diff --git a/.gitignore b/.gitignore
index 8e12a020d29da48a16fb56185e776b735cd7d655..11f1177228fc6c2a1b84e1772b7ee34d17014966 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ __pycache__
env/
# ignore dummy_playbook
debug.yml
+group_vars/all/vault.yml
diff --git a/ansible.cfg b/ansible.cfg
index 32a6f327da84e4c287712c915da421f2b3b1a6eb..720ce9595c6c18062ce8b89616143de85a7e6ab3 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,7 +5,6 @@
# Explicitely redefined some defaults to make play execution work
roles_path = ./roles
action_plugins = ./action_plugins
-vars_plugins = ./vars_plugins
lookup_plugins = ./lookup_plugins
# Do not create .retry files
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index edc8efa2d3af8a39d1936474bd69d5a73f423abc..8acc7ad3b8215c84fd47b2218a6f2f909c35882e 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -40,8 +40,8 @@ adm_subnet: 10.231.136.0/24
#
# re2o:
# server: re2o.adm.crans.org
-# service_user: "{{ vault_re2o_service_user }}"
-# service_password: "{{ vault_re2o_service_password }}"
+# service_user: "{{ vault.re2o_service_user }}"
+# service_password: "{{ vault.re2o_service_password }}"
#
#
# # global server definitions
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9ba80a0d704e0e25d326883b05ef9c798c6d4daa
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1 @@
+vault: "{{ lookup('pipe', 'pass show crans/ansible_vault') | from_yaml }}"
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
index 311e9ac839c06e8e8e38597c7f1f61c9f96bb610..a10d64259a2c41ca6da71b83dc567338bafff893 100644
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -2,7 +2,7 @@
glob_certbot:
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "crans.org"
diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml
index bbdadaaa7c87740736d76716e85bf4c3399dde74..0caa4aec08a892ceed6582441380bfb48307151f 100644
--- a/group_vars/dhcp.yml
+++ b/group_vars/dhcp.yml
@@ -67,7 +67,7 @@ glob_re2o_services:
server: re2o.adm.crans.org
service:
user: services
- password: "{{ vault_re2o_service_password }}"
+ password: "{{ vault.re2o_service_password }}"
mail_server: "{{ glob_smtp }}"
glob_re2o_dhcp:
diff --git a/group_vars/django_cas.yml b/group_vars/django_cas.yml
index 859efff617ac5d91c495a1e01caf8036b4b146d0..ffed7acea02ae2ae5ae483c84d3946058588861d 100644
--- a/group_vars/django_cas.yml
+++ b/group_vars/django_cas.yml
@@ -11,13 +11,13 @@ glob_django_cas:
- auth.adm.crans.org
ldap:
dn: 'cn=Utilisateurs,dc=crans,dc=org'
- password: "{{ vault_cas_ldap_password }}"
+ password: "{{ vault.cas_ldap_password }}"
user: 'cn=cas,ou=service-users,dc=crans,dc=org'
server: 172.16.10.157
db:
host: tealc.adm.crans.org
- password: "{{ vault_cas_database_password }}"
- secret_key: "{{ vault_cas_secret_key }}"
+ password: "{{ vault.cas_database_password }}"
+ secret_key: "{{ vault.cas_secret_key }}"
reverse_proxy:
- '10.231.136.0/24'
- '2a0c:700:0:2::/64'
diff --git a/group_vars/framadate.yml b/group_vars/framadate.yml
index 9802a022b13911d92143c779e2dada545efd6967..8351237b5791fd02c3549374adc78ad97cf32113 100644
--- a/group_vars/framadate.yml
+++ b/group_vars/framadate.yml
@@ -6,6 +6,6 @@ glob_framadate:
repo: https://framagit.org/framasoft/framadate/framadate.git
version: "1.1.11"
admin_username: framadate
- admin_password: "{{ vault_framadate_password }}"
- db_password: "{{ vault_framadate_password_db }}"
