diff --git a/config/ansible/README.md b/config/ansible/README.md
index 5f6496e..6033029 100644
--- a/config/ansible/README.md
+++ b/config/ansible/README.md
@@ -14,8 +14,11 @@ password: "{{ lookup('onepassword', 'item-name') }}"
 # Fetch specific field
 api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
 
-# Fetch from specific vault
-database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
+# Fetch from specific vault (using vault ID)
+database_password: "{{ lookup('onepassword', 'database', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') }}"
+
+# Fetch a field without revealing it (for non-password fields)
+note: "{{ lookup('onepassword', 'item-name', field='notes', reveal=false) }}"
 ```
 
 ### Prerequisites
@@ -24,5 +27,13 @@ database_password: "{{ lookup('onepassword', 'database', field='password', vault
 2. Sign in to 1Password using `op signin`
 3. Service account should be properly configured
 
+### Finding Vault IDs
+
+To find your vault ID:
+
+```bash
+op vault list
+```
+
 For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
 ```
diff --git a/config/ansible/plugins/lookup/onepassword.py b/config/ansible/plugins/lookup/onepassword.py
index a105b42..8ae35e2 100644
--- a/config/ansible/plugins/lookup/onepassword.py
+++ b/config/ansible/plugins/lookup/onepassword.py
@@ -17,14 +17,22 @@ DOCUMENTATION = """ required: false default: password vault: - description: the vault to fetch from + description: the vault to fetch from (name or ID) required: false + reveal: + description: whether to reveal concealed fields + required: false + default: true """ EXAMPLES = """ - name: fetch password for an item debug: - msg: "{{ lookup('onepassword', 'storage-box', field='password') }}" + msg: "{{ lookup('onepassword', 'xxxx', field='password') }}" + +- name: fetch password from specific vault + debug: + msg: "{{ lookup('onepassword', 'xxxx', field='password', vault='xxxx') }}" """ RETURN = """ @@ -47,12 +55,17 @@ class LookupModule(LookupBase): item = terms[0] field = kwargs.get('field', 'password') vault = kwargs.get('vault', '') + reveal = kwargs.get('reveal', True) - vault_arg = [] + cmd = ['op', 'item', 'get', item, '--field', field] + + # Add vault parameter if specified if vault: - vault_arg = ['--vault', vault] - - cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg + cmd.extend(['--vault', vault]) + + # Add reveal flag for concealed fields + if reveal and field.lower() in ['password', 'secret', 'token', 'key']: + cmd.append('--reveal') display.vvv(f"Executing command: {' '.join(cmd)}") @@ -65,4 +78,11 @@ class LookupModule(LookupBase): ) return [result.stdout.strip()] except subprocess.CalledProcessError as e: - raise AnsibleError(f"Error fetching from 1Password: {e.stderr}") + error_msg = e.stderr.strip() + display.warning(f"Error executing 1Password CLI: {error_msg}") + display.warning(f"Command used: {' '.join(cmd)}") + + if "not found" in error_msg: + return [f"Secret '{item}' not found in 1Password"] + + raise AnsibleError(f"Error fetching from 1Password: {error_msg}") diff --git a/config/ansible/tasks/servers/cifs.yml b/config/ansible/tasks/servers/cifs.yml index 4471f54..f3087bc 100644 --- a/config/ansible/tasks/servers/cifs.yml +++ b/config/ansible/tasks/servers/cifs.yml 
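Review bot: The new `reveal` option is declared with a default but no `type: bool`, and the second hunk reads it with `kwargs.get('reveal', True)` rather than through `self.set_options()`/`self.get_option()`, so Ansible applies neither the declared default nor boolean coercion — the two defaults must be kept in sync by hand, and a string value such as `"false"` arriving via an extra-var would be truthy. The description also overstates what the code does: `--reveal` is only added when the field label is one of password, secret, token or key. Suggested option text: `description: pass --reveal to op for concealed fields (only applied when field is password, secret, token or key)` plus `type: bool`. Whether `set_options` is called elsewhere in run() is not visible in this diff.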
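Review bot: Gating `--reveal` on the field label (`field.lower() in ['password', 'secret', 'token', 'key']`) confuses a field's name with its type: concealment is a property of the 1Password field, so a concealed value under another label — the README's own `api_key` example, or any custom label — is requested without `--reveal` even though `reveal` is true. If the installed op CLI masks concealed values when the flag is absent (to be confirmed for the version in use), the lookup then returns the mask rather than the secret, and nothing flags it. Honouring the option as documented is simpler: `if reveal:` / `cmd.append('--reveal')`, with callers passing `reveal=false` where they do not want it; alternatively make the label list a documented, configurable option rather than an inline literal. The `run` method this sits in starts before the hunk and continues after it.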
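Review bot: The new `if "not found" in error_msg` branch turns a missing item into a successful lookup whose value is the string `Secret '<item>' not found in 1Password`; tasks/servers/cifs.yml in this same commit writes the lookup result straight into /root/.smbcredentials, and its `| default(...)` never fires because the value is defined, so a misnamed item silently produces a credentials file holding that sentence as the password. Keep raising AnsibleError for every CalledProcessError — drop the two-line branch so the handler ends with `raise AnsibleError(f"Error fetching from 1Password: {error_msg}")` — and let callers that want a soft failure use the lookup's `errors='ignore'` or `errors='warn'` keyword. Matching the substring "not found" also couples the plugin to the CLI's English message text. `e.stderr.strip()` assumes the subprocess.run call (outside the hunk) captures stderr as text; with `stderr` unset it would be None and raise AttributeError inside the except. The surrounding `run` method begins before this hunk.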
@@ -18,7 +18,7 @@ dest: /root/.smbcredentials content: | username=u451316 - password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }} + password={{ lookup('onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') | default('CHANGE_ME') }} mode: '0600' - name: Add fstab entry for storage-box
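Review bot: The `| default('CHANGE_ME')` on the new password line cannot catch a lookup failure: the plugin either raises AnsibleError, which aborts the play before the filter runs, or — with the "not found" branch added to onepassword.py in this commit — returns the literal string `Secret '…' not found in 1Password`, which is a defined value and so is written to /root/.smbcredentials as the password. If a fallback is really wanted, use the lookup's `errors='ignore'` keyword so the result is empty and `default('CHANGE_ME', true)` applies; otherwise drop the filter and let the error stop the play, since a CIFS mount with a placeholder password only fails later and less clearly. The task that writes this file begins before the hunk; because its `content` carries a secret, confirm it sets `no_log: true` so the rendered content does not surface in `--diff` output or logs.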