[vault] Changing cranspasswords to pass crans

.gitignore

@@ -4,3 +4,4 @@ __pycache__
 env/
 # ignore dummy_playbook
 debug.yml
+group_vars/all/vault.yml

ansible.cfg

@@ -5,7 +5,6 @@
 # Explicitely redefined some defaults to make play execution work
 roles_path = ./roles
 action_plugins = ./action_plugins
-vars_plugins = ./vars_plugins
 lookup_plugins = ./lookup_plugins
 
 # Do not create .retry files

group_vars/all/vars.yaml

@@ -40,8 +40,8 @@ adm_subnet: 10.231.136.0/24
 #
 # re2o:
 #   server: re2o.adm.crans.org
-#   service_user: "{{ vault_re2o_service_user }}"
-#   service_password: "{{ vault_re2o_service_password }}"
+#   service_user: "{{ vault.re2o_service_user }}"
+#   service_password: "{{ vault.re2o_service_password }}"
 #
 #
 # # global server definitions

group_vars/all/vault.yml

@@ -0,0 +1 @@
+vault: "{{ lookup('pipe', 'pass show crans/ansible_vault') | from_yaml }}"

group_vars/certbot.yml

@@ -2,7 +2,7 @@
 glob_certbot:
   - dns_rfc2136_server: '172.16.10.147'
     dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
     mail: root@crans.org
     certname: crans.org
     domains: "crans.org"

group_vars/dhcp.yml

@@ -67,7 +67,7 @@ glob_re2o_services:
   server: re2o.adm.crans.org
   service:
     user: services
-    password: "{{ vault_re2o_service_password }}"
+    password: "{{ vault.re2o_service_password }}"
   mail_server: "{{ glob_smtp }}"
 
 glob_re2o_dhcp:

group_vars/django_cas.yml

@@ -11,13 +11,13 @@ glob_django_cas:
     - auth.adm.crans.org
   ldap:
     dn: 'cn=Utilisateurs,dc=crans,dc=org'
-    password: "{{ vault_cas_ldap_password }}"
+    password: "{{ vault.cas_ldap_password }}"
     user: 'cn=cas,ou=service-users,dc=crans,dc=org'
     server: 172.16.10.157
   db:
     host: tealc.adm.crans.org
-    password: "{{ vault_cas_database_password }}"
-  secret_key: "{{ vault_cas_secret_key }}"
+    password: "{{ vault.cas_database_password }}"
+  secret_key: "{{ vault.cas_secret_key }}"
   reverse_proxy:
     - '10.231.136.0/24'
     - '2a0c:700:0:2::/64'

group_vars/framadate.yml

@@ -6,6 +6,6 @@ glob_framadate:
   repo: https://framagit.org/framasoft/framadate/framadate.git
   version: "1.1.11"
   admin_username: framadate
-  admin_password: "{{ vault_framadate_password }}"
-  db_password: "{{ vault_framadate_password_db }}"
+  admin_password: "{{ vault.framadate_password }}"
+  db_password: "{{ vault.framadate_password_db }}"
 

group_vars/horde.yml

@@ -1,5 +1,5 @@
 glob_horde:
-  secret: '{{ vault_horde_secret }}'
+  secret: '{{ vault.horde_secret }}'
   imap: imap.adm.crans.org
   smtp: smtp.adm.crans.org
   maildomain: crans.org

group_vars/re2o.yml

@@ -1,7 +1,7 @@
 ---
 glob_re2o:
-  django_secret_key: "{{ vault_re2o_django_secret_key }}"
-  aes_key: "{{ vault_re2o_aes_key }}"
+  django_secret_key: "{{ vault.re2o_django_secret_key }}"
+  aes_key: "{{ vault.re2o_aes_key }}"
   admins:
     - ('Root', 'root@crans.org')
   allowed_hosts:
@@ -9,9 +9,9 @@ glob_re2o:
     - 'intranet.adm.crans.org'
   from_email: "root@crans.org"
   ldap:
-    master_password: "{{ vault_ldap_master_password }}"
+    master_password: "{{ vault.ldap_master_password }}"
     uri: "ldap://re2o-ldap.adm.crans.org/"
     dn: "cn=admin,dc=crans,dc=org"
   database:
-      password: "{{ vault_re2o_db_password }}"
+      password: "{{ vault.re2o_db_password }}"
       uri: "tealc.adm.crans.org"

group_vars/reverseproxy.yml

@@ -1,6 +1,6 @@
 certbot:
   dns_rfc2136_name: certbot_challenge.
-  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
   mail: root@crans.org
   certname: crans.org
   domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