+ admin_password: "{{ vault.framadate_password }}"
+ db_password: "{{ vault.framadate_password_db }}"
diff --git a/group_vars/horde.yml b/group_vars/horde.yml
index 1e5ba8909b0cf3c6e6910c24cd07ed4f3d6fc21a..337d2ddd3c7ee4593395428e3a74acfbc1869e2d 100644
--- a/group_vars/horde.yml
+++ b/group_vars/horde.yml
@@ -1,5 +1,5 @@
glob_horde:
- secret: '{{ vault_horde_secret }}'
+ secret: '{{ vault.horde_secret }}'
imap: imap.adm.crans.org
smtp: smtp.adm.crans.org
maildomain: crans.org
diff --git a/group_vars/re2o.yml b/group_vars/re2o.yml
index 63ed9d985eb23894fcdd5d2b08b9fef7da00aa65..c321358522dd39c691d0866a20d64df02cc47b3c 100644
--- a/group_vars/re2o.yml
+++ b/group_vars/re2o.yml
@@ -1,7 +1,7 @@
---
glob_re2o:
- django_secret_key: "{{ vault_re2o_django_secret_key }}"
- aes_key: "{{ vault_re2o_aes_key }}"
+ django_secret_key: "{{ vault.re2o_django_secret_key }}"
+ aes_key: "{{ vault.re2o_aes_key }}"
admins:
- ('Root', 'root@crans.org')
allowed_hosts:
@@ -9,9 +9,9 @@ glob_re2o:
- 'intranet.adm.crans.org'
from_email: "root@crans.org"
ldap:
- master_password: "{{ vault_ldap_master_password }}"
+ master_password: "{{ vault.ldap_master_password }}"
uri: "ldap://re2o-ldap.adm.crans.org/"
dn: "cn=admin,dc=crans,dc=org"
database:
- password: "{{ vault_re2o_db_password }}"
+ password: "{{ vault.re2o_db_password }}"
uri: "tealc.adm.crans.org"
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index 6a5d29592870be83d74a9633f9d59aae5f333077..fca4ddbe79018f6d6badca1e68cc6f4de783d53f 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -1,6 +1,6 @@
certbot:
dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
diff --git a/group_vars/roundcube.yml b/group_vars/roundcube.yml
index ebc76ac03dc5a87da5c4c06e3e70d7d1e7b34dc3..9c32c7d035bcc16f1579e38d840e75781e21a255 100644
--- a/group_vars/roundcube.yml
+++ b/group_vars/roundcube.yml
@@ -4,7 +4,7 @@ roundcube_glob:
smtp_server: smtp.adm.crans.org
pgsql_server: pgsql.adm.crans.org
mail_domain: crans.org
- des_key: "{{ vault_roundcube_des_key }}"
+ des_key: "{{ vault.roundcube_des_key }}"
plugins:
- repo: 'https://gitlab.crans.org/nounous/roundcube-intranet.git'
name: intranet
diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml
index 29aa1773266c73baf7812b67566b60c0e6875584..46fd880a1fec3f1828b733969fcf9d722cc21c35 100644
--- a/group_vars/slapd.yml
+++ b/group_vars/slapd.yml
@@ -2,6 +2,6 @@
glob_slapd:
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
- replication_credentials: "{{ vault_ldap_replication_credentials }}"
- private_key: "{{ vault_ldap_private_key }}"
- certificate: "{{ vault_ldap_certificate }}"
+ replication_credentials: "{{ vault.ldap_replication_credentials }}"
+ private_key: "{{ vault.ldap_private_key }}"
+ certificate: "{{ vault.ldap_certificate }}"
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
index f72209b395eb1d8ebdfdba12df8e4004a615939e..9e0e94ba1ba5f35e9ef9fc7e6b32d7da1ec041e0 100644
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@@ -6,14 +6,14 @@ interfaces:
loc_certbot:
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "*.crans.org"
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_adm_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
mail: root@crans.org
certname: adm.crans.org
domains: "*.adm.crans.org"
diff --git a/host_vars/hodaur.adm.crans.org.yml b/host_vars/hodaur.adm.crans.org.yml
