From 44b73a216fa848db366f92cc90a591efa30da07a Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Wed, 10 Jul 2024 20:47:01 +0200
Subject: [PATCH] Store sensitive vars in pass

---
 group_vars/fotos.yaml                                  | 6 ++++++
 group_vars/git-ci.yaml                                 | 1 +
 roles/git-ci/tasks/main.yaml                           | 2 +-
 roles/photos/templates/bambulab-fetch.sh               | 4 ++--
 roles/services/templates/discord-bot.service           | 4 ++--
 roles/services/templates/mastodon-spacestate-config.py | 2 +-
 roles/services/templates/wifi-mqtt.service             | 4 ++--
 7 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 group_vars/fotos.yaml
 create mode 100644 group_vars/git-ci.yaml

diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml
new file mode 100644
index 0000000..5a9ca68
--- /dev/null
+++ b/group_vars/fotos.yaml
@@ -0,0 +1,6 @@
+root_access:
+  - ak
+  - foobar
+  - linor
+  - polyfloyd
+  - wilco
diff --git a/group_vars/git-ci.yaml b/group_vars/git-ci.yaml
new file mode 100644
index 0000000..18ed638
--- /dev/null
+++ b/group_vars/git-ci.yaml
@@ -0,0 +1 @@
+forgejo_url: https://git.bitlair.nl
diff --git a/roles/git-ci/tasks/main.yaml b/roles/git-ci/tasks/main.yaml
index 3565d0a..87bc533 100644
--- a/roles/git-ci/tasks/main.yaml
+++ b/roles/git-ci/tasks/main.yaml
@@ -21,7 +21,7 @@
     mode: 0755
 
 - name: Register runner
-  command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ forgejo_runner_token }}"
+  command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
   args:
     chdir: "{{ runner_wd }}"
     creates: "{{ runner_wd }}/.runner"
diff --git a/roles/photos/templates/bambulab-fetch.sh b/roles/photos/templates/bambulab-fetch.sh
index 080a3fa..1508ed3 100644
--- a/roles/photos/templates/bambulab-fetch.sh
+++ b/roles/photos/templates/bambulab-fetch.sh
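Review bot: The runner token is still handed to `forgejo-runner register` as a command-line argument, so while that process runs it is readable by any local user through the process list, and Ansible echoes the fully rendered `command:` string in task output on failure and under `-v`, so the value now fetched from pass still ends up in controller logs. Moving the variable into pass changes where Ansible reads it, not either of those exposures; at minimum the task should carry `no_log: true` next to `args:`. If forgejo-runner can take the token from an environment variable or a file instead of `--token=`, that would also keep it out of the process list, but I cannot confirm that option from here. The enclosing task list continues outside the hunk, so check that no later task re-echoes the registration command.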
@@ -4,8 +4,8 @@ set -eu
-host={{ bambulab_host }}
-pass={{ bambulab_key }}
+host={{ lookup('passwordstore', 'fotos/bambulab subkey=host') }}
+pass={{ lookup('passwordstore', 'fotos/bambulab subkey=key') }}
 dir={{ photos_path }}
 files=$(curl -ksl "ftps://bblp:$pass@$host:990/timelapse/" | grep ^video_)
diff --git a/roles/services/templates/discord-bot.service b/roles/services/templates/discord-bot.service
index f93dbc7..2c73d05 100644
--- a/roles/services/templates/discord-bot.service
+++ b/roles/services/templates/discord-bot.service
@@ -11,8 +11,8 @@ RestartSec=10s
 ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/main.py
 DynamicUser=true
 Environment="MQTT_HOST={{ mqtt_internal_host }}"
-Environment="DISCORD_WEBHOOK_URL={{ discord_webhook_url }}"
-Environment="DISCORD_TOKEN={{ discord_token }}"
+Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}"
+Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/services/templates/mastodon-spacestate-config.py b/roles/services/templates/mastodon-spacestate-config.py
index 1af7626..cf9fae4 100644
--- a/roles/services/templates/mastodon-spacestate-config.py
+++ b/roles/services/templates/mastodon-spacestate-config.py
@@ -10,5 +10,5 @@
 open_profile_field = 'Open! @ {}'
 closed_profile_field = 'Closed @ {}'
 profile_fields = [('Website', 'https://bitlair.nl/')]
-access_token = '{{ mastodon_spacestate_access_token }}'
+access_token = '{{ lookup('passwordstore', 'services/mastodon subkey=spacestate_access_token') }}'
 homeserver = 'https://hsnl.social'
diff --git a/roles/services/templates/wifi-mqtt.service b/roles/services/templates/wifi-mqtt.service
index 1eeaa77..060f688 100644
--- a/roles/services/templates/wifi-mqtt.service
+++ b/roles/services/templates/wifi-mqtt.service
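Review bot: The printer key is still rendered in plaintext into the script as `pass=...` and then interpolated into the URL on the following context line (`ftps://bblp:$pass@$host:990/...`), so it is typically visible to other local users in the process list while curl runs; the commit changes where Ansible reads the value, not how the host handles it. Feeding the credential to curl through `-K -` (a `user = "bblp:$pass"` config line on stdin) or a `--netrc-file` with mode `0600` keeps it out of argv, and the template task that writes this script — outside the hunk — should install it with a restrictive mode such as `0700`. The unquoted `pass=` assignment also breaks if the key ever contains shell metacharacters; `pass='{{ ... }}'` is safer provided the value cannot contain a single quote. Separately, the pre-existing `-k` disables certificate verification on the FTPS session, so the password goes to whatever answers on that host; pinning the printer's certificate with `--cacert` would be the matching fix, though that predates this change.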
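Review bot: `Environment=` values in a unit file are not confidential on the target: the unit is world-readable under the usual install mode and `systemctl show discord-bot` returns the `Environment=` property to unprivileged users over D-Bus, so the webhook URL and bot token are still disclosed locally even though they now come from pass; the same applies to the two `Environment=` lines in `roles/services/templates/wifi-mqtt.service`. Because the unit already runs with `DynamicUser=true`, systemd credentials fit well — render the secret into a root-only file and add `LoadCredential=discord_token:<path-to-root-only-file>`, with the bot reading `$CREDENTIALS_DIRECTORY/discord_token` — or, as the smaller change, move both lines into an `EnvironmentFile=` with mode `0600`. Whether the bot can read a credential from a file is not visible here, so the `EnvironmentFile=` route is the safer first step; either way the template task installing this unit (outside the hunk) should set a restrictive `mode:`.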
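Review bot: The token is spliced into a single-quoted Python literal, `access_token = '{{ ... }}'`, so a value containing `'` or `\` would render a syntactically broken or subtly altered config; emitting it through a JSON filter yields a literal Python can always parse: `access_token = {{ lookup('passwordstore', 'services/mastodon subkey=spacestate_access_token') | to_json }}`. Mastodon access tokens are normally URL-safe characters, so the practical risk is low, but the filter removes the dependency on that assumption. The rendered file still carries the secret in plaintext, so the template task that writes it (outside the hunk) should set `mode: 0600` with ownership matching the service user.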
@@ -8,8 +8,8 @@ Restart=on-failure
 RestartSec=2s
 ExecStart=/var/lib/wifi-mqtt/wifi-mqtt.py
 DynamicUser=true
-Environment="ARUBA_INSTANT_IP={{ wifi_mqtt_snmp_ip }}"
-Environment="ARUBA_INSTANT_PASSWORD={{ wifi_mqtt_snmp_password }}"
+Environment="ARUBA_INSTANT_IP={{ lookup('passwordstore', 'services/wifi_mqtt', subkey='snmp_ip') }}"
+Environment="ARUBA_INSTANT_PASSWORD={{ lookup('passwordstore', 'services/wifi_mqtt', subkey='snmp_password') }}"
 
 [Install]
 WantedBy=multi-user.target