feat: Renames vault-gopass to vault-gopass-client

fix: Fixes ansible config and environment variables to utilize the vault-gopass-client file
feat: Edits ansible config to use the vault-gopass script
2026-02-15 22:52:37 +00:00 · 2024-11-27 10:03:41 -05:00 · 2024-11-27 10:02:12 -05:00 · 2024-11-27 08:54:38 -05:00 · 2024-11-27 08:47:45 -05:00 · 2024-11-27 07:53:26 -05:00
3 changed files with 84 additions and 6 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -261,10 +261,10 @@ roles_path={{ ANSIBLE_HOME ~ "~/.local/ansible/roles:/roles:/usr/share/ansible/r
 ;vars_plugins={{ ANSIBLE_HOME ~ "/plugins/vars:/usr/share/ansible/plugins/vars" }}
 # (string) The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The --encrypt-vault-id cli option overrides the configured value.
-;vault_encrypt_identity=
+vault_encrypt_identity=michael
 # (string) The label to use for the default vault id label in cases where a vault id label is not provided
-;vault_identity=default
+vault_identity=michael
 # (list) A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.
 ;vault_identity_list=
@@ -274,7 +274,7 @@ roles_path={{ ANSIBLE_HOME ~ "~/.local/ansible/roles:/roles:/usr/share/ansible/r
 # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
 # If executable, it will be run and the resulting stdout will be used as the password.
-vault_password_file=~/.local/ansible/.vaultpwd
+vault_password_file=~/.local/share/scripts/vault-gopass
 # (integer) Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line.
 ;verbosity=0
@@ -982,4 +982,3 @@ cache_dir=~/.cache/ansible
 # Setting this option to V(inventory) will only run the vars plugin after parsing inventory.
 # If this option is omitted, the global C(RUN_VARS_PLUGINS) configuration is used to determine when to execute the vars plugin.
 ;stage=
--- a/scripts/scripts/vault-gopass-client
+++ b/scripts/scripts/vault-gopass-client
@@ -0,0 +1,79 @@
 #!/usr/bin/env zsh
 #
 # An adapter script to use gopass to store and retrieve passwords for ansible vault.
 #
 # When calling from ansible vault it get's passed --vault-id [ID] which is the id
 # of the secret to retrieve.
 #
 local secretPath="ansible"
 function usage() {
  cat <<EOF
  An adapter script that integrates gopass as storage for ansible vault id's.
  To retreive a secret based on the vault id, then pass the '--vault-id' flag with an
  associated [ID] to look for. (This is generally handled / passed in by the ansible-vault
  command)
  You can also call this script with the '--set' flag and an [ID] argument
  to create a new secret for the given id.  The default behavior of the
  set option is to prompt for the secret, you can optionally pass the '--generate'
  flag to automatically generate a secret.  If an [ID] argument is not supplied to
  the set option then we will prompt for the id to store the secret under.
  Secrets are stored in the default password store at '$secretPath/<ID>'.
  Usage: vault-gopass-client [-s | --set] [-g | --generate] [--vault-id <ID>] [ID]
      -s | --set:         Set a new secret for the given ID.
      -g | --generate:    Used with the set option to automatically generate the secret.
      --vault-id <ID>:    Used to retrieve a secret for the given ID.
      -h | --help:        Show this usage message.
  Examples:
    # Automatically generate a secret for the 'foo' id.
    $ vault-gopass --set --generate foo
    # Retrieve the secret for 'foo' and print it to stdout.
    $ vault-gopass --vault-id foo
 EOF
 }
 # parse the passed in options, failing if unrecognized options are given.
 zparseopts -D -E -F - \
  g=generateFlag -generate=generateFlag \
  h=helpFlag -help=helpFlag \
  s=setFlag -set=setFlag \
  -vault-id:=vaultId \
  || exit 1
 # check for the help flag, show usage and exit.
 [ ${#helpFlag} = 1 ] && usage && exit 0
 if [ ${#vaultId} = 2 ]; then
  # we received the vault-id option, so we print the
  # secret to stdout
  password=$(gopass show --password "$secretPath/${vaultId[-1]}")
  echo "$password"
  exit 0
 elif [ ${#setFlag} = 1 ]; then
  # Use the first argument as the id, we ask for an id
  # if not supplied.
  local id=$1
  if [ "$id" = "" ]; then
    read -r id\?"Vault ID: "
  fi
  # Check for generate flag to automatically generate a password.
  [ ${#generateFlag} = 1 ] \
    && gopass generate "$secretPath/$id" 24 \
    && exit 0
  # Insert a password prompting the user to supply it.
  gopass insert "$secretPath/$id"
 fi
--- a/zsh/config/.zshenv
+++ b/zsh/config/.zshenv
@@ -78,8 +78,8 @@ export VAULT_ADDR="https://vault.housh.dev"
 # Ansible
 export ANSIBLE_HOME="$XDG_CONFIG_HOME/ansible"
-export ANSIBLE_VAULT_PASSWORD_FILE="$XDG_DATA_HOME/ansible/.vaultpwd"
+export ANSIBLE_VAULT_PASSWORD_FILE="$SCRIPTS/vault-gopass-client"
-export DEFAULT_VAULT_PASSWORD_FILE="$XDG_DATA_HOME/ansible/.vaultpwd"
+export DEFAULT_VAULT_PASSWORD_FILE="$SCRIPTS/vault-gopass-client"
 # Tmux-Sessionator path.
 export TMUX_SESSIONATOR_PATH="$HOME:$SCRIPTS:$LOCAL_REPOS:$REPOS:$ANSIBLE_LOCAL:$GHREPOS:$HVACIOTREPOS"
Author	SHA1	Message	Date
Michael Housh	5f45954d98	feat: Renames vault-gopass to vault-gopass-client	2024-11-27 10:03:41 -05:00
Michael Housh	4fb2b70004	fix: Fixes ansible config and environment variables to utilize the vault-gopass-client file	2024-11-27 10:02:12 -05:00
Michael Housh	a86116056f	feat: Edits ansible config to use the vault-gopass script	2024-11-27 08:54:38 -05:00
Michael Housh	f43cd2c543	feat: Finishes vault-gopass script	2024-11-27 08:47:45 -05:00
Michael Housh	48d0e16f6a	feat: Begins vault-gopass script	2024-11-27 07:53:26 -05:00