Migrate Ansible op calls to op read URI syntax (#125)

## Summary - Convert all 12 `op item get ... --fields ... --reveal` calls in Ansible to the newer `op read "op://vault/item/field"` syntax - Remove the `regex_replace` workaround on the Fly deploy token (no longer needed since `op read` returns clean unquoted values) - Covers `ansible/playbooks/indri.yml`, `ansible/roles/caddy/tasks/main.yml`, `ansible/roles/jellyfin_metrics/tasks/main.yml`, and `ansible/roles/alloy/tasks/main.yml` ## Test plan - [x] `mise run provision-indri -- --check --diff` dry run passes (ok=67, failed=0) - [x] No `op item get` calls remain in `ansible/` directory - [x] All pre-commit hooks pass (yaml, ansible-lint, TruffleHog, etc.) - [ ] Full provision run after merge to confirm secrets resolve correctly 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/125
2026-02-08 10:52:43 -08:00 · 2026-02-08 10:52:43 -08:00 · 7f41621c7f
commit 7f41621c7f
parent 234c46c302
5 changed files with 14 additions and 15 deletions
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@ -8,7 +8,7 @@
  pre_tasks:
    - name: Fetch borgmatic database password
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mw2bv5we7woicjza7hc6s44yvy --fields db-password --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password"
      delegate_to: localhost
      register: _borgmatic_db_pw
      changed_when: false
@ -25,7 +25,7 @@
    # Forgejo secrets
    - name: Fetch forgejo LFS JWT secret
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields lfs-jwt-secret --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/lfs-jwt-secret"
      delegate_to: localhost
      register: _forgejo_lfs_jwt
      changed_when: false
@ -35,7 +35,7 @@
    - name: Fetch forgejo internal token
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields internal-token --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/internal-token"
      delegate_to: localhost
      register: _forgejo_internal_token
      changed_when: false
@ -45,7 +45,7 @@
    - name: Fetch forgejo OAuth2 JWT secret
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields oauth2-jwt-secret --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/oauth2-jwt-secret"
      delegate_to: localhost
      register: _forgejo_oauth2_jwt
      changed_when: false
@ -64,7 +64,7 @@
    # Forgejo Actions secrets (synced to Forgejo via API)
    - name: Fetch Forgejo API token
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields api-token --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
      delegate_to: localhost
      register: _forgejo_api_token
      changed_when: false
@ -74,7 +74,7 @@
    - name: Fetch ArgoCD auth token for Forgejo Actions
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields argocd_token --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/argocd_token"
      delegate_to: localhost
      register: _forgejo_argocd_token
      changed_when: false
@ -84,7 +84,7 @@
    - name: Fetch Fly.io deploy token for Forgejo Actions
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get on5slfaygtdjrxmdwezyhfmqsq --fields deploy-token --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/on5slfaygtdjrxmdwezyhfmqsq/deploy-token"
      delegate_to: localhost
      register: _fly_deploy_token
      changed_when: false
@ -96,14 +96,14 @@
      ansible.builtin.set_fact:
        forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
        forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
-        forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout | regex_replace('^\"|\"$', '') }}"
+        forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
      no_log: true
      tags: [forgejo_actions_secrets]
    # Caddy Gandi token for ACME DNS-01 challenges
    - name: Fetch Gandi PAT for Caddy
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
      delegate_to: localhost
      register: _caddy_gandi_token
      changed_when: false
@ -120,7 +120,7 @@
    # Jellyfin API key for metrics collection
    - name: Fetch Jellyfin API key
      ansible.builtin.command:
-        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
      delegate_to: localhost
      register: _jellyfin_metrics_api_key
      changed_when: false
--- a/ansible/roles/alloy/tasks/main.yml
+++ b/ansible/roles/alloy/tasks/main.yml
@ -38,9 +38,7 @@
 - name: Fetch PostgreSQL metrics password from 1Password
  ansible.builtin.command:
-    cmd: >-
+    cmd: op read "op://{{ alloy_op_vault }}/{{ alloy_op_postgres_item }}/{{ alloy_op_postgres_field }}"
      op --vault {{ alloy_op_vault }} item get {{ alloy_op_postgres_item }}
      --fields {{ alloy_op_postgres_field }} --reveal
  delegate_to: localhost
  register: alloy_postgres_password_result
  changed_when: false
--- a/ansible/roles/caddy/tasks/main.yml
+++ b/ansible/roles/caddy/tasks/main.yml
@ -23,7 +23,7 @@
 - name: Fetch Gandi PAT (when running with --tags caddy)
  ansible.builtin.command:
-    cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
+    cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
  delegate_to: localhost
  register: _caddy_gandi_token_fallback
  changed_when: false
--- a/ansible/roles/jellyfin_metrics/tasks/main.yml
+++ b/ansible/roles/jellyfin_metrics/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Fetch Jellyfin API key (when running with --tags jellyfin_metrics)
  ansible.builtin.command:
-    cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+    cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
  delegate_to: localhost
  register: jellyfin_metrics_api_key_fallback
  changed_when: false
--- a/docs/changelog.d/op-read-migration.infra.md
+++ b/docs/changelog.d/op-read-migration.infra.md
@ -0,0 +1 @@
 Migrate all Ansible `op item get` calls to `op read` URI syntax for cleaner output and remove the `regex_replace` workaround on the Fly deploy token.
		`@ -0,0 +1 @@`
							Migrate all Ansible `op item get` calls to `op read` URI syntax for cleaner output and remove the `regex_replace` workaround on the Fly deploy token.