Allows storage of secrets to then be referenced in other places. The motivation was storing WireGuard secrets for systemd-networkd.
# Check every entry of secrets__secrets against the argument spec below
# before anything is written to disk. The defaults declared in the spec are
# documentation only: validate_argument_spec does not rewrite `item`, so the
# task that writes the files re-applies the same defaults with the
# `default` filter.
- name: validate secret configs
  ansible.builtin.validate_argument_spec:
    argument_spec: '{{ required_data }}'
    provided_arguments:
      config: '{{ item }}'
  vars:
    required_data:
      config:
        type: dict
        required: true
        options:
          name:
            type: str
            required: true
          content:
            type: str
            required: true
          # owner/group/mode are optional; `required` defaults to false
          owner:
            type: str
            default: root
          group:
            type: str
            default: root
          mode:
            type: str
            default: "0640"
  loop: '{{ secrets__secrets }}'
  loop_control:
    # show only the secret's name in task output, not the whole item
    label: '{{ item.name }}'
# Parent directory for the secret files. root:root with mode 0750 means
# users outside group root can neither enter nor list it.
- name: ensure secrets directory exists
  become: true
  ansible.builtin.file:
    path: /etc/ansible_secrets
    state: directory
    mode: "0750"
    owner: root
    group: root
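# Write each secret to /etc/ansible_secrets/<name>. Ownership and mode fall
# back to the same defaults the argument spec documents, because
# validate_argument_spec does not apply them to `item`.
- name: ensure secrets are present
  ansible.builtin.copy:
    content: "{{ item.content }}"
    # item.name is interpolated straight into the path; it is expected to be
    # a bare file name (no '/' or '..'). The argument spec does not enforce
    # this, so callers must keep it that way.
    dest: "/etc/ansible_secrets/{{ item.name }}"
    mode: "{{ item.mode | default('0640') }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
  become: true
  # item.content is secret material: keep it out of task results, verbose
  # output and failure messages. The loop label alone only trims the
  # per-item line, it does not censor the module result.
  no_log: true
  loop: "{{ secrets__secrets }}"
  loop_control:
    label: "{{ item.name }}"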