community.general.passwordstore (8.5.0) — lookup

manage passwords with passwordstore.org's pass utility

Authors: Patrick Deelman <patrick@patrickdeelman.nl>

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

Enables Ansible to retrieve, create or update passwords from the passwordstore.org pass utility. It can also retrieve YAML-style keys stored as multiple lines in the password file.

To avoid problems when accessing multiple secrets at once, add C(auto-expand-secmem) to C(~/.gnupg/gpg-agent.conf). Where this is not possible, consider using O(lock=readwrite) instead.

Inputs

    
lock:
    choices:
    - readwrite
    - write
    - none
    default: write
    description:
    - How to synchronize operations.
    - The default of V(write) only synchronizes write operations.
    - V(readwrite) synchronizes all operations (including read). This makes sure that
      gpg-agent is never called in parallel.
    - V(none) does not do any synchronization.
    ini:
    - key: lock
      section: passwordstore_lookup
    type: str
    version_added: 4.5.0
    version_added_collection: community.general

umask:
    description:
    - Sets the umask for the created .gpg files. The first octet must be greater than
      3 (user readable).
    - Note pass' default value is V('077').
    env:
    - name: PASSWORD_STORE_UMASK
    version_added: 1.3.0
    version_added_collection: community.general

_terms:
    description: query key.
    required: true

backup:
    default: false
    description: Used with O(overwrite=true). Backup the previous password in a subkey.
    type: bool

create:
    default: false
    description: Create the password if it does not already exist. Takes precedence over
      O(missing).
    type: bool

length:
    default: 16
    description: The length of the generated password.
    type: integer

subkey:
    default: password
    description: Return a specific subkey of the password. When set to V(password), always
      returns the first line.
    type: str

backend:
    choices:
    - pass
    - gopass
    default: pass
    description:
    - Specify which backend to use.
    - Defaults to V(pass), passwordstore.org's original pass utility.
    - V(gopass) support is incomplete.
    ini:
    - key: backend
      section: passwordstore_lookup
    type: str
    vars:
    - name: passwordstore_backend
    version_added: 5.2.0
    version_added_collection: community.general

missing:
    choices:
    - error
    - warn
    - empty
    - create
    default: error
    description:
    - Preference for what to do if the password file is missing.
    - If O(create=true), the value for this option is ignored and assumed to be V(create).
    - If set to V(error), the lookup will error out if the passname does not exist.
    - If set to V(create), the passname will be created with the provided length O(length)
      if it does not exist.
    - If set to V(empty) or V(warn), will return a V(none) in case the passname does not
      exist. When using C(lookup) and not C(query), this will be translated to an empty
      string.
    type: str
    version_added: 3.1.0
    version_added_collection: community.general

preserve:
    default: true
    description: Include the old (edited) password inside the pass file.
    type: bool
    version_added: 8.1.0
    version_added_collection: community.general

userpass:
    description: Specify a password to save, instead of a generated one.
    type: str

directory:
    description:
    - The directory of the password store.
    - If O(backend=pass), the default V(~/.password-store) is used.
    - If O(backend=gopass), then the default is the C(path) field in C(~/.config/gopass/config.yml),
      falling back to V(~/.local/share/gopass/stores/root) if C(path) is not defined in
      the gopass config.
    env:
    - name: PASSWORD_STORE_DIR
    type: path
    vars:
    - name: passwordstore

nosymbols:
    default: false
    description: Use only alphanumeric characters.
    type: bool

overwrite:
    default: false
    description: Overwrite the password if it does already exist.
    type: bool

returnall:
    default: false
    description: Return all the content of the password, not only the first line.
    type: bool

timestamp:
    default: true
    description: Add the password generation information to the end of the file.
    type: bool
    version_added: 8.1.0
    version_added_collection: community.general

locktimeout:
    default: 15m
    description:
    - Lock timeout applied when O(lock) is not V(none).
    - Time with a unit suffix, V(s), V(m), V(h) for seconds, minutes, and hours, respectively.
      For example, V(900s) equals V(15m).
    - Correlates with C(pinentry-timeout) in C(~/.gnupg/gpg-agent.conf), see C(man gpg-agent)
      for details.
    ini:
    - key: locktimeout
      section: passwordstore_lookup
    type: str
    version_added: 4.5.0
    version_added_collection: community.general

Outputs

_raw:
  description:
  - a password
  elements: str
  type: list
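
Example (added here, not part of the collection's own documentation): a playbook that combines the options listed under Inputs for strict reads, optional reads and rotation. The entry names under `example/` and the fact names are constructed placeholders.

```yaml
# Added example; entry names under "example/" and fact names are constructed.
- name: Read and rotate secrets through the passwordstore lookup
  hosts: localhost
  gather_facts: false
  tasks:
    # missing='error' (the default) stops the play on a mistyped entry name
    # instead of continuing with an empty secret. lock='readwrite' keeps
    # gpg-agent from being called in parallel.
    - name: Read an existing password (first line of the entry)
      ansible.builtin.set_fact:
        db_password: >-
          {{ lookup('community.general.passwordstore', 'example/db',
                    missing='error', lock='readwrite', locktimeout='5m') }}
      no_log: true

    - name: Read a YAML-style key stored on a later line of the same entry
      ansible.builtin.set_fact:
        db_user: >-
          {{ lookup('community.general.passwordstore', 'example/db',
                    subkey='user', lock='readwrite') }}
      no_log: true

    # With lookup(), missing='empty' yields an empty string, so test for it
    # before using the value.
    - name: Read an optional secret
      ansible.builtin.set_fact:
        api_token: >-
          {{ lookup('community.general.passwordstore', 'example/api-token',
                    missing='empty') }}
      no_log: true

    - name: Report that the optional secret is absent
      ansible.builtin.debug:
        msg: "example/api-token is not in the store; skipping API configuration"
      when: api_token | length == 0

    # set_fact evaluates the lookup once. An overwrite=true lookup placed in a
    # play-level var would generate a new password on every reference.
    - name: Rotate an existing password, keeping the previous value in a subkey
      ansible.builtin.set_fact:
        rotated_password: >-
          {{ lookup('community.general.passwordstore', 'example/service',
                    overwrite=true, backup=true, length=32) }}
      no_log: true
```

`no_log: true` keeps the returned secrets out of task output and logs. The `lock` and `locktimeout` values can instead be set once in the `passwordstore_lookup` section of the Ansible configuration file.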