Factor out password store retrieval

2024-07-04 15:31:25 +02:00 · 2024-07-04 15:31:25 +02:00 · f10d94612f
parent 973522c373
commit f10d94612f
7 changed files with 18 additions and 21 deletions
--- a/roles/facts/tasks/main.yml
+++ b/roles/facts/tasks/main.yml
@ -19,3 +19,7 @@
          set_fact:
            cluster_services: '{{ (cluster_services|default([])) + query("netbox.netbox.nb_lookup", "services", raw_data=true, api_filter="id="+item) }}'
          loop: '{{ cluster.custom_fields.services | map(attribute="id") | map("string") }}'
+
+- name: Fetch passwords
+  set_fact:
+    password: '{{ lookup("passwordstore", ("vm/" if is_virtual else "host/")~inventory_hostname, returnall=true) | from_yaml }}'
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@ -61,10 +61,6 @@
  become: yes
  become_user: forgejo
  block:
-    - name: Get passwords
-      set_fact:
-        password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
-
    - name: Create admin user
      command: |
        forgejo admin user create --admin
--- a/roles/friwall/tasks/main.yml
+++ b/roles/friwall/tasks/main.yml
@ -23,7 +23,7 @@
  become_method: su
  become_flags: "-s /bin/sh"
  git:
-    repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}'
+    repo: '{{ password.friwall_repo }}'
    dest: /srv/friwall/app
    force: yes
  notify: reload uwsgi
--- a/roles/friwall/templates/settings.json.j2
+++ b/roles/friwall/templates/settings.json.j2
@ -1,10 +1,10 @@
 {
  "ldap_host": "{{ domain }}",
-  "ldap_user": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}",
-  "ldap_pass": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}",
+  "ldap_user": "{{ password.ldap_user }}",
+  "ldap_pass": "{{ password.ldap_pass }}",
  "ldap_base_dn": "{{ ldap_base_dn }}",
-  "oidc_server": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_server") }}",
-  "oidc_client_id": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_id") }}",
-  "oidc_client_secret": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_secret") }}",
+  "oidc_server": "{{ password.oidc_server }}",
+  "oidc_client_id": "{{ password.oidc_client_id }}",
+  "oidc_client_secret": "{{ password.oidc_client_secret }}",
  "wg_net": "{{ wg_net }}"
 }
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@ -84,11 +84,11 @@
    - key: "^REMOTE_AUTH_BACKEND ="
      line: "REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'"
    - key: "^SOCIAL_AUTH_OIDC_OIDC_ENDPOINT ="
-      line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_endpoint') }}'"
+      line: "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '{{ password.oidc_endpoint }}'"
    - key: "^SOCIAL_AUTH_OIDC_KEY ="
-      line: "SOCIAL_AUTH_OIDC_KEY = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_id') }}'"
+      line: "SOCIAL_AUTH_OIDC_KEY = '{{ password.oidc_client_id }}'"
    - key: "^SOCIAL_AUTH_OIDC_SECRET ="
-      line: "SOCIAL_AUTH_OIDC_SECRET = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='oidc_client_secret') }}'"
+      line: "SOCIAL_AUTH_OIDC_SECRET = '{{ password.oidc_client_secret }}'"
    # TODO the key should really be upn but it doesn’t seem to work
    - key: "^SOCIAL_AUTH_OIDC_USERNAME_KEY ="
      line: "SOCIAL_AUTH_OIDC_USERNAME_KEY = 'email'"
@ -113,10 +113,10 @@
      import sys
      from users.models import User
      #from django.contrib.auth.models import User
-      username = '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_user') }}'
+      username = '{{ password.admin_user }}'
      if not User.objects.filter(username=username):
          User.objects.create_superuser(username, '', # TODO email
-              '{{ lookup('passwordstore', 'vm/'~inventory_hostname, subkey='admin_pass') }}')
+              '{{ password.admin_pass }}')
          sys.exit(1)
  register: result
  changed_when: result.rc != 0
--- a/roles/proxmox/templates/sync-ldap.py.j2
+++ b/roles/proxmox/templates/sync-ldap.py.j2
@ -6,11 +6,11 @@ import re

 import ldap3

-{% set password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %}
+{% set cluster_password = lookup('passwordstore', "cluster/"+cluster.name, returnall=true) | from_yaml %}
 realm = '{{ hostvars[inventory_hostname]["sync-ldap"] }}'
 ldap_host = '{{ domain }}'
-ldap_user = '{{ password.ldap_user }}'
-ldap_pass = '{{ password.ldap_pass }}'
+ldap_user = '{{ cluster_password.ldap_user }}'
+ldap_pass = '{{ cluster_password.ldap_pass }}'
 ldap_base = '{{ domain | split(".") | map("regex_replace", "^", "dc=") | join(",") }}'

 # build LDAP query for users
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@ -1,6 +1,3 @@
- set_fact:
-    password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
-
 - name: Install packages
  package:
    name: synapse