Implements new mechanism for gpg vault

The vault may now be split in multiple files under `ansible/{name}.gpg` and all
variables inside it will be loaded under `vault.name`.

vars_plugins/pass.py

@@ -6,6 +6,7 @@ import os
 from pathlib import Path
 import subprocess
 import sys
+import json
 
 from ansible.module_utils.six.moves import configparser
 from ansible.plugins.vars import BaseVarsPlugin
@@ -88,11 +89,32 @@ class VarsModule(BaseVarsPlugin):
 
         passwords = {}
 
+        config = configparser.ConfigParser()
+        config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
+
+        password_store = Path(config.get('pass', 'password_store_dir',
+            fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
+
+        password_store /= config.get('pass', 'crans_password_store_submodule',
+            fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
+
+        password_store /= '.last_group.json'
+
+        with open(password_store) as file:
+            files = json.load(file)
+
+        files = [ file for file in files if file.startswith('ansible/') ]
+
         for entity in entities:
             # Load vault passwords
             if entity.get_name() == 'all':
+                passwords['vault'] = {}
+                # Backward compatibility with old ansible_vault
                 passwords['vault'] = loader.load(
                         VarsModule.decrypt_password('ansible_vault', True))
+                for file in files:
+                    passwords['vault'][file.lstrip('ansible/')] = loader.load(
+                            VarsModule.decrypt_password(file, True))
 
             # Load become password
             become_password = VarsModule.become_password(entity)