group_vars/roundcube.yml

@@ -4,7 +4,7 @@ roundcube_glob:
   smtp_server: smtp.adm.crans.org
   pgsql_server: pgsql.adm.crans.org
   mail_domain: crans.org
-  des_key: "{{ vault_roundcube_des_key }}"
+  des_key: "{{ vault.roundcube_des_key }}"
   plugins:
     - repo: 'https://gitlab.crans.org/nounous/roundcube-intranet.git'
       name: intranet

group_vars/slapd.yml

@@ -2,6 +2,6 @@
 glob_slapd:
   master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
   regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
-  replication_credentials: "{{ vault_ldap_replication_credentials }}"
-  private_key: "{{ vault_ldap_private_key }}"
-  certificate: "{{ vault_ldap_certificate }}"
+  replication_credentials: "{{ vault.ldap_replication_credentials }}"
+  private_key: "{{ vault.ldap_private_key }}"
+  certificate: "{{ vault.ldap_certificate }}"

host_vars/gitzly.adm.crans.org.yml

@@ -6,14 +6,14 @@ interfaces:
 loc_certbot:
   - dns_rfc2136_server: '172.16.10.147'
     dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
     mail: root@crans.org
     certname: crans.org
     domains: "*.crans.org"
 
   - dns_rfc2136_server: '172.16.10.147'
     dns_rfc2136_name: certbot_adm_challenge.
-    dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+    dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
     mail: root@crans.org
     certname: adm.crans.org
     domains: "*.adm.crans.org"

host_vars/hodaur.adm.crans.org.yml

@@ -6,7 +6,7 @@ interfaces:
 loc_certbot:
   - dns_rfc2136_server: '172.16.10.147'
     dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
     mail: root@crans.org
     certname: crans.org
     domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

host_vars/owncloud.adm.crans.org.yml

@@ -6,6 +6,6 @@ interfaces:
 
 loc_ldap:
   base_dn: "cn=admin,dc=crans,dc=org"
-  password: "{{ vault_ldap_master_password }}"
+  password: "{{ vault.ldap_master_password }}"
   uri: "ldap://172.16.10.157"
 

host_vars/zamok.adm.crans.org.yml

@@ -6,4 +6,4 @@ loc_borg:
     - type: mysql_databases
       params:
         - "- name: all"
-        - "  password: {{ vault_mysql_zamok_password }}"
+        - "  password: {{ vault.mysql_zamok_password }}"

plays/dns.yml

@@ -8,8 +8,8 @@
 # Deploy authoritative DNS server
 - hosts: dns_authoritative
   vars:
-    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
-    certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
+    certbot_dns_secret: "{{ vault.certbot_dns_secret }}"
+    certbot_adm_dns_secret: "{{ vault.certbot_adm_dns_secret }}"
     bind:
       masters: "{{ query('ldap', 'role', 'dns-primary') }}"
       slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
@@ -22,7 +22,7 @@
   vars:
     re2o:
       server: re2o.adm.crans.org
-      service_user: "{{ vault_re2o_service_user }}"
-      service_password: "{{ vault_re2o_service_password }}"
+      service_user: "{{ vault.re2o_service_user }}"
+      service_password: "{{ vault.re2o_service_password }}"
   roles:
     - dns

plays/firewall.yml

@@ -33,8 +33,8 @@
   vars:
     re2o:
       server: re2o.adm.crans.org
-      service_user: "{{ vault_re2o_service_user }}"
-      service_password: "{{ vault_re2o_service_password }}"
+      service_user: "{{ vault.re2o_service_user }}"
+      service_password: "{{ vault.re2o_service_password }}"
   roles:
     - firewall
 

plays/generate_documentation.yml

@@ -3,8 +3,8 @@
 # Document servers
 - hosts: server
   vars:
-    moinmoin_user: "{{ vault_moinmoin_user }}"
-    moinmoin_password: "{{ vault_moinmoin_password }}"
+    moinmoin_user: "{{ vault.moinmoin_user }}"
+    moinmoin_password: "{{ vault.moinmoin_password }}"
     moinmoin_base_url: https://wiki.crans.org/CransTechnique/LesServeurs
   roles:
     - moinmoin-gendoc

plays/home.yml

@@ -4,7 +4,7 @@
   vars:
     home:
       ldap_server: ldap://re2o-ldap.adm.crans.org
-      ldap_password: "{{ vault_ldap_home_password }}"
+      ldap_password: "{{ vault.ldap_home_password }}"
       binddn: cn=home,ou=service-users,dc=crans,dc=org
       rootdn: cn=Utilisateurs,dc=crans,dc=org
   roles:

