store secrets with Ansibie Vault

* encrypt secrets.yml as an Ansible Vault
* fetch vault password from Bitwarden cli

Author: chrisx8

Makefile

@@ -1,5 +1,8 @@
+ANSIBLE_VAULT_FLAGS = --vault-password-file files/bw_vault_password.sh
 CERTBOT_SCRIPT = files/certbot.sh
 CERTBOT_WORKDIR = files/certbot.d
+EDITOR = code --wait
+
 # Run pre-commit checks on all files
 check:
 	pre-commit run --all-files
@@ -10,6 +13,10 @@ envsetup:
 	ansible-galaxy collection install -U -r requirements.yml
 	pre-commit install
 
+# Edit Ansible Vault
+vaultedit:
+	env EDITOR="$(EDITOR)" ansible-vault edit $(ANSIBLE_VAULT_FLAGS) vars/secrets.yml
+
 ## The following tasks run the certbot helper script
 ## Naming: certbot-(issue|renew)
 
@@ -24,43 +31,43 @@ certbot-renew:
 ## Order in Makefile: all, groups, nodes
 
 setup-all:
-	ansible-playbook setup.yml
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS)
 
 setup-guests:
-	ansible-playbook setup.yml --limit guests
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit guests
 
 setup-proxmox:
-	ansible-playbook setup.yml --limit proxmox
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit proxmox
 
 setup-containers:
-	ansible-playbook setup.yml --limit v-containers
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit v-containers
 
 setup-postgres:
-	ansible-playbook setup.yml --limit postgres
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit postgres
 
 setup-pihole:
-	ansible-playbook setup.yml --limit pihole
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit pihole
 
 setup-storage:
-	ansible-playbook setup.yml --limit storage
+	ansible-playbook setup.yml $(ANSIBLE_VAULT_FLAGS) --limit storage
 
 upgrade-all:
-	ansible-playbook upgrade.yml
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS)
 
 upgrade-guests:
-	ansible-playbook upgrade.yml --limit guests
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit guests
 
 upgrade-proxmox:
-	ansible-playbook upgrade.yml --limit proxmox
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit proxmox
 
 upgrade-containers:
-	ansible-playbook upgrade.yml --limit v-containers
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit v-containers
 
 upgrade-postgres:
-	ansible-playbook upgrade.yml --limit postgres
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit postgres
 
 upgrade-pihole:
-	ansible-playbook upgrade.yml --limit pihole
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit pihole
 
 upgrade-storage:
-	ansible-playbook upgrade.yml --limit storage
+	ansible-playbook upgrade.yml $(ANSIBLE_VAULT_FLAGS) --limit storage

files/bw_vault_password.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+echo "Please enter your Bitwarden credentials when prompted." 1>&2
+bw get password "Infra Ansible Vault"