feat: migrate 1Password lookup plugin to community.general.onepassword and remove deprecated files

2025-03-11 22:03:06 +01:00 · 2025-03-11 22:03:06 +01:00 · 02cf04b81a
commit 02cf04b81a
parent 94a2b35770
7 changed files with 7 additions and 164 deletions
--- a/config/ansible/ansible.cfg
+++ b/config/ansible/ansible.cfg
@ -2,5 +2,4 @@
 inventory = inventory
 roles_path = roles
 collections_paths = collections
 lookup_plugins = /home/menno/.dotfiles/config/ansible/plugins/lookup
 retry_files_enabled = False
--- a/config/ansible/plugins/lookup/README.md
+++ b/config/ansible/plugins/lookup/README.md
@ -1,52 +0,0 @@
 # OnePassword Lookup Plugin
 This Ansible lookup plugin allows you to securely fetch secrets from 1Password using the 1Password CLI.
 ## Requirements
 - 1Password CLI (`op`) must be installed and available in your PATH
 - You must be signed in to 1Password CLI (`op signin`)
 ## Usage
 The lookup plugin accepts a 1Password reference string in the format `op://vault/item/field`.
 ```yaml
 - name: Fetch a secret from 1Password
  debug:
    msg: "{{ lookup('my_1password', 'op://vault/item/password') }}"
 ```
 ## Examples
 ### Fetch a password
 ```yaml
 - name: Fetch API key
  debug:
    msg: "{{ lookup('my_1password', 'op://My Vault/API Credentials/token') }}"
 ```
 ### Using with templates
 ```yaml
 # In your template file (e.g., config.j2)
 api_key: "{{ lookup('my_1password', 'op://My Vault/API Credentials/token') }}"
 ```
 ### Multiple secrets
 ```yaml
 - name: Fetch multiple secrets
  debug:
    msg: 
      - "{{ lookup('my_1password', 'op://vault/item1/field') }}"
      - "{{ lookup('my_1password', 'op://vault/item2/field') }}"
 ```
 ## Error Handling
 The plugin will raise an error if:
 - The reference doesn't start with `op://`
 - The secret is not found in 1Password
 - There's an error executing the 1Password CLI
--- a/config/ansible/plugins/lookup/my_1password.py
+++ b/config/ansible/plugins/lookup/my_1password.py
@ -1,78 +0,0 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 DOCUMENTATION = """
    name: my_1password
    author: Menno
    version_added: "1.0"
    short_description: fetch secrets from 1Password
    description:
        - Uses the 1Password CLI to fetch secrets from 1Password using the op read command
    options:
        _terms:
            description: 1Password reference string (op://vault/item/field)
            required: true
 """
 EXAMPLES = """
 - name: fetch password using 1Password reference
  debug:
    msg: "{{ lookup('my_1password', 'op://vault/item/password') }}"
 - name: fetch username from item
  debug:
    msg: "{{ lookup('my_1password', 'op://vault/item/username') }}"
 - name: fetch custom field
  debug:
    msg: "{{ lookup('my_1password', 'op://vault/item/custom_field') }}"
 """
 RETURN = """
  _raw:
    description: field data requested
 """
 from ansible.errors import AnsibleError
 from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
 import subprocess
 display = Display()
 class LookupModule(LookupBase):
    def run(self, terms, variables=None, **kwargs):
        result = []
        for term in terms:
            if not term.startswith('op://'):
                raise AnsibleError(f"1Password reference must start with 'op://', got: {term}")
            cmd = ['op', 'read', term]
            display.vvv(f"Executing command: {' '.join(cmd)}")
            try:
                process = subprocess.run(
                    cmd,
                    capture_output=True,
                    text=True,
                    check=True
                )
                output = process.stdout.strip()
                display.vvv(f"1Password output for '{term}': '{output}'")
                if not output:
                    display.warning(f"1Password returned empty output for '{term}'")
                result.append(output)
            except subprocess.CalledProcessError as e:
                error_msg = e.stderr.strip()
                display.warning(f"Error executing 1Password CLI: {error_msg}")
                display.warning(f"Command used: {' '.join(cmd)}")
                if "not found" in error_msg:
                    raise AnsibleError(f"Secret referenced by '{term}' not found in 1Password")
                raise AnsibleError(f"Error fetching from 1Password: {error_msg}")
        return result
--- a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
+++ b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
@ -4,7 +4,7 @@ services:
    image: ghcr.io/tailscale/golink:main
    user: root
    environment:
-      - TS_AUTHKEY={{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/GoLink/TS_AUTHKEY') }}
+      - TS_AUTHKEY={{ lookup('community.general.onepassword', '4gsgavajnxfpcrjvbkqhoc4drm', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='TS_AUTHKEY') }}
    volumes:
      - {{ golink_data_dir }}:/home/nonroot
    restart: "unless-stopped"
--- a/config/ansible/tasks/servers/services/hoarder/dotenv.j2
+++ b/config/ansible/tasks/servers/services/hoarder/dotenv.j2
@ -7,6 +7,6 @@ NEXTAUTH_URL=http://localhost:3000
 DATA_DIR=/data
-NEXTAUTH_SECRET="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/NEXTAUTH_SECRET') }}"
+NEXTAUTH_SECRET="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='NEXTAUTH_SECRET') }}"
-MEILI_MASTER_KEY="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/MEILI_MASTER_KEY') }}"
+MEILI_MASTER_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MEILI_MASTER_KEY') }}"
-OPENAI_API_KEY="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/OPENAI_API_KEY') }}"
+OPENAI_API_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENAI_API_KEY') }}"
--- a/config/ansible/tasks/servers/sshfs.yml
+++ b/config/ansible/tasks/servers/sshfs.yml
@ -1,16 +1,11 @@
 ---
 - name: Configure SSHFS
  block:
    - name: Debug which plugin is being used
      ansible.builtin.debug:
        msg: "Using lookup plugins from: {{ lookup('pipe', 'ansible-config dump | grep DEFAULT_LOOKUP_PLUGIN_PATH') }}"
    - name: Get SSHFS credentials via local lookup
      delegate_to: localhost
      ansible.builtin.set_fact:
-        sshfs_user: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username') }}"
+        sshfs_user: "{{ lookup('community.general.onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='username') }}"
-        sshfs_pass: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }}"
+        sshfs_pass: "{{ lookup('community.general.onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}"
-        sshfs_host: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
+        sshfs_host: "{{ lookup('community.general.onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='host') }}"
        sshfs_port: 23
        remote_path: /mnt/storage-box
--- a/config/ansible/tests/test-onepassword-lookup.yml
+++ b/config/ansible/tests/test-onepassword-lookup.yml
@ -1,21 +0,0 @@
 ---
 - name: Test 1Password Lookup Plugin
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    hoarder_data_dir: /mnt/storage-box/services/hoarder
  tasks:
    - name: Test lookup with direct reference
      ansible.builtin.debug:
        msg: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
    - name: Template with lookup
      ansible.builtin.template:
        src: ../tasks/servers/services/hoarder/dotenv.j2
        dest: /tmp/.env
      register: op_direct
    - name: Print out the templated file
      ansible.builtin.debug:
        msg: "{{ lookup('file', '/tmp/.env') }}"