infra/roles/infra-control/tasks/extract_secret.yml

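---
# Extract one secret from the pass(1) store into a plaintext file.
#
# Expects a loop variable `item` with:
#   item.id   - name of the entry inside the password store
#   item.dest - path of the plaintext file to produce
#
# The plaintext is only (re)written when it is missing or older than the
# encrypted entry. The write goes through a temp file created under
# umask 0077 and an atomic mv, so a half-written secret is never visible
# at the final path.

- name: "check if the secret {{ item.id }} exists"
  stat:
    # pass(1) falls back to ~/.password-store when PASSWORD_STORE_DIR is
    # unset; mirror that instead of probing "/<id>.gpg" on an empty env var
    path: "{{ lookup('env', 'PASSWORD_STORE_DIR') | default('~/.password-store', true) }}/{{ item.id }}.gpg"
    get_checksum: false
    get_mime: false
  register: st_secret

- name: "fail early when the secret {{ item.id }} is not in the store"
  fail:
    msg: "secret {{ item.id }} not found in the password store"
  when: not st_secret.stat.exists

- name: "check if the plaintext destination {{ item.dest }} exists"
  stat:
    path: "{{ item.dest }}"
    get_checksum: false
    get_mime: false
  register: plaintext_st_secret
  failed_when: false

- name: create a directory for the plaintext secret
  file:
    path: "{{ item.dest | dirname }}"
    state: directory
    # quoted so the YAML parser cannot reinterpret the octal literal as an int
    mode: "0700"

# Always (re)assign the fact: set_fact values persist on the host across
# loop iterations, so a "true" left over from an earlier item would
# otherwise skip the decryption of the next one. `and` short-circuits, so
# stat.mtime is only read when the plaintext actually exists.
- name: "decide whether the plaintext for {{ item.id }} is up to date"
  set_fact:
    secret_up2date: "{{ plaintext_st_secret.stat.exists | bool and plaintext_st_secret.stat.mtime > st_secret.stat.mtime }}"

- name: "decrypt the secret {{ item.id }}"
  # item.id / item.dest are shell-quoted so names with spaces or shell
  # metacharacters cannot break or alter the command line
  shell: >-
    set -e &&
    umask 0077 &&
    pass {{ item.id | quote }} > {{ (item.dest ~ '.tmp') | quote }} &&
    mv {{ (item.dest ~ '.tmp') | quote }} {{ item.dest | quote }}
  when: not (secret_up2date | default(false) | bool)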