plays/mailman.yml

@@ -31,11 +31,11 @@
   vars:
     mailman3:
       site_owner: root@crans.org
-      database_pass: "{{ vault_mailman3_database_pass }}"
-      restadmin_pass: "{{ vault_mailman3_restadmin_pass }}"
-      archiver_key: "{{ vault_mailman3_archiver_key }}"
-      web_secret_key: "{{ vault_mailman3_web_secret_key }}"
-      web_database_pass: "{{ vault_mailman3_web_database_pass }}"
+      database_pass: "{{ vault.mailman3_database_pass }}"
+      restadmin_pass: "{{ vault.mailman3_restadmin_pass }}"
+      archiver_key: "{{ vault.mailman3_archiver_key }}"
+      web_secret_key: "{{ vault.mailman3_web_secret_key }}"
+      web_database_pass: "{{ vault.mailman3_web_database_pass }}"
       web_domain: "mailman.crans.org"
   roles:
     - mailman3

plays/monitoring.yml

@@ -42,8 +42,8 @@
       bird_targets:
         - routeur-sam.adm.crans.org
 
-    snmp_procurve_password: "{{ vault_snmp_procurve_password }}"
-    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_procurve_password: "{{ vault.snmp_procurve_password }}"
+    snmp_unifi_password: "{{ vault.snmp_unifi_password }}"
 
     grafana:
       root_url: https://grafana.crans.org

plays/postfix.yml

@@ -6,14 +6,14 @@
     certbot:
       - dns_rfc2136_server: '172.16.10.147'
         dns_rfc2136_name: certbot_challenge.
-        dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+        dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
         mail: root@crans.org
         certname: crans.org
         domains: "*.crans.org"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
     opendkim:
-        private_key: "{{ vault_opendkim_private_key }}"
+        private_key: "{{ vault.opendkim_private_key }}"
     policyd:
       mail: root@crans.org
       exemptions: "{{ lookup('re2oapi', 'get_role', 'user-server')[0] }}"

plays/wireguard.yml

@@ -6,8 +6,8 @@
     debian_mirror: http://mirror.crans.org/debian
     wireguard:
       sputnik: true
-      private_key: "{{ vault_wireguard_sputnik_private_key }}"
-      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
+      private_key: "{{ vault.wireguard_sputnik_private_key }}"
+      peer_public_key: "{{ vault.wireguard_boeing_public_key }}"
   roles:
     - wireguard
 
@@ -18,7 +18,7 @@
     wireguard:
       sputnik: false
       if: ens18
-      private_key: "{{ vault_wireguard_boeing_private_key }}"
-      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
+      private_key: "{{ vault.wireguard_boeing_private_key }}"
+      peer_public_key: "{{ vault.wireguard_sputnik_public_key }}"
   roles:
     - wireguard

re2o.yml

@@ -7,8 +7,8 @@
   vars:
     re2o:
       server: re2o.adm.crans.org
-      service_user: "{{ vault_re2o_service_user }}"
-      service_password: "{{ vault_re2o_service_password }}"
+      service_user: "{{ vault.re2o_service_user }}"
+      service_password: "{{ vault.re2o_service_password }}"
     mail_server: smtp.adm.crans.org
   roles:
     - re2o-services

roles/borgbackup-client/templates/borgmatic/config.yaml.j2

@@ -27,7 +27,7 @@ location:
     borgmatic_source_directory: /tmp/borgmatic
 
 storage:
-    encryption_passphrase: {{ vault_borgbackup_passwd }}
+    encryption_passphrase: {{ vault.borgbackup_passwd }}
     ssh_command: ssh -i /etc/borgmatic/id_ed25519_borg
     borg_base_directory: /etc/borgmatic
     borg_config_directory: /etc/borgmatic/config/

roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2

@@ -1 +1 @@
-{{ vault_borgbackup_ssh_privkey }}
+{{ vault.borgbackup_ssh_privkey }}

roles/borgbackup-server/templates/authorized_keys.j2

@@ -1,3 +1,3 @@
 {{ ansible_header | comment }}
 
-command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault_borgbackup_ssh_pubkey }}
+command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault.borgbackup_ssh_pubkey }}

roles/dovecot/templates/dovecot/dovecot-ldap.conf.ext.j2

@@ -25,7 +25,7 @@ uris = {{ ldap.uri }}
 dn = {{ dovecot.ldap_dn }}
 
 # Password for LDAP server, if dn is specified.
-dnpass = {{ vault_dovecot_dnpass }}
+dnpass = {{ vault.dovecot_dnpass }}
 
