Store sensitive vars in pass

2024-07-10 20:47:01 +02:00 · 2024-07-10 20:47:01 +02:00 · 44b73a216f
commit 44b73a216f
parent 53a1343491
7 changed files with 15 additions and 8 deletions
--- a/group_vars/fotos.yaml
+++ b/group_vars/fotos.yaml
@ -0,0 +1,6 @@
+root_access:
+  - ak
+  - foobar
+  - linor
+  - polyfloyd
+  - wilco
--- a/group_vars/git-ci.yaml
+++ b/group_vars/git-ci.yaml
@ -0,0 +1 @@
+forgejo_url: https://git.bitlair.nl
--- a/roles/git-ci/tasks/main.yaml
+++ b/roles/git-ci/tasks/main.yaml
@ -21,7 +21,7 @@
        mode: 0755

    - name: Register runner
-      command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ forgejo_runner_token }}"
+      command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
      args:
        chdir: "{{ runner_wd }}"
        creates: "{{ runner_wd }}/.runner"
--- a/roles/photos/templates/bambulab-fetch.sh
+++ b/roles/photos/templates/bambulab-fetch.sh
@ -4,8 +4,8 @@

 set -eu

-host={{ bambulab_host }}
-pass={{ bambulab_key }}
+host={{ lookup('passwordstore', 'fotos/bambulab subkey=host') }}
+pass={{ lookup('passwordstore', 'fotos/bambulab subkey=key') }}
 dir={{ photos_path }}

 files=$(curl -ksl "ftps://bblp:$pass@$host:990/timelapse/" | grep ^video_)
--- a/roles/services/templates/discord-bot.service
+++ b/roles/services/templates/discord-bot.service
@ -11,8 +11,8 @@ RestartSec=10s
 ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/main.py
 DynamicUser=true
 Environment="MQTT_HOST={{ mqtt_internal_host }}"
-Environment="DISCORD_WEBHOOK_URL={{ discord_webhook_url }}"
-Environment="DISCORD_TOKEN={{ discord_token }}"
+Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}"
+Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}"

 [Install]
 WantedBy=multi-user.target
--- a/roles/services/templates/mastodon-spacestate-config.py
+++ b/roles/services/templates/mastodon-spacestate-config.py
@ -10,5 +10,5 @@ open_profile_field = 'Open! @ {}'
 closed_profile_field = 'Closed @ {}'

 profile_fields = [('Website', 'https://bitlair.nl/')]
-access_token = '{{ mastodon_spacestate_access_token }}'
+access_token = '{{ lookup('passwordstore', 'services/mastodon subkey=spacestate_access_token') }}'
 homeserver = 'https://hsnl.social'
--- a/roles/services/templates/wifi-mqtt.service
+++ b/roles/services/templates/wifi-mqtt.service
@ -8,8 +8,8 @@ Restart=on-failure
 RestartSec=2s
 ExecStart=/var/lib/wifi-mqtt/wifi-mqtt.py
 DynamicUser=true
-Environment="ARUBA_INSTANT_IP={{ wifi_mqtt_snmp_ip }}"
-Environment="ARUBA_INSTANT_PASSWORD={{ wifi_mqtt_snmp_password }}"
+Environment="ARUBA_INSTANT_IP={{ lookup('passwordstore', 'services/wifi_mqtt', subkey='snmp_ip') }}"
+Environment="ARUBA_INSTANT_PASSWORD={{ lookup('passwordstore', 'services/wifi_mqtt', subkey='snmp_password') }}"

 [Install]
 WantedBy=multi-user.target