ansible-keepass/README.md

# Ansible KeePass Lookup Plugin

This collection provides plugins that allows to read data from KeePass file (modifying is not supported)

## How it works

The lookup plugin opens a UNIX socket with decrypted KeePass file.
For performance reasons, decryption occurs only once at socket startup,
and the KeePass file remains decrypted as long as the socket is open.
The UNIX socket file is stored in a temporary folder according to OS.

## Installation

Requirements: `python 3`, `pykeepass==4.0.3`

    pip install 'pykeepass==4.0.3' --user
    ansible-galaxy collection install viczem.keepass


## Variables

- `keepass_dbx` - path to KeePass file
- `keepass_psw` - *Optional*. Password (required if `keepass_key` is not set)
- `keepass_key` - *Optional*. Path to keyfile (required if `keepass_psw` is not set)
- `keepass_ttl` - *Optional*. Socket TTL (will be closed automatically when not used).
Default 60 seconds.

## Environment Variables

If you want to use ansible-keepass with continuous integration, it could be helpful not to use ansible variables but Shell environment variables.

- `ANSIBLE_KEEPASS_PSW` Password
- `ANSIBLE_KEEPASS_KEY` Path to keyfile
- `ANSIBLE_KEEPASS_TTL` Socket TTL
- `ANSIBLE_KEEPASS_SOCKET` Path to Keepass Socket

The environment variables will only be used, if no ansible variable is set.

You can than start the socket in another background process like this
```sh
export ANSIBLE_KEEPASS_PSW=mySecret
export ANSIBLE_KEEPASS_SOCKET=/home/build/.my-ansible-sock.${CI_JOB_ID}
export ANSIBLE_TTL=600 # 10 Minutes
/home/build/ansible-pyenv/bin/python3 /home/build/.ansible/roles/ansible_collections/viczem/keepass/plugins/lookup/keepass.py /path-to/my-keepass.kdbx &
ansible-playbook -v playbook1.yml
ansible-playbook -v playbook2.yml

```

## Usage

`ansible-doc -t lookup keepass` to get description of the plugin

> **WARNING**: For security reasons, do not store KeePass passwords in plain text.
Use `ansible-vault encrypt_string` to encrypt it and use it like below

    # file: group_vars/all

    keepass_dbx: "~/.keepass/database.kdbx"
    keepass_psw: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...encrypted password...

### Examples

More examples see in [/docs/examples](/docs/examples).

#### Lookup

    ansible_user             : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'username') }}"
    ansible_become_pass      : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'password') }}"
    custom_field             : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'custom_properties', 'a_custom_property_name') }}"
    attachment               : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'attachments', 'a_file_name') }}"

#### Module
    - name: "Export file: attachment.txt"
        viczem.keepass.attachment:
          database: "{{ keepass_dbx }}"
          password: "{{ keepass_psw }}"
          entrypath: example/attachments
          attachment: "attachment.txt"
          dest: "{{ keepass_attachment_1_name }}"

## Contributing

See [/docs/contributing](docs/contributing).
Initial commit 2019-03-13 16:09:06 +01:00			`# Ansible KeePass Lookup Plugin`

docs: Update docs and refactor doc to docs 2022-08-15 00:57:21 +02:00			`This collection provides plugins that allows to read data from KeePass file (modifying is not supported)`
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00
			`## How it works`

Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00			`The lookup plugin opens a UNIX socket with decrypted KeePass file.`
			`For performance reasons, decryption occurs only once at socket startup,`
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`and the KeePass file remains decrypted as long as the socket is open.`
			`The UNIX socket file is stored in a temporary folder according to OS.`
Initial commit 2019-03-13 16:09:06 +01:00
			`## Installation`

Fix versions 2022-08-09 00:50:25 +02:00			Requirements: `python 3`, `pykeepass==4.0.3`
Fix kpsock and add logging kpsock.py: - Add logging - Fix AF_UNIX path too long - Prevent to open socket > 1 - Some code improvements 2020-03-06 13:02:54 +01:00
Fix versions 2022-08-09 00:50:25 +02:00			`pip install 'pykeepass==4.0.3' --user`
Fix linting. Fix collection structure 2022-08-09 13:39:08 +02:00			`ansible-galaxy collection install viczem.keepass`
Initial commit 2019-03-13 16:09:06 +01:00

