bw

playbook.yml

@@ -3,6 +3,7 @@
   become: yes
   roles:
     - common
+    - vaultwarden
     - kubernetes
     - kube-master
     - stolon
@@ -12,5 +13,6 @@
   become: yes
   roles:
     - common
+    - vaultwarden
     - kubernetes
     - kube-node

roles/stolon/tasks/main.yml

@@ -21,52 +21,17 @@
   shell: ls -l /tmp/stolon/kubernetes-files/files
   register: resultado_ls
 
+- name: Obter várias notas do Bitwarden
+  shell: |
+    export BW_SESSION={{ lookup('env', 'BW_SESSION') }}
+    bw get item "{{ item.id }}" --session $BW_SESSION | jq -r '.notes' > {{ item.dest }}
+  loop:
+    - { id: "iac.ansible.dockersecrets", dest: "/tmp/stolon/kubernetes-files/files/docker-secrets.yaml" }
+    - { id: "iac.ansible.stolon.repl.secret", dest: "/tmp/stolon/kubernetes-files/files/stolon-repl-secret.yaml" }
+    - { id: "iac.ansible.stolon.keeper.secret", dest: "/tmp/stolon/kubernetes-files/files/stolon-secret.yaml" }
+  args:
+    executable: /bin/bash
 
-- name: Buscar values.yaml do Bitwarden e aplicar remotamente
-  hosts: localhost
-  gather_facts: no
-  tasks:
-    - name: Criar diretório temporário no remoto
-      file:
-        path: /tmp/stolon/kubernetes-files
-        state: directory
-        mode: '0755'
-    - name: Buscar values.yaml do Bitwarden
-      shell: |
-        bw get item "iac.ansible.dockersecrets" --session $BW_SESSION | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/docker-secrets.yaml
-        bw get item "iac.ansible.stolon.repl.secret" --session $BW_SESSION | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/stolon-repl-secret.yaml    
-        bw get item "iac.ansible.stolon.keeper.secret" --session $BW_SESSION | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/stolon-secret.yaml    
-      args:
-        executable: /bin/bash
-      environment:
-        BW_SESSION: "{{ lookup('env', 'BW_SESSION') }}"
-
-- name: Copiar ficheiros para o nó remoto
-  hosts: localhost
-  gather_facts: no
-  vars:
-    remote_host: "k8s-node-01"
-    files_to_copy:
-      - { src: "/tmp/stolon/kubernetes-files/files/docker-secrets.yaml", dest: "/tmp/stolon/kubernetes-files/files/docker-secrets.yaml" }
-      - { src: "/tmp/stolon/kubernetes-files/files/stolon-repl-secret.yaml", dest: "/tmp/stolon/kubernetes-files/files/stolon-repl-secret.yaml" }
-      - { src: "/tmp/stolon/kubernetes-files/files/stolon-secret.yaml", dest: "/tmp/stolon/kubernetes-files/files/stolon-secret.yaml" }
-
-  tasks:
-    - name: Copiar ficheiros para o nó remoto
-      copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dest }}"
-        mode: '0600'
-      loop: "{{ files_to_copy }}"
-      delegate_to: "{{ groups['master'][0] }}"
-
-#- name: Buscar values.yaml do Bitwarden
-#  shell: |
-#    bw get item "iac.ansible.dockersecrets" --session {{ lookup('env', 'BW_SESSION') }} | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/docker-secrets.yaml
-#    bw get item "iac.ansible.stolon.repl.secret" --session {{ lookup('env', 'BW_SESSION') }} | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/stolon-repl-secret.yaml    
-#    bw get item "iac.ansible.stolon.keeper.secret" --session {{ lookup('env', 'BW_SESSION') }} | jq -r '.notes' > /tmp/stolon/kubernetes-files/files/stolon-secret.yaml    
-#  args:
-#    executable: /bin/bash
 
 - name: Mostrar resultado do ls
   debug:

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Instalar dependências (curl, unzip, jq)
+  become: true
+  apt:
+    name:
+      - curl
+      - unzip
+      - jq
+    state: present
+    update_cache: true
+
+- name: Instalar Bitwarden CLI
+  become: true
+  shell: |
+    curl -L https://github.com/bitwarden/cli/releases/latest/download/bw-linux.zip -o bw.zip
+    unzip bw.zip
+    chmod +x bw
+    mv bw /usr/local/bin/bw
+  args:
+    creates: /usr/local/bin/bw
+
+- name: Fazer login no Bitwarden
+  shell: bw login {{ bw_email }} --password {{ bw_password }}
+  register: bw_login
+  no_log: true
+
+- name: Desbloquear cofre e guardar sessão
+  shell: bw unlock --password {{ bw_password }} --raw
+  register: bw_session
+  no_log: true
+
+- name: Exportar sessão para ambiente local
+  shell: echo "export BW_SESSION={{ bw_session.stdout }}" >> /etc/profile.d/bw-session.sh
+  become: true

roles/vaultwarden/vars/main.yml

@@ -0,0 +1,2 @@
+bw_email: "{{ lookup('env', 'BW_EMAIL') }}"
+bw_password: "{{ lookup('env', 'BW_PASSWORD') }}"