index 4bc596b8c73190051cc30d92835f48eef197a22a..674f1a2ddee40c8c0ca415f02f99f013ee56a5c4 100644
--- a/host_vars/hodaur.adm.crans.org.yml
+++ b/host_vars/hodaur.adm.crans.org.yml
@@ -6,7 +6,7 @@ interfaces:
loc_certbot:
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
diff --git a/host_vars/owncloud.adm.crans.org.yml b/host_vars/owncloud.adm.crans.org.yml
index d8091980ce454f32575c2c09c47e75de648d193d..408b5258bbbeb888d40b03fd565805088b447dbd 100644
--- a/host_vars/owncloud.adm.crans.org.yml
+++ b/host_vars/owncloud.adm.crans.org.yml
@@ -6,6 +6,6 @@ interfaces:
loc_ldap:
base_dn: "cn=admin,dc=crans,dc=org"
- password: "{{ vault_ldap_master_password }}"
+ password: "{{ vault.ldap_master_password }}"
uri: "ldap://172.16.10.157"
diff --git a/host_vars/zamok.adm.crans.org.yml b/host_vars/zamok.adm.crans.org.yml
index bf60fd812bd4dee43b38d9b2c7b71293c520a6b1..fe68a7495e2c66f2314cd269d037bbe03225696c 100644
--- a/host_vars/zamok.adm.crans.org.yml
+++ b/host_vars/zamok.adm.crans.org.yml
@@ -6,4 +6,4 @@ loc_borg:
- type: mysql_databases
params:
- "- name: all"
- - " password: {{ vault_mysql_zamok_password }}"
+ - " password: {{ vault.mysql_zamok_password }}"
diff --git a/plays/dns.yml b/plays/dns.yml
index 4e61330fbcfc8e2174ab732e058e89602b78189f..c246215945d588456459c665345be555d53f5461 100755
--- a/plays/dns.yml
+++ b/plays/dns.yml
@@ -8,8 +8,8 @@
# Deploy authoritative DNS server
- hosts: dns_authoritative
vars:
- certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
- certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
+ certbot_dns_secret: "{{ vault.certbot_dns_secret }}"
+ certbot_adm_dns_secret: "{{ vault.certbot_adm_dns_secret }}"
bind:
masters: "{{ query('ldap', 'role', 'dns-primary') }}"
slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
@@ -22,7 +22,7 @@
vars:
re2o:
server: re2o.adm.crans.org
- service_user: "{{ vault_re2o_service_user }}"
- service_password: "{{ vault_re2o_service_password }}"
+ service_user: "{{ vault.re2o_service_user }}"
+ service_password: "{{ vault.re2o_service_password }}"
roles:
- dns
diff --git a/plays/firewall.yml b/plays/firewall.yml
index 0c24699c0453e17d83257e6290e70319784a1454..4382f9d7a90fff2b7d11f4fe7cbcff0fd4b07908 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -33,8 +33,8 @@
vars:
re2o:
server: re2o.adm.crans.org
- service_user: "{{ vault_re2o_service_user }}"
- service_password: "{{ vault_re2o_service_password }}"
+ service_user: "{{ vault.re2o_service_user }}"
+ service_password: "{{ vault.re2o_service_password }}"
roles:
- firewall
diff --git a/plays/generate_documentation.yml b/plays/generate_documentation.yml
index ce7a3859f97331ae8ae475f5bbe6be24d3d3f3c9..6119419e34374969139ac0ea6609b7d6dab449c9 100755
--- a/plays/generate_documentation.yml
+++ b/plays/generate_documentation.yml
@@ -3,8 +3,8 @@
# Document servers
- hosts: server
vars:
- moinmoin_user: "{{ vault_moinmoin_user }}"
- moinmoin_password: "{{ vault_moinmoin_password }}"
+ moinmoin_user: "{{ vault.moinmoin_user }}"
+ moinmoin_password: "{{ vault.moinmoin_password }}"
moinmoin_base_url: https://wiki.crans.org/CransTechnique/LesServeurs
roles:
- moinmoin-gendoc
diff --git a/plays/home.yml b/plays/home.yml
index aa47fa4c9b58861a07e10d009c570dfdf82e93ae..4104c91e05b336449e64354c447f67dda01f5e15 100755
--- a/plays/home.yml
+++ b/plays/home.yml
@@ -4,7 +4,7 @@
