ansible: use admin as default remote user

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-03 10:53:58 +00:00 · 2025-01-21 22:22:59 +01:00 · 2025-01-21 22:22:59 +01:00 · df5073454b
commit df5073454b
parent 7d204f4c33
3 changed files with 37 additions and 14 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,6 +1,7 @@
 [defaults]
 forks = 30
 timeout = 30
+remote_user = admin
 inventory = ./ansible/terraform.py
 callback_plugins = ./ansible/callback_plugins
 lookup_plugins = ./ansible/lookup_plugins
--- a/ansible/filter_plugins/get_user_passwords.py
+++ b/ansible/filter_plugins/get_user_passwords.py
@ -0,0 +1,19 @@
+#!/usr/bin/env python
+from ansible.errors import AnsibleError
+from ansible.plugins.loader import lookup_loader
+
+class FilterModule(object):
+    def filters(self):
+        return { 'get_user_passwords': self.get_user_passwords }
+
+    def get_user_passwords(self, users):
+        vault = lookup_loader.get('vault')
+        variables = { 'env': 'all', 'stage': 'all' }
+        get_pass = lambda name: vault.run(terms=["users"], field=name, variables=variables)
+        rval = {}
+        for user in users:
+            try:
+                rval[user['name']] = get_pass(user['name'])[0]
+            except AnsibleError as err:
+                continue # Allow for users without passwords
+        return rval
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1,16 +1,24 @@
 ---
-# Root password
-bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
+# Passwords
+ansible_become_password:            '{{lookup("passwordstore", "hosts/admin-pass")}}'
+bootstrap__active_users_passwords:  '{{ bootstrap__active_users | get_user_passwords }}'
+bootstrap__admin_pass:              '{{lookup("vault", "users",             field="admin",              env="all", stage="all")}}'
+bootstrap__root_pass:               '{{lookup("vault", "users",             field="root",               env="all", stage="all")}}'
 # Consul
-bootstrap__consul_encryption_key:   '{{lookup("bitwarden", "consul/cluster", field="encryption-key")}}'
-bootstarp__consul_agent_acl_token:  '{{lookup("bitwarden", "consul/acl-tokens", field="agent-default")}}'
-bootstrap__consul_certs_ca_crt:     '{{lookup("bitwarden", "consul/certs",      file="ca.pem")}}'
-bootstrap__consul_certs_client_crt: '{{lookup("bitwarden", "consul/certs",      file="client.pem")}}'
-bootstrap__consul_certs_client_key: '{{lookup("bitwarden", "consul/certs",      file="client-key.pem")}}'
+bootstrap__consul_encryption_key:   '{{lookup("vault", "consul/config",     field="encryption-key",     env="all", stage="all")}}'
+bootstarp__consul_agent_acl_token:  '{{lookup("vault", "consul/acl-tokens", field="agent-default",      env="all", stage="all")}}'
+bootstrap__consul_certs_ca_crt:     '{{lookup("vault", "consul/certs",      field="ca.pem",             env="all", stage="all")}}'
+bootstrap__consul_certs_client_crt: '{{lookup("vault", "consul/certs",      field="client.pem",         env="all", stage="all")}}'
+bootstrap__consul_certs_client_key: '{{lookup("vault", "consul/certs",      field="client-key.pem",     env="all", stage="all")}}'
+# Vault certificate
+bootstrap__vault_ca_cert:           '{{ lookup("passwordstore", "services/vault/certs/root-ca/cert returnall=true")}}'
+bootstrap__vault_client_cert:       '{{ lookup("passwordstore", "services/vault/certs/client-host/cert returnall=true")}}'
+bootstrap__vault_client_key:        '{{ lookup("passwordstore", "services/vault/certs/client-host/privkey returnall=true")}}'
 # SSHGuard
-bootstrap__sshguard_whitelist_extra: ['{{lookup("bitwarden", "sshguard/whitelist", field="jakubgs-home")}}']
+bootstrap__sshguard_whitelist_extra: ['{{lookup("vault", "sshguard/whitelist",    field="jakubgs-home", env="all", stage="all")}}']
+
 # Wireguard
-wireguard_consul_acl_token: '{{lookup("bitwarden", "consul/acl-tokens", field="wireguard")}}'
+wireguard_consul_acl_token:         '{{lookup("vault", "consul/acl-tokens", field="wireguard",          env="all", stage="all")}}'

 # Volume of Trace level logs is too high and fills up ES cluster.
 bootstrap__rsyslog_filter_rules: ['TRC']
@ -20,8 +28,3 @@ bootstrap__docker_registries:
  - url:      'https://harbor.status.im'
    username: 'robot$wakuorg+infra-status'
    password: '{{ lookup("bitwarden", "harbor-robot", field="robot$wakuorg+infra-status") }}'
-
-# Vault certificate
-bootstrap__vault_ca_cert:           '{{ lookup("passwordstore", "services/vault/certs/root-ca/cert returnall=true")}}'
-bootstrap__vault_client_cert:       '{{ lookup("passwordstore", "services/vault/certs/client-host/cert returnall=true")}}'
-bootstrap__vault_client_key:        '{{ lookup("passwordstore", "services/vault/certs/client-host/privkey returnall=true")}}'