certbot_dns: move secrets to password store

roles/certbot_dns/tasks/main.yml

@@ -27,11 +27,11 @@
   expect:
     command: ktutil
     responses:
-      ".*:":
-        - "add_entry -password -p {{ ldap_user }} -k 1 -e aes256-cts-hmac-sha1-96"
-        - "{{ ldap_pass }}"
-        - "write_kt /etc/krb5.keytab"
-        - "exit"
+      '.*:':
+        - 'add_entry -password -p {{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
+        - '{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_pass") }}'
+        - 'write_kt /etc/krb5.keytab'
+        - 'exit'
   args:
     creates: /etc/krb5.keytab
 

roles/certbot_dns/templates/certbot-auth.j2

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 dns={{ dns[0] }}
-ldap_user={{ ldap_user }}
+ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
 ttl=10
 
 kinit -k -t /etc/krb5.keytab "${ldap_user}"

roles/certbot_dns/templates/certbot-cleanup.j2

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 dns={{ dns[0] }}
-ldap_user={{ ldap_user }}
+ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
 
 kinit -k -t /etc/krb5.keytab "${ldap_user}"
 nsupdate -g <<EOF