vars:
home:
ldap_server: ldap://re2o-ldap.adm.crans.org
- ldap_password: "{{ vault_ldap_home_password }}"
+ ldap_password: "{{ vault.ldap_home_password }}"
binddn: cn=home,ou=service-users,dc=crans,dc=org
rootdn: cn=Utilisateurs,dc=crans,dc=org
roles:
diff --git a/plays/mailman.yml b/plays/mailman.yml
index dfaf888bace6115d501f3c6d2fb9a717ef17aa46..6a84058baaa48fb0f27dd1c613ac9f1bc165172b 100755
--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@@ -31,11 +31,11 @@
vars:
mailman3:
site_owner: root@crans.org
- database_pass: "{{ vault_mailman3_database_pass }}"
- restadmin_pass: "{{ vault_mailman3_restadmin_pass }}"
- archiver_key: "{{ vault_mailman3_archiver_key }}"
- web_secret_key: "{{ vault_mailman3_web_secret_key }}"
- web_database_pass: "{{ vault_mailman3_web_database_pass }}"
+ database_pass: "{{ vault.mailman3_database_pass }}"
+ restadmin_pass: "{{ vault.mailman3_restadmin_pass }}"
+ archiver_key: "{{ vault.mailman3_archiver_key }}"
+ web_secret_key: "{{ vault.mailman3_web_secret_key }}"
+ web_database_pass: "{{ vault.mailman3_web_database_pass }}"
web_domain: "mailman.crans.org"
roles:
- mailman3
diff --git a/plays/monitoring.yml b/plays/monitoring.yml
index a046fb6bfbddfefe860dc11e28a1a01c25cbc265..0685ef519f5b01a24e4111eee563518f17fb21be 100755
--- a/plays/monitoring.yml
+++ b/plays/monitoring.yml
@@ -42,8 +42,8 @@
bird_targets:
- routeur-sam.adm.crans.org
- snmp_procurve_password: "{{ vault_snmp_procurve_password }}"
- snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+ snmp_procurve_password: "{{ vault.snmp_procurve_password }}"
+ snmp_unifi_password: "{{ vault.snmp_unifi_password }}"
grafana:
root_url: https://grafana.crans.org
diff --git a/plays/postfix.yml b/plays/postfix.yml
index 37195fa6cd3f8e9cdb69ceb2ad8f4f37656d6c66..0a76001c202ec82bf8de5aeaa5266a34f2adc73e 100755
--- a/plays/postfix.yml
+++ b/plays/postfix.yml
@@ -6,14 +6,14 @@
certbot:
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "*.crans.org"
bind:
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
opendkim:
- private_key: "{{ vault_opendkim_private_key }}"
+ private_key: "{{ vault.opendkim_private_key }}"
policyd:
mail: root@crans.org
exemptions: "{{ lookup('re2oapi', 'get_role', 'user-server')[0] }}"
diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index e1875021b41433b1e69cfeb15e2ec18c71e5bd57..8d530d6c278b60a858d8e6b92e7cb7768eadd509 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -6,8 +6,8 @@
debian_mirror: http://mirror.crans.org/debian
wireguard:
sputnik: true
- private_key: "{{ vault_wireguard_sputnik_private_key }}"
- peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
+ private_key: "{{ vault.wireguard_sputnik_private_key }}"
+ peer_public_key: "{{ vault.wireguard_boeing_public_key }}"
roles:
- wireguard
@@ -18,7 +18,7 @@
wireguard:
sputnik: false
if: ens18
- private_key: "{{ vault_wireguard_boeing_private_key }}"
- peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
+ private_key: "{{ vault.wireguard_boeing_private_key }}"
+ peer_public_key: "{{ vault.wireguard_sputnik_public_key }}"
roles:
- wireguard
diff --git a/re2o.yml b/re2o.yml
index 20952aba29635add9a4d779e2721becb01a15cd1..2975793229317c724ce7990559cfa22cca9415dc 100755
--- a/re2o.yml
+++ b/re2o.yml
@@ -7,8 +7,8 @@
vars:
re2o:
server: re2o.adm.crans.org
- service_user: "{{ vault_re2o_service_user }}"
