diff --git a/defaults/main.yaml b/defaults/main.yaml
index ed97d53..3eca9af 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1 +1,10 @@
 ---
+
+secrets: {}
+
+secrets_definitions: {}
+
+secrets_default_store: facts
+secrets_default_generator: password
+secrets_default_password_length: 24
+secrets_default_password_chars: ascii_letters,digits
diff --git a/tasks/main.yaml b/tasks/main.yaml
index ed97d53..5012a9d 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1 +1,18 @@
 ---
+
+- name: secret pre-store debug
+ debug:
+ msg:
+ secrets: "{{ secrets }}"
+ secrets_set: "{{ secrets_set }}"
+ secrets_reset: "{{ secrets_reset }}"
+ secrets_set_by_store: "{{ secrets_set_by_store }}"
+ secrets_reset_by_store: "{{ secrets_reset_by_store }}"
+
+- import_tasks: store/facts.yaml
+- import_tasks: store/local_facts.yaml
+
+- name: secret post-store debug
+ debug:
+ msg:
+ secrets: "{{ secrets }}"
diff --git a/tasks/store/facts.yaml b/tasks/store/facts.yaml
new file mode 100644
index 0000000..2e62534
--- /dev/null
+++ b/tasks/store/facts.yaml
@@ -0,0 +1,5 @@
+---
+
+- name: set secrets in facts
+ set_fact:
+ secrets: "{{ secrets_set_by_store.facts | combine(secrets) | combine(secrets_reset_by_store.facts) }}"
diff --git a/tasks/store/local_facts.yaml b/tasks/store/local_facts.yaml
new file mode 100644
index 0000000..e3ebdf1
--- /dev/null
+++ b/tasks/store/local_facts.yaml
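Review bot: The two debug tasks in the tasks/main.yaml hunk print every generated secret (`secrets`, `secrets_set`, `secrets_reset` and both per-store maps) into the play output, and `debug` output is never masked, so the values land in console logs, CI logs and any callback plugin. If the tasks are meant for development, gate them with `verbosity: 2` or drop them before merging; the post-store task has the same problem. The `set_fact` in tasks/store/facts.yaml and the `copy` and final `set_fact` in tasks/store/local_facts.yaml also carry the secret values and would show them under `-v` or `--diff`, so each of those tasks should get `no_log: true`.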
@@ -0,0 +1,25 @@
+---
+
+# TODO remove secrets that are defined for other stores
+
+- name: ansible local facts directory
+ file:
+ path: /etc/ansible/facts.d
+ state: directory
+
+- name: save secrets in ansible local secrets fact
+ copy:
+ content: "{{ secrets_set_by_store.local_facts | combine(ansible_local.secrets | default({})) | combine(secrets_reset_by_store.local_facts) | to_json }}"
+ dest: /etc/ansible/facts.d/secrets.fact
+ mode: 0600
+ register: _local_facts_set
+
+- name: gathering ansible local facts
+ setup:
+ gather_subset: min
+ filter: ansible_local
+ when: _local_facts_set.changed
+
+- name: set secrets gathered from ansible local secrets fact
+ set_fact:
+ secrets: "{{ secrets | combine(ansible_local.secrets) }}"
diff --git a/vars/main.yaml b/vars/main.yaml
index ed97d53..9e6be75 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
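Review bot: The last `set_fact` in local_facts.yaml reads `ansible_local.secrets` without the `default({})` that the `copy` task uses, while the `setup` refresh only runs `when: _local_facts_set.changed`; if I read this right, a run where the fact file already holds the computed content but local facts were not gathered (e.g. `gather_facts: false`) fails on an undefined variable instead of using the file it just verified. Either drop the `when` so the facts are always re-read after the write, or mirror the default: `secrets: "{{ secrets | combine(ansible_local.secrets | default({})) }}"`. Separately, `mode: 0600` is an unquoted octal literal — PyYAML reads it as the integer 384, which Ansible interprets as the intended mode, but a YAML 1.2 parser reads decimal 600; write `mode: "0600"` as ansible-lint recommends. The `file` task for /etc/ansible/facts.d sets no `mode`, so the directory takes the remote umask; that is acceptable only because the fact file itself is restricted to 0600.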
@@ -1 +1,58 @@
 ---
+secrets_generators:
+ - password
+ #- xkcd
+
+secrets_stores:
+ - facts
+ - local_facts
+
+secrets_set: |-
+ {
+ {% for secret_name in secrets_definitions.keys() %}
+ {% set secrets_definition = secrets_definitions[secret_name] %}
+ {% set password_length = secrets_definition.password_length | default(secrets_default_password_length) | string %}
+ {% set password_chars = secrets_definition.password_chars|default(secrets_default_password_chars) %}
+ {{secret_name|to_json}}:
+ {{ lookup('password', '/dev/null length='+password_length+' chars='+password_chars ) | to_json }}
+ ,
+ {% endfor %}
+ }
+
+secrets_reset: |-
+ {
+ {% for secret_name in secrets_definitions.keys() %}
+ {% set secrets_definition = secrets_definitions[secret_name] %}
+ {% if secrets_definition.reset | default(false) %}
+ {{secret_name|to_json}}: {{ secrets_set[secret_name] | to_json }},
+ {% endif %}
+ {% endfor %}
+ }
+
+secrets_set_by_store: |-
+ {
+ {% for store_name in secrets_stores %}
+ {{store_name|to_json}}: {
+ {% for secret_name in secrets_set.keys() %}
+ {% set secrets_definition = secrets_definitions[secret_name] %}
+ {% if store_name == secrets_definition.store | default(secrets_default_store) %}
+ {{secret_name|to_json}}: {{ secrets_set[secret_name] | to_json }},
+ {% endif %}
+ {% endfor %}
+ },
+ {% endfor %}
+ }
+
+secrets_reset_by_store: |-
+ {
+ {% for store_name in secrets_stores %}
+ {{store_name|to_json}}: {
+ {% for secret_name in secrets_reset.keys() %}
+ {% set secrets_definition = secrets_definitions[secret_name] %}
+ {% if store_name == secrets_definition.store | default(secrets_default_store) %}
+ {{secret_name|to_json}}: {{ secrets_reset[secret_name] | to_json }},
+ {% endif %}
+ {% endfor %}
+ },
+ {% endfor %}
+ }
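Review bot: `secrets_set` in vars/main.yaml is a Jinja template whose `lookup('password', '/dev/null ...')` returns a fresh random value on every render, and Ansible re-renders a templated variable at each reference, so as far as I can tell `secrets_reset`, `secrets_set_by_store` and the pre-store debug task each obtain a different password for the same secret name, and the value a store persists need not match the value reported. Generate the values once instead: keep the template under a private name (e.g. `_secrets_set_template`), materialize it with a `set_fact` marked `no_log: true` before the store imports, and build the reset and per-store maps from that fact. The rename matters because role vars outrank `set_fact`, so a fact named `secrets_set` cannot override this vars entry. `secrets_default_generator` and `secrets_generators` are not consulted anywhere in this hunk — the `password` lookup is hard-wired in the loop — so either wire in generator selection or document that only `password` is implemented.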