vault': loader.load(VarsModule.vault_passwords())}
+ passwords = {}
+
+ for entity in entities:
+ # Load vault passwords
+ if entity.get_name() == 'all':
+ passwords['vault'] = loader.load(
+ VarsModule.decrypt_password('ansible_vault', True))
+
+ # Load become password
+ become_password = VarsModule.become_password(entity)
+ if become_password is not None:
+ passwords['ansible_become_password'] = become_password
+
+ return passwords