boma/scripts/vault-pass-client.sh


#!/usr/bin/env bash
#
# ansible-vault password client.
#
# Prints the boma master vault password to stdout by fetching it from Vaultwarden
# via the `rbw` agent. Wired in as `vault_password_file` (ansible.cfg) and used by
# the Makefile vault targets, so every ansible-vault / ansible-playbook / lint run
# obtains the password the same way.
#
# The password lives only in Vaultwarden (encrypted at rest) and in the rbw agent's
# memory while unlocked — never in a plaintext file on disk. It does pass through this
# script's stdout to ansible, so never run it under shell tracing (`bash -x` / `set -x`),
# which would echo the password to stderr.
#
# Unlock once per terminal session before running any vault operation:
# rbw unlock
#
# Override the Vaultwarden item name via BOMA_VAULT_ITEM if it ever changes.
#
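set -euo pipefail
# Defensive: if a caller enabled xtrace (bash -x, or an exported SHELLOPTS=xtrace),
# the pw=... assignment below would be echoed to stderr. Switch it off unconditionally.
set +x

item="${BOMA_VAULT_ITEM:-boma-ansible-vault}"

# Print a diagnostic on stderr and exit non-zero. Nothing but the password may ever
# reach stdout, because ansible-vault takes stdout verbatim as the vault password.
die() {
  printf 'vault-pass-client: %s\n' "$*" >&2
  exit 1
}

command -v rbw >/dev/null 2>&1 \
  || die "'rbw' is not installed — see docs/runbooks/rotate-secrets.md."

# rbw's own stderr is left attached so its real reason (locked agent, unknown item,
# not logged in) is visible alongside our hint; stderr can never be mistaken for the
# password by ansible-vault, only stdout matters.
if ! pw="$(rbw get "$item")"; then
  printf '%s\n' "vault-pass-client: could not read '$item' from Vaultwarden via rbw." >&2
  printf '%s\n' " The agent is probably locked. Run: rbw unlock" >&2
  exit 1
fi

# Refuse to hand an empty secret downstream: an item with a blank password field may
# still make rbw exit 0 (unverified), and ansible-vault would then encrypt new files
# with an empty key or fail confusingly on existing ones.
[[ -n "$pw" ]] || die "item '$item' in Vaultwarden has an empty password field."

printf '%s\n' "$pw"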