diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 9a015b3..bde198e 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -8,7 +8,7 @@
 pre_tasks:
 - name: Fetch borgmatic database password
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mw2bv5we7woicjza7hc6s44yvy --fields db-password --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password"
 delegate_to: localhost
 register: _borgmatic_db_pw
 changed_when: false
@@ -25,7 +25,7 @@
 # Forgejo secrets
 - name: Fetch forgejo LFS JWT secret
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields lfs-jwt-secret --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/lfs-jwt-secret"
 delegate_to: localhost
 register: _forgejo_lfs_jwt
 changed_when: false
@@ -35,7 +35,7 @@
 - name: Fetch forgejo internal token
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields internal-token --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/internal-token"
 delegate_to: localhost
 register: _forgejo_internal_token
 changed_when: false
@@ -45,7 +45,7 @@
 - name: Fetch forgejo OAuth2 JWT secret
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields oauth2-jwt-secret --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/oauth2-jwt-secret"
 delegate_to: localhost
 register: _forgejo_oauth2_jwt
 changed_when: false
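Review bot: Each of the four `Fetch …` command tasks in this file section registers the secret itself in `stdout` (`_borgmatic_db_pw`, `_forgejo_lfs_jwt`, `_forgejo_internal_token`, `_forgejo_oauth2_jwt`), and every hunk ends at `changed_when: false`, so whether the task also carries `no_log: true` is not visible here; without it the registered result, secret included, is printed at `-v` and reaches any callback plugin or log collector. If it is not already present, add `no_log: true` next to `changed_when: false` on every fetch task; the same applies to the hunks at -64, -74, -84, -96 and -120 of this file and to the alloy, caddy and jellyfin_metrics role tasks. Separately, the vault id `vg6xf6vvfmoh5hqjjhlhbeoaie` is now repeated in every `op://` reference in this playbook while the alloy role reads it from `alloy_op_vault`; a play-level var and `cmd: op read "op://{{ op_vault }}/mw2bv5we7woicjza7hc6s44yvy/db-password"` would keep the vault in one place.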
@@ -64,7 +64,7 @@
 # Forgejo Actions secrets (synced to Forgejo via API)
 - name: Fetch Forgejo API token
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields api-token --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
 delegate_to: localhost
 register: _forgejo_api_token
 changed_when: false
@@ -74,7 +74,7 @@
 - name: Fetch ArgoCD auth token for Forgejo Actions
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields argocd_token --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/argocd_token"
 delegate_to: localhost
 register: _forgejo_argocd_token
 changed_when: false
@@ -84,7 +84,7 @@
 - name: Fetch Fly.io deploy token for Forgejo Actions
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get on5slfaygtdjrxmdwezyhfmqsq --fields deploy-token --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/on5slfaygtdjrxmdwezyhfmqsq/deploy-token"
 delegate_to: localhost
 register: _fly_deploy_token
 changed_when: false
@@ -96,14 +96,14 @@
 ansible.builtin.set_fact:
 forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
 forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
- forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout | regex_replace('^\"|\"$', '') }}"
+ forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
 no_log: true
 tags: [forgejo_actions_secrets]
 # Caddy Gandi token for ACME DNS-01 challenges
 - name: Fetch Gandi PAT for Caddy
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
 delegate_to: localhost
 register: _caddy_gandi_token
 changed_when: false
@@ -120,7 +120,7 @@
 # Jellyfin API key for metrics collection
 - name: Fetch Jellyfin API key
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
 delegate_to: localhost
 register: _jellyfin_metrics_api_key
 changed_when: false
diff --git a/ansible/roles/alloy/tasks/main.yml b/ansible/roles/alloy/tasks/main.yml
index 1af95f5..90fbf1b 100644
--- a/ansible/roles/alloy/tasks/main.yml
+++ b/ansible/roles/alloy/tasks/main.yml
@@ -38,9 +38,7 @@
 - name: Fetch PostgreSQL metrics password from 1Password
 ansible.builtin.command:
- cmd: >-
- op --vault {{ alloy_op_vault }} item get {{ alloy_op_postgres_item }}
- --fields {{ alloy_op_postgres_field }} --reveal
+ cmd: op read "op://{{ alloy_op_vault }}/{{ alloy_op_postgres_item }}/{{ alloy_op_postgres_field }}"
 delegate_to: localhost
 register: alloy_postgres_password_result
 changed_when: false
diff --git a/ansible/roles/caddy/tasks/main.yml b/ansible/roles/caddy/tasks/main.yml
index 456474c..ca7067d 100644
--- a/ansible/roles/caddy/tasks/main.yml
+++ b/ansible/roles/caddy/tasks/main.yml
@@ -23,7 +23,7 @@
 - name: Fetch Gandi PAT (when running with --tags caddy)
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
 delegate_to: localhost
 register: _caddy_gandi_token_fallback
 changed_when: false
diff --git a/ansible/roles/jellyfin_metrics/tasks/main.yml b/ansible/roles/jellyfin_metrics/tasks/main.yml
index 8cbe412..f7ecb31 100644
--- a/ansible/roles/jellyfin_metrics/tasks/main.yml
+++ b/ansible/roles/jellyfin_metrics/tasks/main.yml
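Review bot: The caddy role's fallback task fetches the literal reference `op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat`, which is the same string the playbook's `Fetch Gandi PAT for Caddy` task carries, and the jellyfin_metrics role's fallback (next file) repeats the playbook's Jellyfin reference the same way, so a rotated or moved item has to be edited in two places and the copies can drift. The alloy hunk above is the better shape: it builds the reference from `alloy_op_vault`, `alloy_op_postgres_item` and `alloy_op_postgres_field`, so role and playbook cannot disagree. Moving the caddy and jellyfin references into role defaults (for example `caddy_op_vault`, `caddy_op_item`, `caddy_op_field`) and writing `cmd: op read "op://{{ caddy_op_vault }}/{{ caddy_op_item }}/{{ caddy_op_field }}"` in both the role and the playbook task would remove the duplication. On the alloy line itself, a comment such as `# op read resolves op://<vault>/<item>/<field> and prints the field value without the quoting that item get --fields applied` would record why the folded `--fields … --reveal` form was dropped.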
@@ -1,7 +1,7 @@
 ---
 - name: Fetch Jellyfin API key (when running with --tags jellyfin_metrics)
 ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
+ cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
 delegate_to: localhost
 register: jellyfin_metrics_api_key_fallback
 changed_when: false
diff --git a/docs/changelog.d/op-read-migration.infra.md b/docs/changelog.d/op-read-migration.infra.md
new file mode 100644
index 0000000..ef52282
--- /dev/null
+++ b/docs/changelog.d/op-read-migration.infra.md
@@ -0,0 +1 @@
+Migrate all Ansible `op item get` calls to `op read` URI syntax for cleaner output and remove the `regex_replace` workaround on the Fly deploy token.