Factor out password store retrieval

Timotej Lazar 2024-07-04 15:31:25 +02:00
parent 973522c373
commit f10d94612f
7 changed files with 18 additions and 21 deletions


@ -19,3 +19,7 @@
set_fact: set_fact:
cluster_services: '{{ (cluster_services|default([])) + query("netbox.netbox.nb_lookup", "services", raw_data=true, api_filter="id="+item) }}' cluster_services: '{{ (cluster_services|default([])) + query("netbox.netbox.nb_lookup", "services", raw_data=true, api_filter="id="+item) }}'
loop: '{{ cluster.custom_fields.services | map(attribute="id") | map("string") }}' loop: '{{ cluster.custom_fields.services | map(attribute="id") | map("string") }}'
- name: Fetch passwords
set_fact:
password: '{{ lookup("passwordstore", ("vm/" if is_virtual else "host/")~inventory_hostname, returnall=true) | from_yaml }}'
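Review bot: The new `Fetch passwords` task keeps the entire decrypted pass entry in the `password` fact, and `set_fact` returns that value in its `ansible_facts` result, so a run at `-v` or above prints every secret in the entry to the log; add `no_log: true` to the task. The forgejo, friwall, netbox and synapse hunks in this commit now read `password.<key>` from this fact instead of doing their own lookup, so as far as can be seen here a play that reaches those tasks without this one having run first only fails at the first use with an undefined-variable error; a short `- assert: { that: password is defined }` at the top of those task lists would make the dependency explicit. The enclosing play starts above the hunk.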


@ -61,10 +61,6 @@
become: yes become: yes
become_user: forgejo become_user: forgejo
block: block:
- name: Get passwords
set_fact:
password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
- name: Create admin user - name: Create admin user
command: | command: |
forgejo admin user create --admin forgejo admin user create --admin


@ -23,7 +23,7 @@
become_method: su become_method: su
become_flags: "-s /bin/sh" become_flags: "-s /bin/sh"
git: git:
repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}' repo: '{{ password.friwall_repo }}'
dest: /srv/friwall/app dest: /srv/friwall/app
force: yes force: yes
notify: reload uwsgi notify: reload uwsgi
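Review bot: `repo: '{{ password.friwall_repo }}'` now takes its value from the pass entry parsed as YAML (`returnall=true | from_yaml` where the fact is set) instead of the raw text the `subkey` lookup returned, so YAML typing applies to every value in that entry: an all-digit or leading-zero value, a date-like value, or `yes`/`no`/`on`/`off` is retyped, and a value containing `: ` or ` #` no longer round-trips as the same string. The friwall JSON template and the netbox `password.*` lines in this commit are exposed the same way. A comment at the task that sets the fact, `# entry is parsed as YAML: keep digit-, boolean- and date-like values quoted in the store`, would record the constraint; a `| string` on each use restores the type but not a form already lost (`0644` → `644`). The git task begins above the hunk.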


@ -1,10 +1,10 @@
{ {
"ldap_host": "{{ domain }}", "ldap_host": "{{ domain }}",
"ldap_user": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}", "ldap_user": "{{ password.ldap_user }}",
"ldap_pass": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}", "ldap_pass": "{{ password.ldap_pass }}",
"ldap_base_dn": "{{ ldap_base_dn }}", "ldap_base_dn": "{{ ldap_base_dn }}",
"oidc_server": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_server") }}", "oidc_server": "{{ password.oidc_server }}",
"oidc_client_id": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_id") }}", "oidc_client_id": "{{ password.oidc_client_id }}",
"oidc_client_secret": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_secret") }}", "oidc_client_secret": "{{ password.oidc_client_secret }}",
"wg_net": "{{ wg_net }}" "wg_net": "{{ wg_net }}"
} }
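Review bot: The secrets are interpolated into the JSON document as bare `"{{ password.ldap_pass }}"`, so a value containing `"` or `\` renders invalid JSON and the consumer fails to parse its config; the commit changes where the value comes from but not how it is emitted. Rendering each value with the `to_json` filter and dropping the hand-written quotes (the filter emits them) escapes the string correctly; this applies to `ldap_user`, `ldap_pass`, `oidc_server`, `oidc_client_id` and `oidc_client_secret`. The non-secret `domain`, `ldap_base_dn` and `wg_net` lines are left as they are.
```json
  "ldap_user": {{ password.ldap_user | to_json }},
  "ldap_pass": {{ password.ldap_pass | to_json }},
  "oidc_server": {{ password.oidc_server | to_json }},
  "oidc_client_id": {{ password.oidc_client_id | to_json }},
  "oidc_client_secret": {{ password.oidc_client_secret | to_json }},
```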


@ -84,11 +84,11 @@
- key: "^REMOTE_AUTH_BACKEND =" - key: "^REMOTE_AUTH_BACKEND ="
line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'" line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
- key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT =" - key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_endpoint') }}'" line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ password.oidc_endpoint }}'"
- key: "^SOCIAL_AUTH_OIDC_KEY =" - key: "^SOCIAL_AUTH_OIDC_KEY ="
line: "SOCIAL_AUTH_OIDC_KEY = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_id') }}'" line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
- key: "^SOCIAL_AUTH_OIDC_SECRET =" - key: "^SOCIAL_AUTH_OIDC_SECRET ="
line: "SOCIAL_AUTH_OIDC_SECRET = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_secret') }}'" line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
# TODO the key should really be upn but it doesn’t seem to work # TODO the key should really be upn but it doesn’t seem to work
- key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY =" - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'" line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
@ -113,10 +113,10 @@
import sys import sys
from users.models import User from users.models import User
#from django.contrib.auth.models import User #from django.contrib.auth.models import User
username = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') }}' username = '{{ password.admin_user }}'
if not User.objects.filter(username=username): if not User.objects.filter(username=username):
User.objects.create_superuser(username, '', # TODO email User.objects.create_superuser(username, '', # TODO email
'{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') }}') '{{ password.admin_pass }}')
sys.exit(1) sys.exit(1)
register: result register: result
changed_when: result.rc != 0 changed_when: result.rc != 0
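Review bot: `SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'` writes the secret into a Python single-quoted literal with no escaping, so a value containing `'` or `\` produces a syntax error in the generated configuration; the `admin_pass` literal in the second hunk (`'{{ password.admin_pass }}'`) has the same problem. Rendering them as `{{ password.oidc_client_secret | to_json }}` and `{{ password.admin_pass | to_json }}` without the surrounding quotes yields a double-quoted literal with escapes that Python also accepts. If these `key`/`line` items are iterated by a loop, the rendered `line` carrying the secret presumably appears in each item's task output unless that task has `no_log: true`. Both enclosing tasks start above and continue below their hunks.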


@ -6,11 +6,11 @@ import re
import ldap3 import ldap3
{% set password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %} {% set cluster_password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %}
realm = '{{ hostvars[inventory_hostname]["sync-ldap"] }}' realm = '{{ hostvars[inventory_hostname]["sync-ldap"] }}'
ldap_host = '{{ domain }}' ldap_host = '{{ domain }}'
ldap_user = '{{ password.ldap_user }}' ldap_user = '{{ cluster_password.ldap_user }}'
ldap_pass = '{{ password.ldap_pass }}' ldap_pass = '{{ cluster_password.ldap_pass }}'
ldap_base = '{{ domain | split(".") | map("regex_replace", "^", "dc=") | join(",") }}' ldap_base = '{{ domain | split(".") | map("regex_replace", "^", "dc=") | join(",") }}'
# build LDAP query for users # build LDAP query for users


@ -1,6 +1,3 @@
- set_fact:
password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
- name: Install packages - name: Install packages
package: package:
name: synapse name: synapse