diff --git a/config/ansible/README.md b/config/ansible/README.md index 6033029..3c9aa1c 100644 --- a/config/ansible/README.md +++ b/config/ansible/README.md @@ -5,21 +5,7 @@ This Ansible configuration includes a custom lookup plugin for fetching secrets from 1Password. The 1Password CLI must be installed and authenticated on the machine running Ansible. -### Usage - -```yaml -# Simple password lookup -password: "{{ lookup('onepassword', 'item-name') }}" - -# Fetch specific field -api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}" - -# Fetch from specific vault (using vault ID) -database_password: "{{ lookup('onepassword', 'database', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') }}" - -# Fetch a field without revealing it (for non-password fields) -note: "{{ lookup('onepassword', 'item-name', field='notes', reveal=false) }}" -``` +See [1Password Integration Readme](plugins/lookup/README.md) ### Prerequisites diff --git a/config/ansible/plugins/lookup/README.md b/config/ansible/plugins/lookup/README.md new file mode 100644 index 0000000..1395349 --- /dev/null +++ b/config/ansible/plugins/lookup/README.md 
@@ -0,0 +1,52 @@ +# OnePassword Lookup Plugin + +This Ansible lookup plugin allows you to securely fetch secrets from 1Password using the 1Password CLI. + +## Requirements + +- 1Password CLI (`op`) must be installed and available in your PATH +- You must be signed in to 1Password CLI (`op signin`) + +## Usage + +The lookup plugin accepts a 1Password reference string in the format `op://vault/item/field`. + +```yaml +- name: Fetch a secret from 1Password + debug: + msg: "{{ lookup('onepassword', 'op://vault/item/password') }}" +``` + +## Examples + +### Fetch a password + +```yaml +- name: Fetch API key + debug: + msg: "{{ lookup('onepassword', 'op://My Vault/API Credentials/token') }}" +``` + +### Using with templates + +```yaml +# In your template file (e.g., config.j2) +api_key: "{{ lookup('onepassword', 'op://My Vault/API Credentials/token') }}" +``` + +### Multiple secrets + +```yaml +- name: Fetch multiple secrets + debug: + msg: + - "{{ lookup('onepassword', 'op://vault/item1/field') }}" + - "{{ lookup('onepassword', 'op://vault/item2/field') }}" +``` + +## Error Handling + +The plugin will raise an error if: +- The reference doesn't start with `op://` +- The secret is not found in 1Password +- There's an error executing the 1Password CLI diff --git a/config/ansible/tasks/servers/cifs.yml b/config/ansible/tasks/servers/cifs.yml index de05909..5deb88f 100644 --- a/config/ansible/tasks/servers/cifs.yml +++ b/config/ansible/tasks/servers/cifs.yml @@ -20,7 +20,7 @@ dest: /root/.smbcredentials content: | username=u451316 - password={{ lookup('onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', vault='j7nmhqlsjmp2r6umly5t75hzb4') | default('CHANGE_ME') }} + password={{ lookup('onepassword', 'op://j7nmhqlsjmp2r6umly5t75hzb4/5j5y5axfjr3f3sn5nixb6htg4y/new_password') }} mode: '0600' - name: Add fstab entry for storage-box
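Review bot: the `### Usage` block removed from config/ansible/README.md documented the `lookup('onepassword', 'item-name', field=..., vault=..., reveal=...)` call form, while the new plugins/lookup/README.md states that a reference not starting with `op://` raises an error, so the call syntax has changed incompatibly and neither file says so. Add a short migration line next to the new link, for example that `item-name` with `field=` and `vault=` becomes `op://vault/item/field`, and state whether `reveal=false` has an equivalent in the new form.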
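Review bot: the examples under `## Usage`, `### Fetch a password` and `### Multiple secrets` in config/ansible/plugins/lookup/README.md all pass the lookup result to `debug: msg:`, which writes the secret to the play output and to any log that captures it. Readers tend to copy README examples verbatim, so show the lookup feeding a variable or module parameter on a task that sets `no_log: true` instead. The `### Using with templates` example could also note that the rendered file then holds the secret in clear text, so its destination needs restrictive permissions.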
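Review bot: in config/ansible/tasks/servers/cifs.yml the replacement `password=` line reads the field `new_password`, whereas the old call named no field and the new README examples use `password` or `token`; confirm that this field exists on item `5j5y5axfjr3f3sn5nixb6htg4y`, and rename it if it is a leftover from a rotation. Dropping `| default('CHANGE_ME')` removes any path on which a placeholder password could be written to `/root/.smbcredentials`, which is the safer behaviour. The task renders the secret into `content:`, so if `no_log: true` is not already set outside the visible context, add it to keep the value out of diff and verbose output.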