From 8a1a56aaa8ac72c9554820fffd4544e397b7def8 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Fri, 30 Jan 2026 16:17:35 -0800
Subject: [PATCH] Add 1Password integration for Jellyfin API key

- Add pre_task to fetch API key from 1Password
- Update jellyfin_metrics role to write API key file
- Include fallback fetch for --tags jellyfin_metrics runs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 ansible/playbooks/indri.yml                   | 17 ++++++++++++++
 ansible/roles/jellyfin_metrics/tasks/main.yml | 23 +++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 442f9f8..fdbf082 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -78,6 +78,23 @@
       no_log: true
       tags: [caddy]
 
+    # Jellyfin API key for metrics collection
+    - name: Fetch Jellyfin API key
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+      delegate_to: localhost
+      register: _jellyfin_metrics_api_key
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [jellyfin_metrics]
+
+    - name: Set Jellyfin API key fact
+      ansible.builtin.set_fact:
+        jellyfin_metrics_api_key: "{{ _jellyfin_metrics_api_key.stdout }}"
+      no_log: true
+      tags: [jellyfin_metrics]
+
   roles:
     - role: alloy
       tags: alloy
diff --git a/ansible/roles/jellyfin_metrics/tasks/main.yml b/ansible/roles/jellyfin_metrics/tasks/main.yml
index 54db57a..8cbe412 100644
--- a/ansible/roles/jellyfin_metrics/tasks/main.yml
+++ b/ansible/roles/jellyfin_metrics/tasks/main.yml
@@ -1,4 +1,27 @@
 ---
+- name: Fetch Jellyfin API key (when running with --tags jellyfin_metrics)
+  ansible.builtin.command:
+    cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+  delegate_to: localhost
+  register: jellyfin_metrics_api_key_fallback
+  changed_when: false
+  no_log: true
+  check_mode: false
+  when: jellyfin_metrics_api_key is not defined
+
+- name: Set Jellyfin API key fact (fallback)
+  ansible.builtin.set_fact:
+    jellyfin_metrics_api_key: "{{ jellyfin_metrics_api_key_fallback.stdout }}"
+  no_log: true
+  when: jellyfin_metrics_api_key is not defined
+
+- name: Write Jellyfin API key file
+  ansible.builtin.copy:
+    content: "{{ jellyfin_metrics_api_key }}"
+    dest: "{{ jellyfin_metrics_api_key_file }}"
+    mode: '0600'
+  no_log: true
+
 - name: Ensure bin directory exists
   ansible.builtin.file:
     path: "{{ jellyfin_metrics_script | dirname }}"