ansible/scripts/load-mailcow-vault-env.sh

#!/usr/bin/env bash
# Export Mailcow API + mailbox password from .env or Ansible vault.
# Usage: source scripts/load-mailcow-vault-env.sh [mailbox_local_part]
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
VAULT_FILE="${REPO_ROOT}/inventories/production/group_vars/all/vault.yml"
VAULT_PASS="${HOME}/.ansible-vault-pass"
ANSIBLE_VAULT="${REPO_ROOT}/.venv/bin/ansible-vault"
MAILBOX_KEY="${1:-${MAILBOX:-${MAILBOX_LOCAL_PART:-}}}"

set -a
[ -f "${REPO_ROOT}/.env" ] && . "${REPO_ROOT}/.env"
set +a

if [[ -n "${MAILCOW_API_KEY:-}" && -n "${MAILBOX_PASSWORD:-${ALERTS_PASSWORD:-}}" ]]; then
  export MAILBOX_PASSWORD="${MAILBOX_PASSWORD:-${ALERTS_PASSWORD:-}}"
  return 0 2>/dev/null || exit 0
fi

if [[ ! -f "${VAULT_FILE}" ]] || [[ ! -f "${VAULT_PASS}" ]]; then
  return 0 2>/dev/null || exit 0
fi

eval "$("${REPO_ROOT}/.venv/bin/python3" - "${VAULT_FILE}" "${VAULT_PASS}" "${ANSIBLE_VAULT}" "${MAILBOX_KEY}" <<'PY'
import os, subprocess, sys, yaml, shlex

vault_file, vault_pass, ansible_vault, mailbox_key = sys.argv[1:5]
text = subprocess.check_output(
    [ansible_vault, "view", vault_file, "--vault-password-file", vault_pass],
    text=True,
)
data = yaml.safe_load(text) or {}
out = []
api = data.get("vault_mailcow_api_key") or ""
if api:
    out.append("export MAILCOW_API_KEY=" + shlex.quote(str(api)))
passwords = data.get("vault_mailcow_mailbox_passwords") or {}
pw = ""
if mailbox_key and mailbox_key in passwords:
    pw = passwords[mailbox_key]
elif mailbox_key == "alerts":
    pw = data.get("vault_alerts_mailbox_password") or passwords.get("alerts", "")
if pw:
    out.append("export MAILBOX_PASSWORD=" + shlex.quote(str(pw)))
    out.append("export ALERTS_PASSWORD=" + shlex.quote(str(pw)))
print("\n".join(out))
PY
)"

return 0 2>/dev/null || exit 0