From 47fb912c15ca3f82fe43ef02acf34952c9b64a64 Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Tue, 11 Mar 2025 15:54:31 +0100
Subject: [PATCH] feat: update Ansible configuration and add 1Password lookup plugin for secret management
---
config/ansible/README.md | 28 ++++++++
config/ansible/ansible.cfg | 5 +-
config/ansible/plugins/lookup/onepassword.py | 68 +++++++++++++++++++
.../ansible/tasks/global/openssh-server.yml | 16 -----
config/ansible/tasks/servers/cifs.yml | 8 +-
config/home-manager/workstation/dconf.nix | 5 ++
6 files changed, 106 insertions(+), 24 deletions(-)
create mode 100644 config/ansible/README.md
create mode 100644 config/ansible/plugins/lookup/onepassword.py
diff --git a/config/ansible/README.md b/config/ansible/README.md
new file mode 100644
index 0000000..5f6496e
--- /dev/null
+++ b/config/ansible/README.md
@@ -0,0 +1,28 @@
+# Ansible Configuration
+
+## 1Password Integration
+
+This Ansible configuration includes a custom lookup plugin for fetching secrets from 1Password.
+The 1Password CLI must be installed and authenticated on the machine running Ansible.
+
+### Usage
+
+```yaml
+# Simple password lookup
+password: "{{ lookup('onepassword', 'item-name') }}"
+
+# Fetch specific field
+api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
+
+# Fetch from specific vault
+database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
+```
+
+### Prerequisites
+
+1. Install 1Password CLI
+2. Sign in to 1Password using `op signin`
+3. Service account should be properly configured
+
+For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
+```
diff --git a/config/ansible/ansible.cfg b/config/ansible/ansible.cfg
index dd663fd..2324986 100644
--- a/config/ansible/ansible.cfg
+++ b/config/ansible/ansible.cfg
@@ -1,3 +1,6 @@
 [defaults]
-inventory = inventory.ini
+inventory = inventory
+roles_path = roles
+collections_paths = collections
+lookup_plugins = plugins/lookup
 retry_files_enabled = False
\ No newline at end of file
diff --git a/config/ansible/plugins/lookup/onepassword.py b/config/ansible/plugins/lookup/onepassword.py
new file mode 100644
index 0000000..a105b42
--- /dev/null
+++ b/config/ansible/plugins/lookup/onepassword.py
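Review bot: `collections_paths` on the new line is the deprecated plural spelling; ansible-core still accepts it but emits a deprecation warning, and the current key is `collections_path = collections`. The relative values on the `roles_path` and `lookup_plugins` lines appear to rely on ansible resolving them against the directory containing this ansible.cfg (which holds when the file is picked up from the working directory or via ANSIBLE_CONFIG), so a one-line comment such as `# paths are relative to this file's directory` would save the next reader from checking.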
@@ -0,0 +1,68 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+ name: onepassword
+ author: Menno
+ version_added: "1.0"
+ short_description: fetch secrets from 1Password
+ description:
+ - Uses the 1Password CLI to fetch secrets from 1Password
+ options:
+ item:
+ description: the item to fetch
+ required: true
+ field:
+ description: the field to fetch from the item
+ required: false
+ default: password
+ vault:
+ description: the vault to fetch from
+ required: false
+"""
+
+EXAMPLES = """
+- name: fetch password for an item
+ debug:
+ msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
+"""
+
+RETURN = """
+ _raw:
+ description: field data requested
+"""
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible.utils.display import Display
+import subprocess
+
+display = Display()
+
+class LookupModule(LookupBase):
+ def run(self, terms, variables=None, **kwargs):
+ if len(terms) != 1:
+ raise AnsibleError("onepassword lookup expects exactly one argument")
+
+ item = terms[0]
+ field = kwargs.get('field', 'password')
+ vault = kwargs.get('vault', '')
+
+ vault_arg = []
+ if vault:
+ vault_arg = ['--vault', vault]
+
+ cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg
+
+ display.vvv(f"Executing command: {' '.join(cmd)}")
+
+ try:
+ result = subprocess.run(
+ cmd,
+ capture_output=True,
+ text=True,
+ check=True
+ )
+ return [result.stdout.strip()]
+ except subprocess.CalledProcessError as e:
+ raise AnsibleError(f"Error fetching from 1Password: {e.stderr}")
diff --git a/config/ansible/tasks/global/openssh-server.yml b/config/ansible/tasks/global/openssh-server.yml
index 491ce3d..f97771e 100644
--- a/config/ansible/tasks/global/openssh-server.yml
+++ b/config/ansible/tasks/global/openssh-server.yml
@@ -1,4 +1,3 @@
----
 - name: Ensure openssh-server is installed ansible.builtin.package: name: openssh-server
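Review bot: A missing `op` binary escapes `run` as a raw FileNotFoundError traceback instead of an AnsibleError, because the `except` at the end of the method only catches `subprocess.CalledProcessError`; add `except FileNotFoundError as exc:` / `raise AnsibleError("1Password CLI 'op' not found in PATH") from exc` beside it. `result.stdout.strip()` also trims leading and trailing spaces that may legitimately be part of the secret, whereas `result.stdout.rstrip("\n")` removes only the newline the CLI appends. Depending on the installed `op` CLI version, concealed fields may be printed masked unless `--reveal` is passed, which is worth confirming against the version the README prerequisites assume. The options declared in DOCUMENTATION are read straight from `kwargs` rather than through `self.set_options(var_options=variables, direct=kwargs)` and `self.get_option(...)`, so Ansible never validates or defaults them; the latter is the conventional shape for a lookup plugin.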
@@ -12,24 +11,9 @@
 group: root mode: '0644' validate: '/usr/sbin/sshd -t -f %s' - notify: Restart SSH service - name: Ensure SSH service is enabled and running ansible.builtin.service: name: ssh state: started enabled: true - -# Handlers -- name: Handlers - ansible.builtin.meta: flush_handlers - -- name: Handlers block - tags: - - always - block: - - name: Restart SSH service - ansible.builtin.service: - name: ssh - state: restarted - listen: Restart SSH service
diff --git a/config/ansible/tasks/servers/cifs.yml b/config/ansible/tasks/servers/cifs.yml
index f7502bd..4471f54 100644
--- a/config/ansible/tasks/servers/cifs.yml
+++ b/config/ansible/tasks/servers/cifs.yml
@@ -18,7 +18,7 @@
 dest: /root/.smbcredentials content: | username=u451316 - password={{ storage_box_password | default('CHANGE_ME') }} + password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }} mode: '0600' - name: Add fstab entry for storage-box
@@ -30,12 +30,6 @@
 state: present notify: Systemctl daemon-reload -- name: Mount storage-box - become: true - ansible.builtin.mount: - path: /mnt/storage-box - src: //u451316.your-storagebox.de/backup - fstype: cifs - name: Mount storage-box become: true ansible.builtin.mount:
diff --git a/config/home-manager/workstation/dconf.nix b/config/home-manager/workstation/dconf.nix
index c280cf5..3ae481c 100644
--- a/config/home-manager/workstation/dconf.nix
+++ b/config/home-manager/workstation/dconf.nix
@@ -36,6 +36,11 @@
 show-desktop-icons = true; }; + "org/gnome/Ptyxis" = { + use-system-font = false; + font-name = "Hack Nerd Font Mono 13"; + }; + "org/gnome/desktop/applications/file-manager" = { exec = "nautilus"; };
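Review bot: The `| default('CHANGE_ME')` kept on the new `password=` line in cifs.yml no longer has any effect: the lookup raises an error when `op` fails rather than yielding an undefined value, so a failed fetch now aborts the task instead of writing the placeholder, and the filter should be dropped so that behaviour is explicit. Since the template now contains a live secret, the task that writes `/root/.smbcredentials` should also carry `no_log: true` (and `diff: false`) so the credential does not surface in verbose or `--diff` output; the task header sits above this hunk, so whether it already does cannot be seen here.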