From 8b7b7b677dea302c761405eca4cec4d4219eeea6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 9 Jan 2024 17:25:42 -0600
Subject: [PATCH] nut: Encrypt upsd user passwords with age
Switching from Ansible Vault to age. I've changed the `upsd.users` template somewhat in order to handle the `password` property separately. Now, items in the `nut_users` list are objects with properties instead of lists of objects with properties. The latter was done to support repeating options (`actions` and `instcmds`), but that is more appropriately handled with lists of values. This value is encrypted with the following public key: age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
---
 group_vars/nut/main.yml | 11 ++++++++++-
 group_vars/nut/secrets | 9 ---------
 roles/nut/templates/upsd.users.j2 | 13 ++++++++++---
 3 files changed, 20 insertions(+), 13 deletions(-)
 delete mode 100644 group_vars/nut/secrets
diff --git a/group_vars/nut/main.yml b/group_vars/nut/main.yml
index 1fb426d..93e52f2 100644
--- a/group_vars/nut/main.yml
+++ b/group_vars/nut/main.yml
@@ -1,6 +1,14 @@
 nut_users:
 homeassistant:
- - password: '{{ vault_nut_user_passwords.homeassistant }}'
+ password: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZUZleGt3emxXdDFtcEtN
+ Wll3K0hrS2c2M1oyMWh2VlBnMER0bkZOb1VVCnU3aTI2eVJoV1dKNWxEd0VnbVNa
+ NlMxVWRuZWpNbTJRVUhWR2w3bUlwaEUKLS0tIGZLcGNQRy9LNUF1Y0JzZEZGdXBn
+ bUJjYlBSSEYwRUpwemlMZ0xCZnpTS2cKUFke27YDeTME9OBgEcQdbJ3jsDZS43km
+ tK61kLMcexq3lXQb30gx4fzMuYa0MXFygawscTnxTrOrXUd36Iga4A==
+ -----END AGE ENCRYPTED FILE-----
+
 nut_ups:
 apc1500:
 - driver: usbhid-ups
@@ -18,6 +26,7 @@ nut_ups:
 - product: .*1300G.*
 - pollonly: enabled
 - pollinterval: 1
+
 collectd_nut_ups: >-
 {{
 ["localhost"]
diff --git a/group_vars/nut/secrets b/group_vars/nut/secrets
deleted file mode 100644
index 360e0fa..0000000
--- a/group_vars/nut/secrets
+++ /dev/null
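Review bot: Nothing in `group_vars/nut/main.yml` records which age recipient the new `password` block under `nut_users.homeassistant` is encrypted to; that detail lives only in the commit message. A comment above the key, for example `# age-encrypted to age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz; decrypted at render time by the decrypt filter in upsd.users.j2`, would let whoever rotates the password or the key find the right recipient without digging through history. Deleting `group_vars/nut/secrets` also leaves the vault-encrypted copy in the repository history, so if the password itself was not changed (the patch does not say), it remains only as safe as the old vault passphrase.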
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66336466336337363633626434626631303037636164383464666630653831323638306234666139
-3766656566376662313363393665366436643533643337620a323964376430313764393935316131
-35613030623261353136376638396638383634346237333337303164383935303332366264376535
-6664366136366439300a303931396464353363333562623366663063303562303935323361346335
-65383263376637653539616430306334383637303963323831616632643736333266356661663337
-31383436393137333136323764366334643939643934383135343730316135313739373863643062
-38386136396638323465316161633239323033323336623039633765393865306462313464626563
-33616561666631386437
diff --git a/roles/nut/templates/upsd.users.j2 b/roles/nut/templates/upsd.users.j2
index ae3ebda..34d589a 100644
--- a/roles/nut/templates/upsd.users.j2
+++ b/roles/nut/templates/upsd.users.j2
@@ -1,8 +1,15 @@
 {% for username, settings in nut_users.items() %}
 [{{ username }}]
-{% for setting in settings %}
-{% for key, value in setting|dictsort %}
-{{ key }} = {{ value }}
+{% if settings.password|d(none) is not none %}
+password = {{ settings.password | decrypt }}
+{% endif %}
+{% for action in settings.actions|d([]) %}
+actions = {{ action }}
 {% endfor %}
+{% for instcmds in settings.instcmds|d([]) %}
+instcmds = {{ instcmds }}
 {% endfor %}
+{% if not loop.last %}
+
+{% endif %}
 {% endfor %}
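Review bot: `password = {{ settings.password | decrypt }}` in `roles/nut/templates/upsd.users.j2` writes the decrypted secret into the rendered file, so the plaintext appears wherever the template task's output or diff is shown. The task that deploys this template is not part of the patch; it presumably needs `no_log: true` (or `diff: false`) and a restrictive `mode` and `owner`, otherwise a `--diff` run would print the password. The value is also emitted unquoted, so a password containing whitespace or `#` may not survive parsing of the generated file; this depends on what `decrypt` returns, which is not visible here. Separately, the removed loop emitted every key of a user entry, while the new body renders only `password`, `actions` and `instcmds` and silently drops anything else; a `{# only password, actions and instcmds are rendered; other keys are ignored #}` comment at the top of the loop would make that limit explicit.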