pass is an encrypted on-disk password store.
New in version 2017.7.0.
<user> needs to be replaced with the user salt-master will be
Have the private gpg key loaded into the user's gpg keyring
    load_private_gpg_key:
      cmd.run:
        - name: gpg --import <location_of_private_gpg_key>
        - unless: gpg --list-keys '<gpg_name>'
Said private key's public key should have been used when encrypting pass entries that are of interest for pillar data.
Fetch and keep local pass git repo up-to-date
    update_pass:
      git.latest:
        - force_reset: True
        - name: <git_repo>
        - target: /<user>/.password-store
        - identity: <location_of_ssh_private_key>
        - require:
          - cmd: load_private_gpg_key
Install pass binary
Salt master configuration options
    # If the prefix is *not* set (default behavior), all template variables are
    # considered for fetching secrets from Pass. Those that cannot be resolved
    # to a secret are passed through.
    #
    # If the prefix is set, only the template variables with matching prefix are
    # considered for fetching the secrets, other variables are passed through.
    #
    # For ease of use it is recommended to set the following options as well:
    #       renderer: 'jinja|yaml|pass'
    #       pass_strict_fetch: true
    #
    pass_variable_prefix: 'pass:'

    # If set to 'true', error out when unable to fetch a secret for a template variable.
    pass_strict_fetch: true

    # Set GNUPGHOME env for Pass.
    # Defaults to: ~/.gnupg
    pass_gnupghome: <path>

    # Set PASSWORD_STORE_DIR env for Pass.
    # Defaults to: ~/.password-store
    pass_dir: <path>
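The prefix and strict-fetch behaviour described in the options above, as an added Python sketch (an illustration written for this page, not Salt's renderer code). The names resolve, render, pass_show and SecretFetchError are hypothetical; pass_show runs `pass show` with PASSWORD_STORE_DIR and GNUPGHOME set as the options describe.

```python
import os
import subprocess


class SecretFetchError(Exception):
    """Raised in strict mode when a reference cannot be resolved (hypothetical name)."""


def pass_show(path, pass_dir=None, gnupghome=None):
    """Return the entry printed by `pass show <path>`, or None on failure."""
    env = dict(os.environ)
    if pass_dir:
        env["PASSWORD_STORE_DIR"] = pass_dir
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    try:
        proc = subprocess.run(["pass", "show", path], env=env,
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.rstrip("\r\n")


def resolve(value, prefix="", strict=False, fetch=pass_show):
    """Resolve one template value the way the options above describe."""
    if not isinstance(value, str):
        return value
    if prefix:
        if not value.startswith(prefix):
            return value          # prefix set, no match: passed through
        path = value[len(prefix):]
    else:
        path = value              # no prefix set: every string is tried
    secret = fetch(path.strip())
    if secret is None:
        if strict:
            raise SecretFetchError(f"cannot fetch secret for {value!r}")
        return value              # non-strict: unresolved reference passed through unchanged
    return secret


def render(data, **opts):
    """Walk nested dicts and lists and resolve every string leaf."""
    if isinstance(data, dict):
        return {k: render(v, **opts) for k, v in data.items()}
    if isinstance(data, list):
        return [render(v, **opts) for v in data]
    return resolve(data, **opts)
```

With strict fetching off, a mistyped path ends up in the rendered data as the literal reference string instead of failing the render, which is what pass_strict_fetch: true prevents.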
Fetch secret from pass based on pass_path