take vault password from secret service

README.md

@@ -15,15 +15,6 @@ My current setup is [Linux Mint Vera](https://linuxmint.com/edition.php?id=302)
 - i3 app shortcuts
 - firefox config? extensions? host own synchronizer?
 
-Would like Ansible Vault to check in keypair for syncthing.
-However, then I would need a password to unlock the vault.
-As it is publicly available, password needs to be long and strong.
-I can just put it in my keepass, but can be annoying to copy every time.
-Therefore, I could make this available using Secret Service and write a script to fetch it.
-However, keepass cannot run secret service as Ubuntu already runs one.
-But if I disable that, my SSH agent does not work anymore.
-As an intermediate solution, I can just put the password in keepass...
-
 #### Neovim
 
 - More cool plugins :)

ansible.cfg

@@ -1,8 +1,8 @@
 [defaults]
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
-vault_password_file=./.vault_password
 playbook_dir=playbooks
+vault_password_file=util/secret-service-client.sh
 
 [privilege_escalation]
 become_ask_pass=true

roles/keepassxc/tasks/main.yml

@@ -1,7 +1,13 @@
+- name: Uninstall gnome-keyring
+  apt:
+    name: gnome-keyring
+    state: absent
 - name: Install Keepassxc
   become: true
   apt:
-    name: keepassxc
+    pkg:
+    - keepassxc
+    - libsecret-tools
 - name: Create keepassxc config directory
   file:
     path: ~/.config/keepassxc
@@ -21,3 +27,4 @@
     section: SSHAgent
     option: AuthSockOverride
     value: "{{ ssh_agent_socket }}"
+    no_extra_spaces: true

roles/system/tasks/main.yml

@@ -14,6 +14,7 @@
       - tree
       - wireshark
       - units
+      - unrar
 - name: Install .gitconfig
   template:
     src: "{{ role_path }}/templates/.gitconfig.j2"

util/secret-service-client.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+secret-tool lookup ansible_vault homeservers