#!/usr/bin/env bash
#
# Print the password stored for a given vault ID on stdout.
# Lookup order: a GPG-encrypted vault-passwords.gpg located next to this
# script when that file exists, otherwise secret-tool.
#
# Strict mode: abort on a failing command, on expansion of an unset
# variable, and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail
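#######################################
# Print the usage text and terminate the script.
# Outputs: usage text on stderr. stdout is the channel on which this
#          script delivers the password, so help text is kept off it.
# Returns: never returns; always exits with status 2.
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 --vault-id VAULT_ID

Options:
  --vault-id VALUE   (required) Vault ID to use
EOF
  exit 2
}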
# Vault ID requested on the command line; stays empty until --vault-id is seen.
VAULT_ID=""

# Consume the arguments left to right. Only "--vault-id VALUE" is accepted;
# anything else is reported on stderr and ends in usage (which exits).
while (( $# > 0 )); do
  if [[ "$1" == "--vault-id" ]]; then
    # The flag must be followed by its value.
    (( $# >= 2 )) || usage
    VAULT_ID="$2"
    shift 2
  else
    echo "Unknown argument: $1" >&2
    usage
  fi
done

# An absent or empty vault ID is rejected before any secret store is queried.
[[ -n "$VAULT_ID" ]] || {
  echo "Error: --vault-id is required" >&2
  usage
}
# Absolute path of the directory holding this script; the same directory is
# used as the repository root.
SCRIPT_DIR="$(
  cd "$(dirname "${BASH_SOURCE[0]}")" && pwd
)"
REPO_ROOT="$(
  cd "$SCRIPT_DIR" && pwd
)"

# Encrypted vault ID -> password list expected at the repository root.
VAULT_PASSWORDS_GPG="${REPO_ROOT}/vault-passwords.gpg"
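# 1. Prefer the GPG-encrypted vault-passwords file if present.
#    The decrypted content is only streamed through a pipe into awk; this
#    block never writes it to a file.
#    Line format implied by the lookup: "<vault-id> <password>", separated by
#    whitespace.
#    NOTE(review): only the second field is returned, so a password containing
#    whitespace would be truncated. Confirm the file never holds such values.
if [[ -f "$VAULT_PASSWORDS_GPG" ]]; then
  # awk details:
  #  - Appending "" to both sides forces a string comparison. A bare
  #    `$1 == id` compares numerically when both look like numbers, so an ID
  #    of "1" would also select a line keyed "01" and return its password.
  #  - The first match wins, but the input is read to the end. Exiting awk
  #    early can make gpg fail on a closed pipe, which pipefail would report
  #    as a failure even though the password was found.
  # A failing pipeline is handled explicitly so the operator sees which file
  # was involved; the original exit status is passed on.
  lookup_rc=0
  PASSWORD="$(
    gpg --quiet --decrypt "$VAULT_PASSWORDS_GPG" \
      | awk -v id="$VAULT_ID" '!found && ($1 "") == (id "") { print $2; found = 1 }'
  )" || lookup_rc=$?

  if (( lookup_rc != 0 )); then
    echo "Error: could not decrypt or parse vault-passwords.gpg" >&2
    exit "$lookup_rc"
  fi

  if [[ -n "$PASSWORD" ]]; then
    printf '%s\n' "$PASSWORD"
    exit 0
  fi

  # The file exists but has no usable entry: fail here rather than falling
  # through to the secret-tool lookup.
  echo "Error: Vault ID '$VAULT_ID' not found in vault-passwords.gpg" >&2
  exit 1
fi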
# 2. Fallback: ask secret-tool for the entry stored under the attribute
#    ansible-vault-id=<vault id>. The `|| true` keeps a failed lookup from
#    aborting the script under errexit, so the error below is reported.
PASSWORD="$(secret-tool lookup ansible-vault-id "$VAULT_ID" || true)"

# Nothing came back: report it on stderr and fail.
if [[ -z "$PASSWORD" ]]; then
  echo "Error: No password found for vault ID '$VAULT_ID'" >&2
  exit 1
fi

# Success: the password is the only thing written to stdout.
printf '%s\n' "$PASSWORD"
exit 0