- service_password: "{{ vault_re2o_service_password }}"
+ service_user: "{{ vault.re2o_service_user }}"
+ service_password: "{{ vault.re2o_service_password }}"
mail_server: smtp.adm.crans.org
roles:
- re2o-services
diff --git a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
index a1d5b0ae793a1f9c1d29b1ca19aec7083256bfd3..3bb4587e9f8f5e9613f918bf13b7643947d524c4 100644
--- a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
+++ b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
@@ -27,7 +27,7 @@ location:
borgmatic_source_directory: /tmp/borgmatic
storage:
- encryption_passphrase: {{ vault_borgbackup_passwd }}
+ encryption_passphrase: {{ vault.borgbackup_passwd }}
ssh_command: ssh -i /etc/borgmatic/id_ed25519_borg
borg_base_directory: /etc/borgmatic
borg_config_directory: /etc/borgmatic/config/
diff --git a/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2
index 1ef022e0994c22897203d5f3025f486fbf70edd8..2ebd6f805bb01883587b2acfb4446207eb952155 100644
--- a/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2
+++ b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2
@@ -1 +1 @@
-{{ vault_borgbackup_ssh_privkey }}
+{{ vault.borgbackup_ssh_privkey }}
diff --git a/roles/borgbackup-server/templates/authorized_keys.j2 b/roles/borgbackup-server/templates/authorized_keys.j2
index 9c3ff0ca0009e9ff6a40660d7e0cd5a065a7e060..184dde9bc9cda0db5a9ac551a630eac28584c2e9 100644
--- a/roles/borgbackup-server/templates/authorized_keys.j2
+++ b/roles/borgbackup-server/templates/authorized_keys.j2
@@ -1,3 +1,3 @@
{{ ansible_header | comment }}
-command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault_borgbackup_ssh_pubkey }}
+command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault.borgbackup_ssh_pubkey }}
diff --git a/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2
index 0165a10a8d42459163771d8071deb30af117ed52..82d27df0f5661a6b8c7ac3c4a7f0f85f129533dc 100644
--- a/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -25,7 +25,7 @@ uris = {{ ldap.uri }}
dn = {{ dovecot.ldap_dn }}
# Password for LDAP server, if dn is specified.
-dnpass = {{ vault_dovecot_dnpass }}
+dnpass = {{ vault.dovecot_dnpass }}
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
diff --git a/vars_plugins/vault_cranspasswords.ini b/vars_plugins/vault_cranspasswords.ini
deleted file mode 100644
index d0fd8b7fc8bb528ff1e310c79e77d6fb170c0360..0000000000000000000000000000000000000000
--- a/vars_plugins/vault_cranspasswords.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-# Ansible Vault CransPasswords settings
-#
-
-[cranspasswords]
-#: Commande exécutée sur le client pour appeler le script sur le serveur distant.
-server_cmd=/usr/bin/env ssh tealc.adm.crans.org sudo -n /usr/local/bin/cpasswords-server
diff --git a/vars_plugins/vault_cranspasswords.py b/vars_plugins/vault_cranspasswords.py
deleted file mode 100755
index 9f5c6ddb887f1a497b09f1d7cbe24a93be175a1f..0000000000000000000000000000000000000000
--- a/vars_plugins/vault_cranspasswords.py
+++ /dev/null
@@ -1,139 +0,0 @@
-#!/usr/bin/env python
-
-# (c) 2019 Cr@ns <roots@crans.org>
-# Authors : Alexandre IOOSS <erdnaxe@crans.org>
-# Based on cranspasswords by : Daniel Stan <daniel.stan@crans.org>
-# Vincent Le Gallic <legallic@crans.org>
-#
-# This file is part of Cr@ns ansible deployment
-
-"""
-Ansible Vault CransPasswords script.
