automate vault password retrieval

.gitignore

@@ -10,18 +10,9 @@ gen
 *.retry
 
 # custom
-inventory.txt
 *.iso
-gitea-db.container
-gitea-srv.container
-nextcloud-db.container
-nextcloud-srv.container
-paperless-db.container
-paperless-srv.container
-bookstack-db.container
-bookstack-srv.container
-sgnarva-srv.container
-sgnarva-db.container
 
 ansible/inventories/production/host_vars/*/vars.yml
 ansible/inventories/production/host_vars/*/vault.yml
+
+ansible/vault-passwords.gpg

ansible/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+nocows=1
+vault_identity_list=podman_hosts@./lookup-secret-client.bash

ansible/lookup-secret-client.bash

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<EOF
+Usage: $0 --vault-id VAULT_ID
+
+Options:
+  --vault-id VALUE   (required) Vault ID to use
+EOF
+  exit 2
+}
+
+VAULT_ID=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --vault-id)
+      shift
+      [[ $# -gt 0 ]] || usage
+      VAULT_ID="$1"
+      shift
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage
+      ;;
+  esac
+done
+
+if [[ -z "$VAULT_ID" ]]; then
+  echo "Error: --vault-id is required" >&2
+  usage
+fi
+
+# Resolve repo root (script location)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR" && pwd)"
+
+VAULT_PASSWORDS_GPG="$REPO_ROOT/vault-passwords.gpg"
+
+# 1. Prefer GPG-encrypted vault-passwords file if present
+if [[ -f "$VAULT_PASSWORDS_GPG" ]]; then
+  PASSWORD="$(
+    gpg --quiet --decrypt "$VAULT_PASSWORDS_GPG" \
+    | awk -v id="$VAULT_ID" '$1 == id { print $2; exit }'
+  )"
+
+  if [[ -n "$PASSWORD" ]]; then
+    printf '%s\n' "$PASSWORD"
+    exit 0
+  fi
+
+  echo "Error: Vault ID '$VAULT_ID' not found in vault-passwords.gpg" >&2
+  exit 1
+fi
+
+# 2. Fallback to secret-tool
+PASSWORD="$(secret-tool lookup ansible-vault-id "$VAULT_ID" || true)"
+
+if [[ -n "$PASSWORD" ]]; then
+  printf '%s\n' "$PASSWORD"
+  exit 0
+fi
+
+echo "Error: No password found for vault ID '$VAULT_ID'" >&2
+exit 1