# Ansible KeePass Lookup Plugin

From a security viewpoint, this solution is perhaps no different from `ansible-vault`.
But if you already store your secrets in KeePass, why not use it directly
instead of duplicating them into `ansible-vault`.

## Installation

Dependency: `pykeepass`

```bash
pip install pykeepass --user
mkdir -p ~/.ansible/plugins/lookup && cd "$_"
curl https://raw.githubusercontent.com/viczem/ansible-keepass/master/keepass.py -o ./keepass.py
```

[More about Ansible plugin installation](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html)

## Variables

- `keepass_dbx` - path to the KeePass file
- `keepass_psw` - password [*optional* if the socket is used]
- `keepass_key` - [*optional*] path to the key file

## Usage

For global variables, define them once in `group_vars/all`.

For security reasons, do not store the KeePass password in plain text.
Use `ansible-vault encrypt_string` to encrypt the password.
I'm not sure, but I think that for simplicity
it is safe to use the same `ansible-vault` password as the KeePass password.
To decrypt the password use `--ask-vault-pass`,
e.g. `ansible all -m ping --ask-vault-pass`.

```yaml
# file: group_vars/all

keepass_dbx: "~/.keepass/database.kdbx"
keepass_psw: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    ...
```

### Alternative usage with UNIX socket

> _This usage is preferred for performance reasons,
> because the KeePass file stays decrypted and does not need to be reopened after each playbook task
> [(see the issue for more info)](https://github.com/viczem/ansible-keepass/issues/1)_

In this case, there is no need to enter a password for KeePass each time Ansible is called.
Start the socket with the command below, then enter the password to open the KeePass file.

```bash
python kpsock.py ~/.keepass/database.kdbx
```

The command creates a UNIX socket in the system temp directory. Only one socket

> **WARNING**: The KeePass file and password stay decrypted in memory while the socket is open.

The socket timeout is 1 minute since the last access (it is closed automatically when not used).
To change the timeout use the `--ttl` argument.
For logging requests to a file use `--log` (the default `--log-level` is `INFO`).

For help: `python kpsock.py --help`

To send the running command to the background press <kbd>CTRL</kbd>+<kbd>Z</kbd> and execute `bg`
(`fg` to get the job into the foreground again).

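The socket design described above, as an added illustration that is not the project's `kpsock.py`: a minimal UNIX-socket server that answers entry lookups from an in-memory stand-in for the opened database, restricts the socket to the owning user, and shuts down after `ttl` seconds without a request, so the decrypted data does not outlive its use. The request format (`entry<TAB>attribute`), the class and function names and the sample entries are assumptions; the real daemon's protocol is not described on this page.

```python
import os
import socket
import tempfile
import threading
import time

# Constructed stand-in for the opened KeePass database (entry path -> attributes).
# The real kpsock.py would hold a pykeepass database here instead.
SAMPLE_DB = {"path/to/entry": {"username": "deploy", "password": "constructed-s3cret"}}


class KeePassSocketServer:
    """Serve entry attributes over a UNIX socket until idle for `ttl` seconds."""

    def __init__(self, db, ttl=60.0):
        self.db, self.ttl, self.closed = db, ttl, False
        self.path = os.path.join(tempfile.mkdtemp(), "kpsock.sock")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(self.path)
        os.chmod(self.path, 0o600)   # only the owning user may query the open database
        self.sock.listen(1)
        self.sock.settimeout(0.1)    # poll so the idle check runs even without clients
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        last_access = time.monotonic()
        while time.monotonic() - last_access < self.ttl:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                last_access = time.monotonic()        # any request resets the idle timer
                entry, _, attr = conn.recv(4096).decode().strip().partition("\t")
                value = self.db.get(entry, {}).get(attr)
                conn.sendall(value.encode() if value is not None else b"ERROR: not found")
        # TTL expired: drop the decrypted data, close and remove the socket
        self.db = None
        self.sock.close()
        os.unlink(self.path)
        self.closed = True


def lookup(sock_path, entry, attr):
    """Client side: what a lookup plugin would do instead of reopening the .kdbx file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(sock_path)
        client.sendall(f"{entry}\t{attr}\n".encode())
        return client.recv(4096).decode()
```

Each lookup resets the idle timer, so a playbook that keeps calling the plugin keeps the database open, while a forgotten socket expires on its own.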
## Example

Define the variables you need, e.g. in any file in `group_vars`:

```yaml
ansible_user: "{{ lookup('keepass', 'path/to/entry', 'username') }}"
ansible_become_pass: "{{ lookup('keepass', 'path/to/entry', 'password') }}"
```

You can get other [properties of a KeePass entry](https://github.com/pschmitt/pykeepass/blob/master/pykeepass/entry.py)
(not only `username` or `password`).

`ansible-doc -t lookup keepass` - to get the description of the plugin