From 59217d0bab8aabd0075ede53a914f057f11965c6 Mon Sep 17 00:00:00 2001
From: Markus Katharina Brechtel
Date: Thu, 7 May 2020 13:33:25 +0200
Subject: [PATCH] stateless secret management

---
 defaults/main.yaml | 1 +
 tasks/local_facts.yaml | 17 +++++++++++++++++
 tasks/main.yaml | 16 ++++++++++++++++
 vars/main.yaml | 4 ++++
 4 files changed, 38 insertions(+)
 create mode 100644 tasks/local_facts.yaml

diff --git a/defaults/main.yaml b/defaults/main.yaml
index a0026a1..64909cc 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,4 +1,5 @@
 ---
 buildbot_worker_name: buildbot-worker
+buildbot_worker_password: "{{ ansible_local[_local_facts_id].worker_password }}"
 buildbot_worker_admin_info: ""
 buildbot_worker_host_info: ""
diff --git a/tasks/local_facts.yaml b/tasks/local_facts.yaml
new file mode 100644
index 0000000..b494c74
--- /dev/null
+++ b/tasks/local_facts.yaml
@@ -0,0 +1,17 @@
+---
+
+- name: ansible local facts directory
+ file:
+ path: /etc/ansible/facts.d
+ state: directory
+
+- name: set ansible local fact
+ copy:
+ content: "{{_local_facts|to_json}}"
+ dest: /etc/ansible/facts.d/{{_local_facts_id}}.fact
+ mode: 0600
+ register: _local_facts_set
+
+- name: Gathering Facts
+ setup:
+ when: _local_facts_set.changed
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 5a2fcb6..8048ad0 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,5 +1,7 @@
 ---
+- import_tasks: local_facts.yaml
+
 - name: pip3 packages for buildbot-worker
 pip:
 name:
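Review bot: The new `buildbot_worker_password` default in defaults/main.yaml gives no hint that its value is read from a local fact this role writes itself, nor that `_local_facts_id` is a role-private name from vars/main.yaml, so someone overriding the role cannot tell what setting it does. I would add above the line: `# Per-host password recorded under /etc/ansible/facts.d by tasks/local_facts.yaml; set this explicitly to use a fixed password instead.` The reference is only defined because tasks/main.yaml imports local_facts.yaml before any other task and re-runs `setup` after writing the fact, which the comment should mention so the ordering is not broken later.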
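Review bot: `mode: 0600` on the `set ansible local fact` task is an unquoted leading-zero integer; a YAML 1.1 loader reads it as octal 384 and Ansible happens to interpret that int as 0600, but a YAML 1.2 loader yields decimal 600, which is why Ansible's documentation asks for the quoted form `mode: "0600"`. The `Gathering Facts` task re-collects every fact only to pick up the new local fact; `setup:` with `filter: ansible_local` keeps the re-gather to what changed. Since this fact file stores the worker's plaintext password, the `ansible local facts directory` task might also pin `owner`/`mode` rather than inherit the remote umask, though the file-level 0600 already protects the content.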
@@ -49,6 +51,20 @@
 creates: /var/lib/buildbot-worker/{{buildbot_worker_name}}/worker
 notify: restart buildbot-worker service
 
+- name: buildbot-worker name
+ lineinfile:
+ path: /var/lib/buildbot-worker/{{buildbot_worker_name}}/worker/buildbot.tac
+ regexp: '^workername *='
+ line: workername = '{{buildbot_worker_name}}'
+ notify: restart buildbot-worker service
+
+- name: buildbot-worker password
+ lineinfile:
+ path: /var/lib/buildbot-worker/{{buildbot_worker_name}}/worker/buildbot.tac
+ regexp: '^passwd *='
+ line: passwd = '{{buildbot_worker_password}}'
+ notify: restart buildbot-worker service
+
 - name: buildbot-worker host info
 copy:
 content: "{{buildbot_worker_host_info}}"
diff --git a/vars/main.yaml b/vars/main.yaml
index 1cdc2b5..5e82df0 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -1,4 +1,8 @@
 ---
+_local_facts_id: buildbot_worker_{{buildbot_worker_name}}
+_local_facts:
+ worker_password: "{% if not ansible_local[_local_facts_id].worker_password is defined %}{{ lookup('password', '/dev/null length=16 chars=ascii_letters') }}{% else %}{{ ansible_local[_local_facts_id].worker_password }}{% endif %}"
+
 buildbot_worker_user: "{{ buildbot_worker_name }}"
 buildbot_worker_group: "{{ buildbot_worker_name }}"
 buildbot_worker_home_directory: "/var/lib/buildbot-worker/{{ buildbot_worker_name }}"
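Review bot: The `buildbot-worker password` task carries the secret in `line:`, so Ansible prints it in verbose and `--diff` output and in any logging callback each time the task runs; add `no_log: true` to that task (the `buildbot-worker name` task does not need it). The value is also interpolated into a single-quoted Python literal without escaping: the password this role generates is `ascii_letters` only, but an explicitly set `buildbot_worker_password` containing `'` or `\` leaves buildbot.tac unloadable, so either document that restriction on the variable or render it as `line: passwd = {{ buildbot_worker_password | to_json }}`. Both `regexp` patterns presumably assume buildbot.tac already contains `passwd =` / `workername =` lines written by the task that owns the `creates:` context line, which starts before this hunk, outside view.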
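Review bot: `lookup('password', '/dev/null length=16 chars=ascii_letters')` in vars/main.yaml returns a fresh random string on every render of `_local_facts`, so until the fact file has been written and facts re-gathered, two evaluations of `_local_facts.worker_password` disagree; the scheme only holds because the single `copy` in tasks/local_facts.yaml is the sole consumer before `setup` runs, and that contract deserves a comment above `_local_facts:`, e.g. `# worker_password is generated on first run and persisted to /etc/ansible/facts.d by tasks/local_facts.yaml; later runs reuse the stored value, so only that task may read this before facts are re-gathered.` Note also that an explicitly set `buildbot_worker_password` is never consulted here, so the role still writes an unrelated generated password into the fact file on such hosts; if that is intended, say so in the same comment. `_local_facts_id` is a plain scalar with `{{ }}` mid-value, which parses correctly, but quoting it as `"buildbot_worker_{{ buildbot_worker_name }}"` would match the quoting style of the surrounding lines.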