 # Use SASL binding instead of the simple binding. Note that this changes
 # ldap_version automatically to be 3 if it's lower. Also note that SASL binds

vars_plugins/vault_cranspasswords.ini

@@ -1,6 +0,0 @@
-# Ansible Vault CransPasswords settings
-#
-
-[cranspasswords]
-#: Commande exécutée sur le client pour appeler le script sur le serveur distant.
-server_cmd=/usr/bin/env ssh tealc.adm.crans.org sudo -n /usr/local/bin/cpasswords-server

vars_plugins/vault_cranspasswords.py

@@ -1,139 +0,0 @@
-#!/usr/bin/env python
-
-# (c) 2019 Cr@ns <roots@crans.org>
-# Authors : Alexandre IOOSS <erdnaxe@crans.org>
-# Based on cranspasswords by : Daniel Stan <daniel.stan@crans.org>
-#                             Vincent Le Gallic <legallic@crans.org>
-#
-# This file is part of Cr@ns ansible deployment
-
-"""
-Ansible Vault CransPasswords script.
-========================================
-
-Returns Ansible variables gpg encrypted and stored within cranspasswords.
-See https://gitlab.crans.org/nounous/cranspasswords
-
-Configuration is read from `vault_cranspasswords.ini`.
-"""
-
-import json
-import os
-import subprocess
-import sys
-
-from ansible.errors import AnsibleError, AnsibleParserError
-from ansible.module_utils._text import to_native
-from ansible.module_utils.six.moves import configparser
-from ansible.plugins.vars import BaseVarsPlugin
-
-DOCUMENTATION = '''
-    module: vault_cranspasswords
-    vars: vault_cranspasswords
-    version_added: "2.7"
-    short_description: In charge of loading variables stored within cranspasswords
-    description:
-        - Works exactly as a vault, loading variables from cranspasswords.
-        - Decrypts the YAML file `ansible_vault` from cranspasswords.
-        - Loads the secret variables.
-        - Makes use of data caching in order to avoid calling cranspasswords multiple times.
-        - Uses the local gpg key from the user running ansible on the Control node.
-    options: {}
-'''
-
-
-class VarsModule(BaseVarsPlugin):
-    @staticmethod
-    def gpg_decrypt(crypt_text):
-        """
-        Decrypt the text in argument using gpg.
-        """
-        full_command = ['gpg', '-d']
-        proc = subprocess.Popen(full_command,
-                                stdin=subprocess.PIPE,
-                                stdout=subprocess.PIPE,
-                                stderr=sys.stderr,
-                                close_fds=True)
-        proc.stdin.write(crypt_text.encode())
-        proc.stdin.close()
-        clear_text = proc.stdout.read().decode()
-        return clear_text
-
-    def getfile_command(self, filename):
-        """
-        Run the command on the remote cranspasswords server, and return the output.
-        """
-        # Get full command from settings file
-        try:
-            command = self.config.get('cranspasswords', 'server_cmd').split(" ")
-        except configparser.NoSectionError as e:
-            raise AnsibleParserError(to_native(e))
-        command.append("getfiles")
-        proc = subprocess.Popen(
-            command,
-            stdin=subprocess.PIPE,
-            stdout=subprocess.PIPE,
-            stderr=sys.stderr,
-            close_fds=True
-        )
-        proc.stdin.write(json.dumps([filename]).encode())
-        proc.stdin.flush()
-
-        raw_out, raw_err = proc.communicate()
-        ret = proc.returncode
-
-        if ret != 0:
-            raise AnsibleError("Bad return code on the serveur side")
-        try:
-            answer = json.loads(raw_out.strip())
-            return answer[0]
-        except ValueError:
-            raise AnsibleError("Unable to parse the result")
-
-    def get_encrypted(self, filename):
-        """
-        Get encrypted content of a cranspasswords file
-        """
-        gotit, value = self.getfile_command(filename) # if not gotit, value contains the error message
-        if not gotit:
-            raise AnsibleError("Unable to get the file : {}".format(to_native(value)))
-        else:
-            crypt_text = value['contents']
-            return crypt_text
-
-    def __init__(self):
-        super().__init__()
-
-        # Load config
-        self.config = configparser.ConfigParser()
-        self.config.read(os.path.dirname(os.path.realpath(__file__))
-                         + '/vault_cranspasswords.ini')
-
-    def get_vars(self, loader, path, entities):
-        """
-        Get all vars for entities, called by Ansible.
-
-        loader: Ansible's DataLoader.
-        path: Current play's playbook directory.
-        entities: Host or group names pertinent to the variables needed.
-        """
-        # VarsModule objects are called every time you need host vars, per host,
-        # and per group the host is part of.
-        # It is about 6 times per host per task in current state
-        # of Ansible Crans configuration.
-
-        # It is way to much.
-        # So we cache the data into the DataLoader (see parsing/DataLoader).
-
-        super().get_vars(loader, path, entities)
-
-        if 'cranspasswords' not in loader._FILE_CACHE:
-            # Get text then decrypt and return
-            crypt_text = self.get_encrypted('ansible_vault')
-            clear_text = self.gpg_decrypt(crypt_text)
-            data = loader.load(clear_text)
-            loader._FILE_CACHE['cranspasswords'] = data
-        else:
-            data = loader._FILE_CACHE['cranspasswords']
-
-        return data