feat: update Ansible configuration and add 1Password lookup plugin for secret management

config/ansible/README.md

@@ -0,0 +1,28 @@
+# Ansible Configuration
+
+## 1Password Integration
+
+This Ansible configuration includes a custom lookup plugin for fetching secrets from 1Password. 
+The 1Password CLI must be installed and authenticated on the machine running Ansible.
+
+### Usage
+
+```yaml
+# Simple password lookup
+password: "{{ lookup('onepassword', 'item-name') }}"
+
+# Fetch specific field
+api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
+
+# Fetch from specific vault
+database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
+```
+
+### Prerequisites
+
+1. Install 1Password CLI
+2. Sign in to 1Password using `op signin`
+3. Service account should be properly configured
+
+For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
+```

config/ansible/ansible.cfg

@@ -1,3 +1,6 @@
 [defaults]
-inventory = inventory.ini
+inventory = inventory
+roles_path = roles
+collections_paths = collections
+lookup_plugins = plugins/lookup
 retry_files_enabled = False

config/ansible/plugins/lookup/onepassword.py

@@ -0,0 +1,68 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+    name: onepassword
+    author: Menno
+    version_added: "1.0"
+    short_description: fetch secrets from 1Password
+    description:
+        - Uses the 1Password CLI to fetch secrets from 1Password
+    options:
+        item:
+            description: the item to fetch
+            required: true
+        field:
+            description: the field to fetch from the item
+            required: false
+            default: password
+        vault:
+            description: the vault to fetch from
+            required: false
+"""
+
+EXAMPLES = """
+- name: fetch password for an item
+  debug:
+    msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
+"""
+
+RETURN = """
+  _raw:
+    description: field data requested
+"""
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible.utils.display import Display
+import subprocess
+
+display = Display()
+
+class LookupModule(LookupBase):
+    def run(self, terms, variables=None, **kwargs):
+        if len(terms) != 1:
+            raise AnsibleError("onepassword lookup expects exactly one argument")
+        
+        item = terms[0]
+        field = kwargs.get('field', 'password')
+        vault = kwargs.get('vault', '')
+        
+        vault_arg = []
+        if vault:
+            vault_arg = ['--vault', vault]
+
+        cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg
+        
+        display.vvv(f"Executing command: {' '.join(cmd)}")
+        
+        try:
+            result = subprocess.run(
+                cmd,
+                capture_output=True,
+                text=True,
+                check=True
+            )
+            return [result.stdout.strip()]
+        except subprocess.CalledProcessError as e:
+            raise AnsibleError(f"Error fetching from 1Password: {e.stderr}")

config/ansible/tasks/global/openssh-server.yml

@@ -1,4 +1,3 @@
----
 - name: Ensure openssh-server is installed
   ansible.builtin.package:
     name: openssh-server
@@ -12,24 +11,9 @@
     group: root
     mode: '0644'
     validate: '/usr/sbin/sshd -t -f %s'
-  notify: Restart SSH service
 
 - name: Ensure SSH service is enabled and running
   ansible.builtin.service:
     name: ssh
     state: started
     enabled: true
-
-# Handlers
-- name: Handlers
-  ansible.builtin.meta: flush_handlers
-
-- name: Handlers block
-  tags:
-    - always
-  block:
-    - name: Restart SSH service
-      ansible.builtin.service:
-        name: ssh
-        state: restarted
-      listen: Restart SSH service

config/ansible/tasks/servers/cifs.yml

@@ -18,7 +18,7 @@
     dest: /root/.smbcredentials
     content: |
       username=u451316
-      password={{ storage_box_password | default('CHANGE_ME') }}
+      password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }}
     mode: '0600'
 
 - name: Add fstab entry for storage-box
@@ -30,12 +30,6 @@
     state: present
   notify: Systemctl daemon-reload
 
-- name: Mount storage-box
-  become: true
-  ansible.builtin.mount:
-    path: /mnt/storage-box
-    src: //u451316.your-storagebox.de/backup
-    fstype: cifs
 - name: Mount storage-box
   become: true
   ansible.builtin.mount:

config/home-manager/workstation/dconf.nix

@@ -36,6 +36,11 @@
         show-desktop-icons = true;
       };
 
+      "org/gnome/Ptyxis" = {
+        use-system-font = false;
+        font-name = "Hack Nerd Font Mono 13";
+      };
+
       "org/gnome/desktop/applications/file-manager" = {
         exec = "nautilus";
       };