From 59bc91dc9dd056238030f40372d0a69fa2c63aa5 Mon Sep 17 00:00:00 2001 From: shirenn <shirenn@crans.org> Date: Mon, 22 Feb 2021 11:28:49 +0100 Subject: [PATCH] [vault] Changing cranspasswords to pass crans --- .gitignore | 1 + ansible.cfg | 1 - group_vars/all/vars.yaml | 4 +- group_vars/all/vault.yml | 1 + group_vars/certbot.yml | 2 +- group_vars/dhcp.yml | 2 +- group_vars/django_cas.yml | 6 +- group_vars/framadate.yml | 4 +- group_vars/horde.yml | 2 +- group_vars/re2o.yml | 8 +- group_vars/reverseproxy.yml | 2 +- group_vars/roundcube.yml | 2 +- group_vars/slapd.yml | 6 +- host_vars/gitzly.adm.crans.org.yml | 4 +- host_vars/hodaur.adm.crans.org.yml | 2 +- host_vars/owncloud.adm.crans.org.yml | 2 +- host_vars/zamok.adm.crans.org.yml | 2 +- plays/dns.yml | 8 +- plays/firewall.yml | 4 +- plays/generate_documentation.yml | 4 +- plays/home.yml | 2 +- plays/mailman.yml | 10 +- plays/monitoring.yml | 4 +- plays/postfix.yml | 4 +- plays/wireguard.yml | 8 +- re2o.yml | 4 +- .../templates/borgmatic/config.yaml.j2 | 2 +- .../templates/borgmatic/id_ed25519_borg.j2 | 2 +- .../templates/authorized_keys.j2 | 2 +- .../dovecot/dovecot-ldap.conf.ext.j2 | 2 +- vars_plugins/vault_cranspasswords.ini | 6 - vars_plugins/vault_cranspasswords.py | 139 ------------------ 32 files changed, 54 insertions(+), 198 deletions(-) create mode 100644 group_vars/all/vault.yml delete mode 100644 vars_plugins/vault_cranspasswords.ini delete mode 100755 vars_plugins/vault_cranspasswords.py diff --git a/.gitignore b/.gitignore index 8e12a020..11f11772 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ __pycache__ env/ # ignore dummy_playbook debug.yml +group_vars/all/vault.yml diff --git a/ansible.cfg b/ansible.cfg index 32a6f327..720ce959 100644 --- a/ansible.cfg +++ b/ansible.cfg 
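Review bot: The `+group_vars/all/vault.yml` ignore rule has no effect as written, because the same commit adds that very file to the tree (`create mode 100644 group_vars/all/vault.yml`) and git keeps tracking a file that is already committed regardless of `.gitignore`. Either keep the file out of the repository (the one-line `pass show` lookup could ship as a documented example file that each operator copies) or drop the ignore entry, so nobody is misled into assuming local edits to it stay out of commits. The hunk does not say which of the two was intended.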
@@ -5,7 +5,6 @@ # Explicitely redefined some defaults to make play execution work roles_path = ./roles action_plugins = ./action_plugins -vars_plugins = ./vars_plugins lookup_plugins = ./lookup_plugins # Do not create .retry files diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml index edc8efa2..8acc7ad3 100644 --- a/group_vars/all/vars.yaml +++ b/group_vars/all/vars.yaml @@ -40,8 +40,8 @@ adm_subnet: 10.231.136.0/24 # # re2o: # server: re2o.adm.crans.org -# service_user: "{{ vault_re2o_service_user }}" -# service_password: "{{ vault_re2o_service_password }}" +# service_user: "{{ vault.re2o_service_user }}" +# service_password: "{{ vault.re2o_service_password }}" # # # # global server definitions diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml new file mode 100644 index 00000000..9ba80a0d --- /dev/null +++ b/group_vars/all/vault.yml @@ -0,0 +1 @@ +vault: "{{ lookup('pipe', 'pass show crans/ansible_vault') | from_yaml }}" diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml index 311e9ac8..a10d6425 100644 --- a/group_vars/certbot.yml +++ b/group_vars/certbot.yml @@ -2,7 +2,7 @@ glob_certbot: - dns_rfc2136_server: '172.16.10.147' dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}" mail: root@crans.org certname: crans.org domains: "crans.org" diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml index bbdadaaa..0caa4aec 100644 --- a/group_vars/dhcp.yml +++ b/group_vars/dhcp.yml @@ -67,7 +67,7 @@ glob_re2o_services: server: re2o.adm.crans.org service: user: services - password: "{{ vault_re2o_service_password }}" + password: "{{ vault.re2o_service_password }}" mail_server: "{{ glob_smtp }}" glob_re2o_dhcp: diff --git a/group_vars/django_cas.yml b/group_vars/django_cas.yml index 859efff6..ffed7ace 100644 --- a/group_vars/django_cas.yml +++ b/group_vars/django_cas.yml 
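Review bot: `group_vars/all/vault.yml` pulls every secret through `lookup('pipe', 'pass show crans/ansible_vault')` with no caching, and since Ansible renders group vars lazily the `pass show` (and its gpg decryption) is presumably re-run each time a `vault.<key>` reference is templated — per host and per task, the exact cost the deleted `vars_plugins/vault_cranspasswords.py` stored the decrypted data in `loader._FILE_CACHE` to avoid. If that turns out to matter in practice, a single `set_fact` early in the play (optionally `cacheable: true`) or a small vars plugin that keeps the cache would bring it back to one invocation per run. The file is also now the only place that says what the password-store entry must contain, so a short header such as `# Secrets come from the operator's password store: 'pass show crans/ansible_vault'` / `# must print a YAML mapping; keys are referenced as vault.<key>` would help the next maintainer.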
@@ -11,13 +11,13 @@ glob_django_cas: - auth.adm.crans.org ldap: dn: 'cn=Utilisateurs,dc=crans,dc=org' - password: "{{ vault_cas_ldap_password }}" + password: "{{ vault.cas_ldap_password }}" user: 'cn=cas,ou=service-users,dc=crans,dc=org' server: 172.16.10.157 db: host: tealc.adm.crans.org - password: "{{ vault_cas_database_password }}" - secret_key: "{{ vault_cas_secret_key }}" + password: "{{ vault.cas_database_password }}" + secret_key: "{{ vault.cas_secret_key }}" reverse_proxy: - '10.231.136.0/24' - '2a0c:700:0:2::/64' diff --git a/group_vars/framadate.yml b/group_vars/framadate.yml index 9802a022..8351237b 100644 --- a/group_vars/framadate.yml +++ b/group_vars/framadate.yml @@ -6,6 +6,6 @@ glob_framadate: repo: https://framagit.org/framasoft/framadate/framadate.git version: "1.1.11" admin_username: framadate - admin_password: "{{ vault_framadate_password }}" - db_password: "{{ vault_framadate_password_db }}" + admin_password: "{{ vault.framadate_password }}" + db_password: "{{ vault.framadate_password_db }}" diff --git a/group_vars/horde.yml b/group_vars/horde.yml index 1e5ba890..337d2ddd 100644 --- a/group_vars/horde.yml +++ b/group_vars/horde.yml @@ -1,5 +1,5 @@ glob_horde: - secret: '{{ vault_horde_secret }}' + secret: '{{ vault.horde_secret }}' imap: imap.adm.crans.org smtp: smtp.adm.crans.org maildomain: crans.org diff --git a/group_vars/re2o.yml b/group_vars/re2o.yml index 63ed9d98..c3213585 100644 --- a/group_vars/re2o.yml +++ b/group_vars/re2o.yml @@ -1,7 +1,7 @@ --- glob_re2o: - django_secret_key: "{{ vault_re2o_django_secret_key }}" - aes_key: "{{ vault_re2o_aes_key }}" + django_secret_key: "{{ vault.re2o_django_secret_key }}" + aes_key: "{{ vault.re2o_aes_key }}" admins: - ('Root', 'root@crans.org') allowed_hosts: 
@@ -9,9 +9,9 @@ glob_re2o: - 'intranet.adm.crans.org' from_email: "root@crans.org" ldap: - master_password: "{{ vault_ldap_master_password }}" + master_password: "{{ vault.ldap_master_password }}" uri: "ldap://re2o-ldap.adm.crans.org/" dn: "cn=admin,dc=crans,dc=org" database: - password: "{{ vault_re2o_db_password }}" + password: "{{ vault.re2o_db_password }}" uri: "tealc.adm.crans.org" diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml index 6a5d2959..fca4ddbe 100644 --- a/group_vars/reverseproxy.yml +++ b/group_vars/reverseproxy.yml @@ -1,6 +1,6 @@ certbot: dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}" mail: root@crans.org certname: crans.org domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" diff --git a/group_vars/roundcube.yml b/group_vars/roundcube.yml index ebc76ac0..9c32c7d0 100644 --- a/group_vars/roundcube.yml +++ b/group_vars/roundcube.yml @@ -4,7 +4,7 @@ roundcube_glob: smtp_server: smtp.adm.crans.org pgsql_server: pgsql.adm.crans.org mail_domain: crans.org - des_key: "{{ vault_roundcube_des_key }}" + des_key: "{{ vault.roundcube_des_key }}" plugins: - repo: 'https://gitlab.crans.org/nounous/roundcube-intranet.git' name: intranet diff --git a/group_vars/slapd.yml b/group_vars/slapd.yml index 29aa1773..46fd880a 100644 --- a/group_vars/slapd.yml +++ b/group_vars/slapd.yml 
@@ -2,6 +2,6 @@ glob_slapd: master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}" regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$" - replication_credentials: "{{ vault_ldap_replication_credentials }}" - private_key: "{{ vault_ldap_private_key }}" - certificate: "{{ vault_ldap_certificate }}" + replication_credentials: "{{ vault.ldap_replication_credentials }}" + private_key: "{{ vault.ldap_private_key }}" + certificate: "{{ vault.ldap_certificate }}" diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml index f72209b3..9e0e94ba 100644 --- a/host_vars/gitzly.adm.crans.org.yml +++ b/host_vars/gitzly.adm.crans.org.yml @@ -6,14 +6,14 @@ interfaces: loc_certbot: - dns_rfc2136_server: '172.16.10.147' dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}" mail: root@crans.org certname: crans.org domains: "*.crans.org" - dns_rfc2136_server: '172.16.10.147' dns_rfc2136_name: certbot_adm_challenge. - dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}" mail: root@crans.org certname: adm.crans.org domains: "*.adm.crans.org" diff --git a/host_vars/hodaur.adm.crans.org.yml b/host_vars/hodaur.adm.crans.org.yml index 4bc596b8..674f1a2d 100644 --- a/host_vars/hodaur.adm.crans.org.yml +++ b/host_vars/hodaur.adm.crans.org.yml @@ -6,7 +6,7 @@ interfaces: loc_certbot: - dns_rfc2136_server: '172.16.10.147' dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}" mail: root@crans.org certname: crans.org domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" diff --git a/host_vars/owncloud.adm.crans.org.yml b/host_vars/owncloud.adm.crans.org.yml index d8091980..408b5258 100644 
--- a/host_vars/owncloud.adm.crans.org.yml +++ b/host_vars/owncloud.adm.crans.org.yml @@ -6,6 +6,6 @@ interfaces: loc_ldap: base_dn: "cn=admin,dc=crans,dc=org" - password: "{{ vault_ldap_master_password }}" + password: "{{ vault.ldap_master_password }}" uri: "ldap://172.16.10.157" diff --git a/host_vars/zamok.adm.crans.org.yml b/host_vars/zamok.adm.crans.org.yml index bf60fd81..fe68a749 100644 --- a/host_vars/zamok.adm.crans.org.yml +++ b/host_vars/zamok.adm.crans.org.yml @@ -6,4 +6,4 @@ loc_borg: - type: mysql_databases params: - "- name: all" - - " password: {{ vault_mysql_zamok_password }}" + - " password: {{ vault.mysql_zamok_password }}" diff --git a/plays/dns.yml b/plays/dns.yml index 4e61330f..c2462159 100755 --- a/plays/dns.yml +++ b/plays/dns.yml @@ -8,8 +8,8 @@ # Deploy authoritative DNS server - hosts: dns_authoritative vars: - certbot_dns_secret: "{{ vault_certbot_dns_secret }}" - certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}" + certbot_dns_secret: "{{ vault.certbot_dns_secret }}" + certbot_adm_dns_secret: "{{ vault.certbot_adm_dns_secret }}" bind: masters: "{{ query('ldap', 'role', 'dns-primary') }}" slaves: "{{ query('ldap', 'role', 'dns-secondary') }}" @@ -22,7 +22,7 @@ vars: re2o: server: re2o.adm.crans.org - service_user: "{{ vault_re2o_service_user }}" - service_password: "{{ vault_re2o_service_password }}" + service_user: "{{ vault.re2o_service_user }}" + service_password: "{{ vault.re2o_service_password }}" roles: - dns diff --git a/plays/firewall.yml b/plays/firewall.yml index 0c24699c..4382f9d7 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -33,8 +33,8 @@ vars: re2o: server: re2o.adm.crans.org - service_user: "{{ vault_re2o_service_user }}" - service_password: "{{ vault_re2o_service_password }}" + service_user: "{{ vault.re2o_service_user }}" + service_password: "{{ vault.re2o_service_password }}" roles: - firewall 
diff --git a/plays/generate_documentation.yml b/plays/generate_documentation.yml index ce7a3859..6119419e 100755 --- a/plays/generate_documentation.yml +++ b/plays/generate_documentation.yml @@ -3,8 +3,8 @@ # Document servers - hosts: server vars: - moinmoin_user: "{{ vault_moinmoin_user }}" - moinmoin_password: "{{ vault_moinmoin_password }}" + moinmoin_user: "{{ vault.moinmoin_user }}" + moinmoin_password: "{{ vault.moinmoin_password }}" moinmoin_base_url: https://wiki.crans.org/CransTechnique/LesServeurs roles: - moinmoin-gendoc diff --git a/plays/home.yml b/plays/home.yml index aa47fa4c..4104c91e 100755 --- a/plays/home.yml +++ b/plays/home.yml @@ -4,7 +4,7 @@ vars: home: ldap_server: ldap://re2o-ldap.adm.crans.org - ldap_password: "{{ vault_ldap_home_password }}" + ldap_password: "{{ vault.ldap_home_password }}" binddn: cn=home,ou=service-users,dc=crans,dc=org rootdn: cn=Utilisateurs,dc=crans,dc=org roles: diff --git a/plays/mailman.yml b/plays/mailman.yml index dfaf888b..6a84058b 100755 --- a/plays/mailman.yml +++ b/plays/mailman.yml @@ -31,11 +31,11 @@ vars: mailman3: site_owner: root@crans.org - database_pass: "{{ vault_mailman3_database_pass }}" - restadmin_pass: "{{ vault_mailman3_restadmin_pass }}" - archiver_key: "{{ vault_mailman3_archiver_key }}" - web_secret_key: "{{ vault_mailman3_web_secret_key }}" - web_database_pass: "{{ vault_mailman3_web_database_pass }}" + database_pass: "{{ vault.mailman3_database_pass }}" + restadmin_pass: "{{ vault.mailman3_restadmin_pass }}" + archiver_key: "{{ vault.mailman3_archiver_key }}" + web_secret_key: "{{ vault.mailman3_web_secret_key }}" + web_database_pass: "{{ vault.mailman3_web_database_pass }}" web_domain: "mailman.crans.org" roles: - mailman3 diff --git a/plays/monitoring.yml b/plays/monitoring.yml index a046fb6b..0685ef51 100755 --- a/plays/monitoring.yml +++ b/plays/monitoring.yml 
@@ -42,8 +42,8 @@ bird_targets: - routeur-sam.adm.crans.org - snmp_procurve_password: "{{ vault_snmp_procurve_password }}" - snmp_unifi_password: "{{ vault_snmp_unifi_password }}" + snmp_procurve_password: "{{ vault.snmp_procurve_password }}" + snmp_unifi_password: "{{ vault.snmp_unifi_password }}" grafana: root_url: https://grafana.crans.org diff --git a/plays/postfix.yml b/plays/postfix.yml index 37195fa6..0a76001c 100755 --- a/plays/postfix.yml +++ b/plays/postfix.yml @@ -6,14 +6,14 @@ certbot: - dns_rfc2136_server: '172.16.10.147' dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}" mail: root@crans.org certname: crans.org domains: "*.crans.org" bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" opendkim: - private_key: "{{ vault_opendkim_private_key }}" + private_key: "{{ vault.opendkim_private_key }}" policyd: mail: root@crans.org exemptions: "{{ lookup('re2oapi', 'get_role', 'user-server')[0] }}" diff --git a/plays/wireguard.yml b/plays/wireguard.yml index e1875021..8d530d6c 100755 --- a/plays/wireguard.yml +++ b/plays/wireguard.yml @@ -6,8 +6,8 @@ debian_mirror: http://mirror.crans.org/debian wireguard: sputnik: true - private_key: "{{ vault_wireguard_sputnik_private_key }}" - peer_public_key: "{{ vault_wireguard_boeing_public_key }}" + private_key: "{{ vault.wireguard_sputnik_private_key }}" + peer_public_key: "{{ vault.wireguard_boeing_public_key }}" roles: - wireguard @@ -18,7 +18,7 @@ wireguard: sputnik: false if: ens18 - private_key: "{{ vault_wireguard_boeing_private_key }}" - peer_public_key: "{{ vault_wireguard_sputnik_public_key }}" + private_key: "{{ vault.wireguard_boeing_private_key }}" + peer_public_key: "{{ vault.wireguard_sputnik_public_key }}" roles: - wireguard diff --git a/re2o.yml b/re2o.yml index 20952aba..29757932 100755 --- a/re2o.yml +++ b/re2o.yml 
@@ -7,8 +7,8 @@ vars: re2o: server: re2o.adm.crans.org - service_user: "{{ vault_re2o_service_user }}" - service_password: "{{ vault_re2o_service_password }}" + service_user: "{{ vault.re2o_service_user }}" + service_password: "{{ vault.re2o_service_password }}" mail_server: smtp.adm.crans.org roles: - re2o-services diff --git a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 index a1d5b0ae..3bb4587e 100644 --- a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 +++ b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 @@ -27,7 +27,7 @@ location: borgmatic_source_directory: /tmp/borgmatic storage: - encryption_passphrase: {{ vault_borgbackup_passwd }} + encryption_passphrase: {{ vault.borgbackup_passwd }} ssh_command: ssh -i /etc/borgmatic/id_ed25519_borg borg_base_directory: /etc/borgmatic borg_config_directory: /etc/borgmatic/config/ diff --git a/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 index 1ef022e0..2ebd6f80 100644 --- a/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 +++ b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 @@ -1 +1 @@ -{{ vault_borgbackup_ssh_privkey }} +{{ vault.borgbackup_ssh_privkey }} diff --git a/roles/borgbackup-server/templates/authorized_keys.j2 b/roles/borgbackup-server/templates/authorized_keys.j2 index 9c3ff0ca..184dde9b 100644 --- a/roles/borgbackup-server/templates/authorized_keys.j2 +++ b/roles/borgbackup-server/templates/authorized_keys.j2 @@ -1,3 +1,3 @@ {{ ansible_header | comment }} -command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault_borgbackup_ssh_pubkey }} +command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault.borgbackup_ssh_pubkey }} 
diff --git a/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2 index 0165a10a..82d27df0 100644 --- a/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2 +++ b/roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2 @@ -25,7 +25,7 @@ uris = {{ ldap.uri }} dn = {{ dovecot.ldap_dn }} # Password for LDAP server, if dn is specified. -dnpass = {{ vault_dovecot_dnpass }} +dnpass = {{ vault.dovecot_dnpass }} # Use SASL binding instead of the simple binding. Note that this changes # ldap_version automatically to be 3 if it's lower. Also note that SASL binds diff --git a/vars_plugins/vault_cranspasswords.ini b/vars_plugins/vault_cranspasswords.ini deleted file mode 100644 index d0fd8b7f..00000000 --- a/vars_plugins/vault_cranspasswords.ini +++ /dev/null @@ -1,6 +0,0 @@ -# Ansible Vault CransPasswords settings -# - -[cranspasswords] -#: Commande exécutée sur le client pour appeler le script sur le serveur distant. -server_cmd=/usr/bin/env ssh tealc.adm.crans.org sudo -n /usr/local/bin/cpasswords-server diff --git a/vars_plugins/vault_cranspasswords.py b/vars_plugins/vault_cranspasswords.py deleted file mode 100755 index 9f5c6ddb..00000000 --- a/vars_plugins/vault_cranspasswords.py +++ /dev/null 
@@ -1,139 +0,0 @@ -#!/usr/bin/env python - -# (c) 2019 Cr@ns <roots@crans.org> -# Authors : Alexandre IOOSS <erdnaxe@crans.org> -# Based on cranspasswords by : Daniel Stan <daniel.stan@crans.org> -# Vincent Le Gallic <legallic@crans.org> -# -# This file is part of Cr@ns ansible deployment - -""" -Ansible Vault CransPasswords script. -======================================== - -Returns Ansible variables gpg encrypted and stored within cranspasswords. -See https://gitlab.crans.org/nounous/cranspasswords - -Configuration is read from `vault_cranspasswords.ini`. -""" - -import json -import os -import subprocess -import sys - -from ansible.errors import AnsibleError, AnsibleParserError -from ansible.module_utils._text import to_native -from ansible.module_utils.six.moves import configparser -from ansible.plugins.vars import BaseVarsPlugin - -DOCUMENTATION = ''' - module: vault_cranspasswords - vars: vault_cranspasswords - version_added: "2.7" - short_description: In charge of loading variables stored within cranspasswords - description: - - Works exactly as a vault, loading variables from cranspasswords. - - Decrypts the YAML file `ansible_vault` from cranspasswords. - - Loads the secret variables. - - Makes use of data caching in order to avoid calling cranspasswords multiple times. - - Uses the local gpg key from the user running ansible on the Control node. - options: {} -''' - - -class VarsModule(BaseVarsPlugin): - @staticmethod - def gpg_decrypt(crypt_text): - """ - Decrypt the text in argument using gpg. - """ - full_command = ['gpg', '-d'] - proc = subprocess.Popen(full_command, - stdin=subprocess.PIPE, - stdout=subprocess.PIPE, - stderr=sys.stderr, - close_fds=True) - proc.stdin.write(crypt_text.encode()) - proc.stdin.close() - clear_text = proc.stdout.read().decode() - return clear_text - - def getfile_command(self, filename): - """ - Run the command on the remote cranspasswords server, and return the output. 
- """
- # Get full command from settings file
- try:
- command = self.config.get('cranspasswords', 'server_cmd').split(" ")
- except configparser.NoSectionError as e:
- raise AnsibleParserError(to_native(e))
- command.append("getfiles")
- proc = subprocess.Popen(
- command,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=sys.stderr,
- close_fds=True
- )
- proc.stdin.write(json.dumps([filename]).encode())
- proc.stdin.flush()
-
- raw_out, raw_err = proc.communicate()
- ret = proc.returncode
-
- if ret != 0:
- raise AnsibleError("Bad return code on the serveur side")
- try:
- answer = json.loads(raw_out.strip())
- return answer[0]
- except ValueError:
- raise AnsibleError("Unable to parse the result")
-
- def get_encrypted(self, filename):
- """
- Get encrypted content of a cranspasswords file
- """
- gotit, value = self.getfile_command(filename) # if not gotit, value contains the error message
- if not gotit:
- raise AnsibleError("Unable to get the file : {}".format(to_native(value)))
- else:
- crypt_text = value['contents']
- return crypt_text
-
- def __init__(self):
- super().__init__()
-
- # Load config
- self.config = configparser.ConfigParser()
- self.config.read(os.path.dirname(os.path.realpath(__file__))
- + '/vault_cranspasswords.ini')
-
- def get_vars(self, loader, path, entities):
- """
- Get all vars for entities, called by Ansible.
-
- loader: Ansible's DataLoader.
- path: Current play's playbook directory.
- entities: Host or group names pertinent to the variables needed.
- """
- # VarsModule objects are called every time you need host vars, per host,
- # and per group the host is part of.
- # It is about 6 times per host per task in current state
- # of Ansible Crans configuration.
-
- # It is way to much.
- # So we cache the data into the DataLoader (see parsing/DataLoader).
-
- super().get_vars(loader, path, entities)
-
- if 'cranspasswords' not in loader._FILE_CACHE:
- # Get text then decrypt and return
- crypt_text = self.get_encrypted('ansible_vault')
- clear_text = self.gpg_decrypt(crypt_text)
- data = loader.load(clear_text)
- loader._FILE_CACHE['cranspasswords'] = data
- else:
- data = loader._FILE_CACHE['cranspasswords']
-
- return data
-- GitLab