From 22bbda6b191e49d9f480794755fac25f506e2b04 Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Tue, 11 Mar 2025 21:50:40 +0100
Subject: [PATCH] feat: implement custom 1Password lookup plugin and update references in Ansible tasks
---
 config/ansible/plugins/lookup/README.md | 10 +++++-----
 .../lookup/{onepassword.py => my_1password.py} | 8 ++++----
 .../servers/services/golink/docker-compose.yml.j2 | 2 +-
 .../tasks/servers/services/hoarder/dotenv.j2 | 6 +++---
 config/ansible/tasks/servers/sshfs.yml | 14 +++++++++-----
 config/ansible/tests/test-onepassword-lookup.yml | 2 +-
 6 files changed, 23 insertions(+), 19 deletions(-)
 rename config/ansible/plugins/lookup/{onepassword.py => my_1password.py} (90%)
diff --git a/config/ansible/plugins/lookup/README.md b/config/ansible/plugins/lookup/README.md
index 1395349..a90ed51 100644
--- a/config/ansible/plugins/lookup/README.md
+++ b/config/ansible/plugins/lookup/README.md
@@ -14,7 +14,7 @@ The lookup plugin accepts a 1Password reference string in the format `op://vault
 ```yaml
 - name: Fetch a secret from 1Password
 debug:
- msg: "{{ lookup('onepassword', 'op://vault/item/password') }}"
+ msg: "{{ lookup('my_1password', 'op://vault/item/password') }}"
 ```
 ## Examples
@@ -24,14 +24,14 @@ The lookup plugin accepts a 1Password reference string in the format `op://vault
 ```yaml
 - name: Fetch API key
 debug:
- msg: "{{ lookup('onepassword', 'op://My Vault/API Credentials/token') }}"
+ msg: "{{ lookup('my_1password', 'op://My Vault/API Credentials/token') }}"
 ```
 ### Using with templates
 ```yaml
 # In your template file (e.g., config.j2)
-api_key: "{{ lookup('onepassword', 'op://My Vault/API Credentials/token') }}"
+api_key: "{{ lookup('my_1password', 'op://My Vault/API Credentials/token') }}"
 ```
 ### Multiple secrets
@@ -40,8 +40,8 @@ api_key: "{{ lookup('onepassword', 'op://My Vault/API Credentials/token') }}"
 - name: Fetch multiple secrets
 debug:
 msg:
- - "{{ lookup('onepassword', 'op://vault/item1/field') }}"
- - "{{ lookup('onepassword', 'op://vault/item2/field') }}"
+ - "{{ lookup('my_1password', 'op://vault/item1/field') }}"
+ - "{{ lookup('my_1password', 'op://vault/item2/field') }}"
 ```
 ## Error Handling
diff --git a/config/ansible/plugins/lookup/onepassword.py b/config/ansible/plugins/lookup/my_1password.py
similarity index 90%
rename from config/ansible/plugins/lookup/onepassword.py
rename to config/ansible/plugins/lookup/my_1password.py
index a306cd9..9b8bf2e 100644
--- a/config/ansible/plugins/lookup/onepassword.py
+++ b/config/ansible/plugins/lookup/my_1password.py
@@ -2,7 +2,7 @@ from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 DOCUMENTATION = """
- name: onepassword
+ name: my_1password
 author: Menno
 version_added: "1.0"
 short_description: fetch secrets from 1Password
@@ -17,15 +17,15 @@ DOCUMENTATION = """
 EXAMPLES = """
 - name: fetch password using 1Password reference
 debug:
- msg: "{{ lookup('onepassword', 'op://vault/item/password') }}"
+ msg: "{{ lookup('my_1password', 'op://vault/item/password') }}"
 - name: fetch username from item
 debug:
- msg: "{{ lookup('onepassword', 'op://vault/item/username') }}"
+ msg: "{{ lookup('my_1password', 'op://vault/item/username') }}"
 - name: fetch custom field
 debug:
- msg: "{{ lookup('onepassword', 'op://vault/item/custom_field') }}"
+ msg: "{{ lookup('my_1password', 'op://vault/item/custom_field') }}"
 """
 RETURN = """
diff --git a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2 b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
index 7ffcb71..f5a1e82 100644
--- a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
+++ b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
@@ -4,7 +4,7 @@ services:
 image: ghcr.io/tailscale/golink:main
 user: root
 environment:
- - TS_AUTHKEY={{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/GoLink/TS_AUTHKEY') }}
+ - TS_AUTHKEY={{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/GoLink/TS_AUTHKEY') }}
 volumes:
 - {{ golink_data_dir }}:/home/nonroot
 restart: "unless-stopped"
diff --git a/config/ansible/tasks/servers/services/hoarder/dotenv.j2 b/config/ansible/tasks/servers/services/hoarder/dotenv.j2
index 68dde83..b661468 100644
--- a/config/ansible/tasks/servers/services/hoarder/dotenv.j2
+++ b/config/ansible/tasks/servers/services/hoarder/dotenv.j2
@@ -7,6 +7,6 @@ NEXTAUTH_URL=http://localhost:3000
 DATA_DIR=/data
-NEXTAUTH_SECRET="{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/NEXTAUTH_SECRET') }}"
-MEILI_MASTER_KEY="{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/MEILI_MASTER_KEY') }}"
-OPENAI_API_KEY="{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/OPENAI_API_KEY') }}"
+NEXTAUTH_SECRET="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/NEXTAUTH_SECRET') }}"
+MEILI_MASTER_KEY="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/MEILI_MASTER_KEY') }}"
+OPENAI_API_KEY="{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/Hoarder/OPENAI_API_KEY') }}"
diff --git a/config/ansible/tasks/servers/sshfs.yml b/config/ansible/tasks/servers/sshfs.yml
index 0415102..e0e0bf2 100644
--- a/config/ansible/tasks/servers/sshfs.yml
+++ b/config/ansible/tasks/servers/sshfs.yml
@@ -1,12 +1,16 @@
 ---
 - name: Configure SSHFS
 block:
- - name: SSHFS Details
+ - name: Debug which plugin is being used
+ ansible.builtin.debug:
+ msg: "Using lookup plugins from: {{ lookup('pipe', 'ansible-config dump | grep DEFAULT_LOOKUP_PLUGIN_PATH') }}"
+
+ - name: Get SSHFS credentials via local lookup
+ delegate_to: localhost
 ansible.builtin.set_fact:
- # Use lookup with explicit plugin path to ensure our custom plugin is used
- sshfs_user: "{{ lookup('file', lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username')) }}"
- sshfs_pass: "{{ lookup('file', lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password')) }}"
- sshfs_host: "{{ lookup('file', lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host')) }}"
+ sshfs_user: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/username') }}"
+ sshfs_pass: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }}"
+ sshfs_host: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
 sshfs_port: 23
 remote_path: /mnt/storage-box
diff --git a/config/ansible/tests/test-onepassword-lookup.yml b/config/ansible/tests/test-onepassword-lookup.yml
index b2dd210..8f3ec66 100644
--- a/config/ansible/tests/test-onepassword-lookup.yml
+++ b/config/ansible/tests/test-onepassword-lookup.yml
@@ -8,7 +8,7 @@ tasks:
 - name: Test lookup with direct reference
 ansible.builtin.debug:
- msg: "{{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
+ msg: "{{ lookup('my_1password', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/host') }}"
 - name: Template with lookup
 ansible.builtin.template:
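Review bot: The `Get SSHFS credentials via local lookup` task assigns `sshfs_pass` from the 1Password lookup without `no_log: true`, so the secret is echoed in verbose runs (`-v` and above) and captured by any callback plugin that records task results; add `no_log: true` next to `delegate_to: localhost`. That `delegate_to: localhost` appears to be redundant here: lookup plugins always evaluate on the controller regardless of delegation, and `set_fact` performs no work on the target, so either drop the line or add a comment stating why it is kept. The new `Debug which plugin is being used` task shells out on every run via `lookup('pipe', 'ansible-config dump | grep DEFAULT_LOOKUP_PLUGIN_PATH')` and prints controller configuration into the play log, which reads as a leftover diagnostic; remove it or gate it with `when: ansible_verbosity > 0`. The enclosing `block:` continues past the end of the hunk.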