vleeuwenmenno/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enhance 1Password lookup functionality with vault ID support and concealment option
Some checks failed
Nix Format Check / check-format (push) Failing after 37s
Details

Browse Source
This commit is contained in:
Menno van Leeuwen 2025-03-11 15:58:27 +01:00
parent 47fb912c15
commit d787b25917
Signed by: vleeuwenmenno
SSH Key Fingerprint: SHA256:OJFmjANpakwD3F2Rsws4GLtbdz1TJ5tkQF0RZmF0TRE
3 changed files with 41 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
config/ansible/README.md
View File

@ -14,8 +14,11 @@ password: "{{ lookup('onepassword', 'item-name') }}"
# Fetch specific field
api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
# Fetch from specific vault
database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
# Fetch from specific vault (using vault ID)
database_password: "{{ lookup('onepassword', 'database', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') }}"
# Fetch a field without revealing it (for non-password fields)
note: "{{ lookup('onepassword', 'item-name', field='notes', reveal=false) }}"
```
### Prerequisites
@ -24,5 +27,13 @@ database_password: "{{ lookup('onepassword', 'database', field='password', vault
2. Sign in to 1Password using `op signin`
3. Service account should be properly configured
### Finding Vault IDs
To find your vault ID:
```bash
op vault list
```
For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
```

34
config/ansible/plugins/lookup/onepassword.py
View File

@ -17,14 +17,22 @@ DOCUMENTATION = """
required: false
default: password
vault:
description: the vault to fetch from
description: the vault to fetch from (name or ID)
required: false
reveal:
description: whether to reveal concealed fields
required: false
default: true
"""
EXAMPLES = """
- name: fetch password for an item
debug:
msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
msg: "{{ lookup('onepassword', 'xxxx', field='password') }}"
- name: fetch password from specific vault
debug:
msg: "{{ lookup('onepassword', 'xxxx', field='password', vault='xxxx') }}"
"""
RETURN = """
@ -47,12 +55,17 @@ class LookupModule(LookupBase):
item = terms[0]
field = kwargs.get('field', 'password')
vault = kwargs.get('vault', '')
reveal = kwargs.get('reveal', True)
vault_arg = []
cmd = ['op', 'item', 'get', item, '--field', field]
# Add vault parameter if specified
if vault:
vault_arg = ['--vault', vault]
cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg
cmd.extend(['--vault', vault])
# Add reveal flag for concealed fields
if reveal and field.lower() in ['password', 'secret', 'token', 'key']:
cmd.append('--reveal')
display.vvv(f"Executing command: {' '.join(cmd)}")
@ -65,4 +78,11 @@ class LookupModule(LookupBase):
)
return [result.stdout.strip()]
except subprocess.CalledProcessError as e:
raise AnsibleError(f"Error fetching from 1Password: {e.stderr}")
error_msg = e.stderr.strip()
display.warning(f"Error executing 1Password CLI: {error_msg}")
display.warning(f"Command used: {' '.join(cmd)}")
if "not found" in error_msg:
return [f"Secret '{item}' not found in 1Password"]
raise AnsibleError(f"Error fetching from 1Password: {error_msg}")

2
config/ansible/tasks/servers/cifs.yml
View File

@ -18,7 +18,7 @@
dest: /root/.smbcredentials
content: |
username=u451316
password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }}
password={{ lookup('onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') | default('CHANGE_ME') }}
mode: '0600'
- name: Add fstab entry for storage-box