feat: update Ansible configuration and add 1Password lookup plugin for secret management

2025-03-11 15:54:31 +01:00 · 2025-03-11 15:54:31 +01:00 · 47fb912c15
commit 47fb912c15
parent 6816f125eb
6 changed files with 106 additions and 24 deletions
--- a/config/ansible/README.md
+++ b/config/ansible/README.md
@ -0,0 +1,28 @@
+# Ansible Configuration
+
+## 1Password Integration
+
+This Ansible configuration includes a custom lookup plugin for fetching secrets from 1Password. 
+The 1Password CLI must be installed and authenticated on the machine running Ansible.
+
+### Usage
+
+```yaml
+# Simple password lookup
+password: "{{ lookup('onepassword', 'item-name') }}"
+
+# Fetch specific field
+api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
+
+# Fetch from specific vault
+database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
+```
+
+### Prerequisites
+
+1. Install 1Password CLI
+2. Sign in to 1Password using `op signin`
+3. Service account should be properly configured
+
+For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
+```
--- a/config/ansible/ansible.cfg
+++ b/config/ansible/ansible.cfg
@ -1,3 +1,6 @@
 [defaults]
-inventory = inventory.ini
+inventory = inventory
+roles_path = roles
+collections_paths = collections
+lookup_plugins = plugins/lookup
 retry_files_enabled = False
--- a/config/ansible/plugins/lookup/onepassword.py
+++ b/config/ansible/plugins/lookup/onepassword.py
@ -0,0 +1,68 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+    name: onepassword
+    author: Menno
+    version_added: "1.0"
+    short_description: fetch secrets from 1Password
+    description:
+        - Uses the 1Password CLI to fetch secrets from 1Password
+    options:
+        item:
+            description: the item to fetch
+            required: true
+        field:
+            description: the field to fetch from the item
+            required: false
+            default: password
+        vault:
+            description: the vault to fetch from
+            required: false
+"""
+
+EXAMPLES = """
+- name: fetch password for an item
+  debug:
+    msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
+"""
+
+RETURN = """
+  _raw:
+    description: field data requested
+"""
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible.utils.display import Display
+import subprocess
+
+display = Display()
+
+class LookupModule(LookupBase):
+    def run(self, terms, variables=None, **kwargs):
+        if len(terms) != 1:
+            raise AnsibleError("onepassword lookup expects exactly one argument")
+        
+        item = terms[0]
+        field = kwargs.get('field', 'password')
+        vault = kwargs.get('vault', '')
+        
+        vault_arg = []
+        if vault:
+            vault_arg = ['--vault', vault]
+
+        cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg
+        
+        display.vvv(f"Executing command: {' '.join(cmd)}")
+        
+        try:
+            result = subprocess.run(
+                cmd,
+                capture_output=True,
+                text=True,
+                check=True
+            )
+            return [result.stdout.strip()]
+        except subprocess.CalledProcessError as e:
+            raise AnsibleError(f"Error fetching from 1Password: {e.stderr}")
--- a/config/ansible/tasks/global/openssh-server.yml
+++ b/config/ansible/tasks/global/openssh-server.yml
@ -1,4 +1,3 @@
---
 - name: Ensure openssh-server is installed
  ansible.builtin.package:
    name: openssh-server
@ -12,24 +11,9 @@
    group: root
    mode: '0644'
    validate: '/usr/sbin/sshd -t -f %s'
-  notify: Restart SSH service

 - name: Ensure SSH service is enabled and running
  ansible.builtin.service:
    name: ssh
    state: started
    enabled: true
-
-# Handlers
- name: Handlers
-  ansible.builtin.meta: flush_handlers
-
- name: Handlers block
-  tags:
-    - always
-  block:
-    - name: Restart SSH service
-      ansible.builtin.service:
-        name: ssh
-        state: restarted
-      listen: Restart SSH service
--- a/config/ansible/tasks/servers/cifs.yml
+++ b/config/ansible/tasks/servers/cifs.yml
@ -18,7 +18,7 @@
    dest: /root/.smbcredentials
    content: |
      username=u451316
-      password={{ storage_box_password | default('CHANGE_ME') }}
+      password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }}
    mode: '0600'

 - name: Add fstab entry for storage-box
@ -30,12 +30,6 @@
    state: present
  notify: Systemctl daemon-reload

- name: Mount storage-box
-  become: true
-  ansible.builtin.mount:
-    path: /mnt/storage-box
-    src: //u451316.your-storagebox.de/backup
-    fstype: cifs
 - name: Mount storage-box
  become: true
  ansible.builtin.mount:
--- a/config/home-manager/workstation/dconf.nix
+++ b/config/home-manager/workstation/dconf.nix
@ -36,6 +36,11 @@
        show-desktop-icons = true;
      };

+      "org/gnome/Ptyxis" = {
+        use-system-font = false;
+        font-name = "Hack Nerd Font Mono 13";
+      };
+
      "org/gnome/desktop/applications/file-manager" = {
        exec = "nautilus";
      };