From 8ee249272ad8c8644bd6cbe17c7ea54dd735b432 Mon Sep 17 00:00:00 2001
From: Tobias Petrich
Date: Sat, 27 Dec 2025 17:25:36 +0100
Subject: [PATCH] automate vault password retrieval
---
 .gitignore | 13 +-----
 ansible/ansible.cfg | 3 ++
 ansible/lookup-secret-client.bash | 67 +++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 11 deletions(-)
 create mode 100644 ansible/ansible.cfg
 create mode 100755 ansible/lookup-secret-client.bash
diff --git a/.gitignore b/.gitignore
index 773d481..54fbdf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,18 +10,9 @@ gen *.retry # custom -inventory.txt *.iso -gitea-db.container -gitea-srv.container -nextcloud-db.container -nextcloud-srv.container -paperless-db.container -paperless-srv.container -bookstack-db.container -bookstack-srv.container -sgnarva-srv.container -sgnarva-db.container ansible/inventories/production/host_vars/*/vars.yml ansible/inventories/production/host_vars/*/vault.yml + +ansible/vault-passwords.gpg \ No newline at end of file
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..f706229
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+nocows=1
+vault_identity_list=podman_hosts@./lookup-secret-client.bash
diff --git a/ansible/lookup-secret-client.bash b/ansible/lookup-secret-client.bash
new file mode 100755
index 0000000..3e6b9e5
--- /dev/null
+++ b/ansible/lookup-secret-client.bash
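Review bot: `vault_identity_list=podman_hosts@./lookup-secret-client.bash` gives the password script as a path relative to the working directory rather than to this cfg file, so as far as I can tell it resolves only when ansible is invoked from the `ansible/` directory (which is also where this ansible.cfg is picked up automatically); pointing at the cfg through ANSIBLE_CONFIG from another directory would fail to find the script. A comment above the line, `# path is resolved relative to the working directory: run ansible from this directory`, would record that assumption. It is also the `-client` suffix of the script name that makes Ansible invoke it with `--vault-id podman_hosts` instead of running it bare, which is worth a second comment since renaming the file would silently change how the script is called.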
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+ cat <&2
+ usage
+ ;;
+ esac
+done
+
+if [[ -z "$VAULT_ID" ]]; then
+ echo "Error: --vault-id is required" >&2
+ usage
+fi
+
+# Resolve repo root (script location)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR" && pwd)"
+
+VAULT_PASSWORDS_GPG="$REPO_ROOT/vault-passwords.gpg"
+
+# 1. Prefer GPG-encrypted vault-passwords file if present
+if [[ -f "$VAULT_PASSWORDS_GPG" ]]; then
+ PASSWORD="$(
+ gpg --quiet --decrypt "$VAULT_PASSWORDS_GPG" \
+ | awk -v id="$VAULT_ID" '$1 == id { print $2; exit }'
+ )"
+
+ if [[ -n "$PASSWORD" ]]; then
+ printf '%s\n' "$PASSWORD"
+ exit 0
+ fi
+
+ echo "Error: Vault ID '$VAULT_ID' not found in vault-passwords.gpg" >&2
+ exit 1
+fi
+
+# 2. Fallback to secret-tool
+PASSWORD="$(secret-tool lookup ansible-vault-id "$VAULT_ID" || true)"
+
+if [[ -n "$PASSWORD" ]]; then
+ printf '%s\n' "$PASSWORD"
+ exit 0
+fi
+
+echo "Error: No password found for vault ID '$VAULT_ID'" >&2
+exit 1
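Review bot: The awk in the GPG branch prints only the second whitespace-delimited field, so a vault password that contains a space or tab is silently truncated, and the line format of the decrypted file is documented nowhere; strip the id column instead, `| awk -v id="$VAULT_ID" '$1 == id { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }'`, and add a header comment stating that vault-passwords.gpg holds one `<vault-id> <password>` line per id and that the fallback reads the secret-tool attribute `ansible-vault-id`. `REPO_ROOT="$(cd "$SCRIPT_DIR" && pwd)"` is the same directory as `SCRIPT_DIR`, and since the script lives in `ansible/` (this commit ignores `ansible/vault-passwords.gpg`) the "Resolve repo root" comment is misleading — drop the second variable or name it for the directory it actually holds. The `secret-tool … || true` fallback also folds a missing binary (exit 127) into the generic "No password found" message; a `command -v secret-tool >/dev/null` guard with its own diagnostic would make that case distinguishable. The usage heredoc and the option-parsing `case` between `cat <` and `>&2` appear garbled in this rendering of the hunk and could not be reviewed.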