From 000f6259888bc1037157225a8ff9a099eaf78e93 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 8 Apr 2024 15:06:18 +0200
Subject: [PATCH] Move VM secrets to a separate password store directory

---
 roles/certbot_dns/tasks/main.yml | 4 ++--
 roles/certbot_dns/templates/certbot-auth.j2 | 2 +-
 roles/certbot_dns/templates/certbot-cleanup.j2 | 2 +-
 roles/firewall_master/tasks/web.yml | 2 +-
 roles/firewall_master/templates/settings.json.j2 | 10 +++++-----
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/roles/certbot_dns/tasks/main.yml b/roles/certbot_dns/tasks/main.yml
index 4604dbc..f60cb12 100644
--- a/roles/certbot_dns/tasks/main.yml
+++ b/roles/certbot_dns/tasks/main.yml
@@ -28,8 +28,8 @@
 command: ktutil
 responses:
 '.*:':
- - 'add_entry -password -p {{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
- - '{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_pass") }}'
+ - 'add_entry -password -p {{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
+ - '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}'
 - 'write_kt /etc/krb5.keytab'
 - 'exit'
 args:
diff --git a/roles/certbot_dns/templates/certbot-auth.j2 b/roles/certbot_dns/templates/certbot-auth.j2
index 445a361..f0905e8 100644
--- a/roles/certbot_dns/templates/certbot-auth.j2
+++ b/roles/certbot_dns/templates/certbot-auth.j2
@@ -1,7 +1,7 @@
 #!/bin/sh
 dns={{ dns[0] }}
-ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
+ldap_user={{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}
 ttl=10
 kinit -k -t /etc/krb5.keytab "${ldap_user}"
diff --git a/roles/certbot_dns/templates/certbot-cleanup.j2 b/roles/certbot_dns/templates/certbot-cleanup.j2
index 8115664..2569b0e 100644
--- a/roles/certbot_dns/templates/certbot-cleanup.j2
+++ b/roles/certbot_dns/templates/certbot-cleanup.j2
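Review bot: The `responses` list of the ktutil task now feeds the `ldap_pass` entry from `vm/<inventory_hostname>` to the module as an argument, and nothing in this hunk shows `no_log: true` on that task; the task header sits above the hunk, so confirm it is set there or add `no_log: true`, otherwise the password is visible in verbose (`-vvv`) module-argument output and in callback logs. The `hosts/` to `vm/` move is repeated in the certbot-auth.j2 and certbot-cleanup.j2 hunks and the diffstat names only five files, so any `"hosts/"~inventory_hostname` lookup elsewhere in the repository would silently keep reading the old entries; a repository-wide grep before merging would settle that. Because the `passwordstore` lookup fails the play when an entry is missing, the `vm/<host>` entries must exist for every host these roles target before this is rolled out.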
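Review bot: The changed `ldap_user=` line renders the looked-up value into the `/bin/sh` script unquoted, so a principal containing whitespace or a shell metacharacter would break the assignment or be interpreted by the shell when the rendered script runs; the later `kinit` line already quotes `"${ldap_user}"`, so the assignment should match: `ldap_user={{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") | quote }}`. The same unquoted form appears in the certbot-cleanup.j2 hunk, whose lines run past the end of this view. The remainder of the script (the nsupdate section) is outside the hunk.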
@@ -1,7 +1,7 @@
 #!/bin/sh
 dns={{ dns[0] }}
-ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
+ldap_user={{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}
 kinit -k -t /etc/krb5.keytab "${ldap_user}"
 nsupdate -g <