feat: add Hoarder service deployment with Docker Compose and 1Password integration

2025-03-11 20:16:36 +01:00
parent db5e18f453
commit 18ef12d9b3
3 changed files with 101 additions and 2 deletions
--- a/config/ansible/plugins/lookup/onepassword.py
+++ b/config/ansible/plugins/lookup/onepassword.py
@@ -11,7 +11,7 @@ DOCUMENTATION = """
    options:
        item:
            description: the item to fetch
-            required: true
+            required: false
        field:
            description: the field to fetch from the item
            required: false
@@ -23,6 +23,9 @@ DOCUMENTATION = """
            description: whether to reveal concealed fields
            required: false
            default: true
+        ref:
+            description: full 1Password reference (op://vault/item/field)
+            required: false
 """

 EXAMPLES = """
@@ -33,6 +36,10 @@ EXAMPLES = """
 - name: fetch password from specific vault
  debug:
    msg: "{{ lookup('onepassword', 'xxxx', field='password', vault='xxxx') }}"
+    
+- name: fetch using full reference
+  debug:
+    msg: "{{ lookup('onepassword', ref='op://vault/item/field') }}"
 """

 RETURN = """
@@ -49,8 +56,34 @@ display = Display()

 class LookupModule(LookupBase):
    def run(self, terms, variables=None, **kwargs):
+        ref = kwargs.get('ref')
+        
+        if ref:
+            # If ref is provided, use op read command
+            cmd = ['op', 'read', ref]
+            display.vvv(f"Executing command with reference: {' '.join(cmd)}")
+            
+            try:
+                result = subprocess.run(
+                    cmd,
+                    capture_output=True,
+                    text=True,
+                    check=True
+                )
+                return [result.stdout.strip()]
+            except subprocess.CalledProcessError as e:
+                error_msg = e.stderr.strip()
+                display.warning(f"Error executing 1Password CLI: {error_msg}")
+                display.warning(f"Command used: {' '.join(cmd)}")
+                
+                if "not found" in error_msg:
+                    return [f"Secret referenced by '{ref}' not found in 1Password"]
+                
+                raise AnsibleError(f"Error fetching from 1Password: {error_msg}")
+        
+        # If no ref is provided, fall back to the original behavior
        if len(terms) != 1:
-            raise AnsibleError("onepassword lookup expects exactly one argument")
+            raise AnsibleError("onepassword lookup expects exactly one argument when not using ref parameter")
        
        item = terms[0]
        field = kwargs.get('field', 'password')