			`## Variables`

Multiple entries with one file open 2019-05-05 00:48:52 +02:00			- `keepass_dbx` - path to KeePass file
Fix #33 Password shall not be mandatory for opening the db 2022-10-22 12:43:48 +02:00			- `keepass_psw` - Optional. Password (required if `keepass_key` is not set)
			- `keepass_key` - Optional. Path to keyfile (required if `keepass_psw` is not set)
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00			- `keepass_ttl` - Optional. Socket TTL (will be closed automatically when not used).
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`Default 60 seconds.`
Add alternative usage with UNIX socket 2019-03-21 11:49:33 +01:00
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00			`## Environment Variables`

Fix typo 2023-01-10 06:38:08 +01:00			`If you want to use ansible-keepass with continuous integration, it could be helpful not to use ansible variables but Shell environment variables.`
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00
			- `ANSIBLE_KEEPASS_PSW` Password
			- `ANSIBLE_KEEPASS_KEY` Path to keyfile
			- `ANSIBLE_KEEPASS_TTL` Socket TTL
			- `ANSIBLE_KEEPASS_SOCKET` Path to Keepass Socket

Fix typo 2023-01-10 06:38:08 +01:00			`The environment variables will only be used, if no ansible variable is set.`
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00
Fix typo 2023-01-10 06:38:08 +01:00			`You can than start the socket in another background process like this`
			```sh
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00			`export ANSIBLE_KEEPASS_PSW=mySecret`
			`export ANSIBLE_KEEPASS_SOCKET=/home/build/.my-ansible-sock.${CI_JOB_ID}`
			`export ANSIBLE_TTL=600 # 10 Minutes`
			`/home/build/ansible-pyenv/bin/python3 /home/build/.ansible/roles/ansible_collections/viczem/keepass/plugins/lookup/keepass.py /path-to/my-keepass.kdbx &`
			`ansible-playbook -v playbook1.yml`
			`ansible-playbook -v playbook2.yml`

			```
Fix Readme 2020-05-05 12:46:37 +02:00
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`## Usage`
Add alternative usage with UNIX socket 2019-03-21 11:49:33 +01:00
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`ansible-doc -t lookup keepass` to get description of the plugin
Add alternative usage with UNIX socket 2019-03-21 11:49:33 +01:00
Add Bash/Shell environment variables for better ci integration 2023-01-06 15:57:09 +01:00			`> WARNING: For security reasons, do not store KeePass passwords in plain text.`
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			Use `ansible-vault encrypt_string` to encrypt it and use it like below
Add alternative usage with UNIX socket 2019-03-21 11:49:33 +01:00
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`# file: group_vars/all`
Fix kpsock and add logging kpsock.py: - Add logging - Fix AF_UNIX path too long - Prevent to open socket > 1 - Some code improvements 2020-03-06 13:02:54 +01:00
Add pykeepass==4.0.1 - Replace socket data format from json to plain text - Fix fetching entities contains slashes in path - Move code into one file (socket opening by the plugin) 2022-05-26 08:03:17 +02:00			`keepass_dbx: "~/.keepass/database.kdbx"`
			`keepass_psw: !vault \|`
			`$ANSIBLE_VAULT;1.1;AES256`
			`...encrypted password...`
Initial commit 2019-03-13 16:09:06 +01:00
Fix README 2022-08-20 13:47:07 +02:00			`### Examples`

			`More examples see in [/docs/examples](/docs/examples).`

			`#### Lookup`
Initial commit 2019-03-13 16:09:06 +01:00
Update documentation according to the collection previously created. 2022-07-09 18:20:50 +02:00			`ansible_user : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'username') }}"`
			`ansible_become_pass : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'password') }}"`
Add example 2022-08-13 15:04:52 +02:00			`custom_field : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'custom_properties', 'a_custom_property_name') }}"`
			`attachment : "{{ lookup('viczem.keepass.keepass', 'path/to/entry', 'attachments', 'a_file_name') }}"`
Fix README 2022-08-20 13:47:07 +02:00
			`#### Module`
docs: Update docs and refactor doc to docs 2022-08-15 00:57:21 +02:00			`- name: "Export file: attachment.txt"`
			`viczem.keepass.attachment:`
			`database: "{{ keepass_dbx }}"`
			`password: "{{ keepass_psw }}"`
			`entrypath: example/attachments`
			`attachment: "attachment.txt"`
			`dest: "{{ keepass_attachment_1_name }}"`

			`## Contributing`
Initial commit 2019-03-13 16:09:06 +01:00
Fix README 2022-08-20 13:47:07 +02:00			`See [/docs/contributing](docs/contributing).`