diff --git a/scripts/scripts/vault-gopass-client b/scripts/scripts/vault-gopass-client new file mode 100755 index 0000000..5b0b1db --- /dev/null +++ b/scripts/scripts/vault-gopass-client @@ -0,0 +1,79 @@ +#!/usr/bin/env zsh +# +# An adapter script to use gopass to store and retrieve passwords for ansible vault. +# +# When calling from ansible vault it get's passed --vault-id [ID] which is the id +# of the secret to retrieve. +# + +local secretPath="ansible" + +function usage() { + cat <'. + + Usage: vault-gopass-client [-s | --set] [-g | --generate] [--vault-id ] [ID] + + -s | --set: Set a new secret for the given ID. + -g | --generate: Used with the set option to automatically generate the secret. + --vault-id : Used to retrieve a secret for the given ID. + -h | --help: Show this usage message. + + Examples: + + # Automatically generate a secret for the 'foo' id. + $ vault-gopass --set --generate foo + + # Retrieve the secret for 'foo' and print it to stdout. + $ vault-gopass --vault-id foo + +EOF +} + +# parse the passed in options, failing if unrecognized options are given. +zparseopts -D -E -F - \ + g=generateFlag -generate=generateFlag \ + h=helpFlag -help=helpFlag \ + s=setFlag -set=setFlag \ + -vault-id:=vaultId \ + || exit 1 + +# check for the help flag, show usage and exit. +[ ${#helpFlag} = 1 ] && usage && exit 0 + +if [ ${#vaultId} = 2 ]; then + # we received the vault-id option, so we print the + # secret to stdout + password=$(gopass show --password "$secretPath/${vaultId[-1]}") + echo "$password" + exit 0 +elif [ ${#setFlag} = 1 ]; then + + # Use the first argument as the id, we ask for an id + # if not supplied. + local id=$1 + if [ "$id" = "" ]; then + read -r id\?"Vault ID: " + fi + + # Check for generate flag to automatically generate a password. + [ ${#generateFlag} = 1 ] \ + && gopass generate "$secretPath/$id" 24 \ + && exit 0 + + # Insert a password prompting the user to supply it. + gopass insert "$secretPath/$id" +fi
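Review bot: In the `--vault-id` branch a missing or unreadable secret is not treated as an error: when `gopass show` fails, `password` is simply empty, `echo` prints a blank line and the script still exits 0, so ansible-vault silently tries an empty password instead of failing loudly. Let gopass write straight to stdout and propagate its status, `gopass show --password "$secretPath/${vaultId[-1]}" || exit 1`, dropping the `password=`/`echo` pair. That also avoids zsh's builtin `echo`, which interprets backslash escapes without `-e` and would mangle a generated password containing `\n` or `\t`; if a variable must be printed, use `print -r --` or `printf '%s\n'`. The `--generate` path has the same shape: if `gopass generate` fails, the `&& exit 0` chain falls through to `gopass insert` and prompts interactively, so that should be an `if` that exits with gopass's status rather than a chain. The `<ID>` placeholders in the usage heredoc look lost in rendering (`cat <'.`, `[--vault-id ]`); worth confirming the committed file still opens the heredoc with `cat <<EOF`.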