From d94e79f8b799f2a0abeecde489f9e13ef3791c15 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 13 Feb 2024 13:13:33 +0100
Subject: [PATCH] certbot_dns: move secrets to password store
---
 roles/certbot_dns/tasks/main.yml | 10 +++++-----
 roles/certbot_dns/templates/certbot-auth.j2 | 2 +-
 roles/certbot_dns/templates/certbot-cleanup.j2 | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/certbot_dns/tasks/main.yml b/roles/certbot_dns/tasks/main.yml
index 17b9c55..4604dbc 100644
--- a/roles/certbot_dns/tasks/main.yml
+++ b/roles/certbot_dns/tasks/main.yml
@@ -27,11 +27,11 @@
 expect:
 command: ktutil
 responses:
-".*:":
-- "add_entry -password -p {{ ldap_user }} -k 1 -e aes256-cts-hmac-sha1-96"
-- "{{ ldap_pass }}"
-- "write_kt /etc/krb5.keytab"
-- "exit"
+'.*:':
+- 'add_entry -password -p {{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
+- '{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_pass") }}'
+- 'write_kt /etc/krb5.keytab'
+- 'exit'
 args:
 creates: /etc/krb5.keytab
diff --git a/roles/certbot_dns/templates/certbot-auth.j2 b/roles/certbot_dns/templates/certbot-auth.j2
index 8400b5f..445a361 100644
--- a/roles/certbot_dns/templates/certbot-auth.j2
+++ b/roles/certbot_dns/templates/certbot-auth.j2
@@ -1,7 +1,7 @@
 #!/bin/sh
 dns={{ dns[0] }}
-ldap_user={{ ldap_user }}
+ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
 ttl=10
 kinit -k -t /etc/krb5.keytab "${ldap_user}"
diff --git a/roles/certbot_dns/templates/certbot-cleanup.j2 b/roles/certbot_dns/templates/certbot-cleanup.j2
index 44f6064..8115664 100644
--- a/roles/certbot_dns/templates/certbot-cleanup.j2
+++ b/roles/certbot_dns/templates/certbot-cleanup.j2
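Review bot: The LDAP password that the new `'{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_pass") }}'` response feeds to ktutil is still part of the task's `responses` argument, which Ansible includes in the module invocation it prints at `-v` and in the task result on failure; unless the task already sets `no_log: true` (its `- name:` line sits above the hunk), add `no_log: true` beside `expect:`. Moving the value from inventory into pass changes where it is stored, not where it gets printed. Worth checking as well: if the pass entry lacks the `ldap_pass` subkey, the lookup's default behaviour yields an empty value rather than a failure, so ktutil would write a keytab for an empty password; `missing_subkey="error"` (in newer community.general releases) or an `assert` on the looked-up value before this task makes that loud. Because `creates: /etc/krb5.keytab` guards the task, a keytab written from a wrong value would not be regenerated on a later run.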
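Review bot: The rendered `ldap_user=...` line is an unquoted shell assignment, so a principal name containing whitespace or a shell metacharacter would be split or expanded when the lookup value is substituted; `ldap_user='{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}'` keeps the rendered value literal. The same line is repeated in certbot-cleanup.j2 and the `hosts/<inventory_hostname>` path is also spelled out in tasks/main.yml, so one role variable holding the lookup would keep the three copies from drifting. Nothing secret lands in the rendered script, since kinit authenticates from the keytab and the username is only an identifier.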
@@ -1,7 +1,7 @@
 #!/bin/sh
 dns={{ dns[0] }}
-ldap_user={{ ldap_user }}
+ldap_user={{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }}
 kinit -k -t /etc/krb5.keytab "${ldap_user}"
 nsupdate -g <