-========================================
-
-Returns Ansible variables gpg encrypted and stored within cranspasswords.
-See https://gitlab.crans.org/nounous/cranspasswords
-
-Configuration is read from `vault_cranspasswords.ini`.
-"""
-
-import json
-import os
-import subprocess
-import sys
-
-from ansible.errors import AnsibleError, AnsibleParserError
-from ansible.module_utils._text import to_native
-from ansible.module_utils.six.moves import configparser
-from ansible.plugins.vars import BaseVarsPlugin
-
-DOCUMENTATION = '''
- module: vault_cranspasswords
- vars: vault_cranspasswords
- version_added: "2.7"
- short_description: In charge of loading variables stored within cranspasswords
- description:
- - Works exactly as a vault, loading variables from cranspasswords.
- - Decrypts the YAML file `ansible_vault` from cranspasswords.
- - Loads the secret variables.
- - Makes use of data caching in order to avoid calling cranspasswords multiple times.
- - Uses the local gpg key from the user running ansible on the Control node.
- options: {}
-'''
-
-
-class VarsModule(BaseVarsPlugin):
- @staticmethod
- def gpg_decrypt(crypt_text):
- """
- Decrypt the text in argument using gpg.
- """
- full_command = ['gpg', '-d']
- proc = subprocess.Popen(full_command,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=sys.stderr,
- close_fds=True)
- proc.stdin.write(crypt_text.encode())
- proc.stdin.close()
- clear_text = proc.stdout.read().decode()
- return clear_text
-
- def getfile_command(self, filename):
- """
- Run the command on the remote cranspasswords server, and return the output.
- """
- # Get full command from settings file
- try:
- command = self.config.get('cranspasswords', 'server_cmd').split(" ")
- except configparser.NoSectionError as e:
- raise AnsibleParserError(to_native(e))
- command.append("getfiles")
- proc = subprocess.Popen(
- command,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=sys.stderr,
- close_fds=True
- )
- proc.stdin.write(json.dumps([filename]).encode())
- proc.stdin.flush()
-
- raw_out, raw_err = proc.communicate()
- ret = proc.returncode
-
- if ret != 0:
- raise AnsibleError("Bad return code on the serveur side")
- try:
- answer = json.loads(raw_out.strip())
- return answer[0]
- except ValueError:
- raise AnsibleError("Unable to parse the result")
-
- def get_encrypted(self, filename):
- """
- Get encrypted content of a cranspasswords file
- """
- gotit, value = self.getfile_command(filename) # if not gotit, value contains the error message
- if not gotit:
- raise AnsibleError("Unable to get the file : {}".format(to_native(value)))
- else:
- crypt_text = value['contents']
- return crypt_text
-
- def __init__(self):
- super().__init__()
-
- # Load config
- self.config = configparser.ConfigParser()
- self.config.read(os.path.dirname(os.path.realpath(__file__))
- + '/vault_cranspasswords.ini')
-
- def get_vars(self, loader, path, entities):
- """
- Get all vars for entities, called by Ansible.
-
- loader: Ansible's DataLoader.
- path: Current play's playbook directory.
- entities: Host or group names pertinent to the variables needed.
- """
- # VarsModule objects are called every time you need host vars, per host,
- # and per group the host is part of.
- # It is about 6 times per host per task in current state
- # of Ansible Crans configuration.
-
- # It is way to much.
- # So we cache the data into the DataLoader (see parsing/DataLoader).
-
- super().get_vars(loader, path, entities)
-
- if 'cranspasswords' not in loader._FILE_CACHE:
- # Get text then decrypt and return
- crypt_text = self.get_encrypted('ansible_vault')
- clear_text = self.gpg_decrypt(crypt_text)
- data = loader.load(clear_text)
- loader._FILE_CACHE['cranspasswords'] = data
- else:
- data = loader._FILE_CACHE['cranspasswords']
-
- return data