axilleas / ansible-bootstrap Goto Github PK

Table of Contents generated with DocToc

• Prerequisites
• File list
• Instructions
  • Vault password
  • secrets.yml

Some basic stuff to bootstrap a standalone ansible repo.

1. Ansible
2. At least one gpg key to use with ansible-vault

1. bin/{ansible-test,open_the_vault.sh}
2. ansible.cfg
3. secrets.yml
4. deploy.yml
5. vault-passwd.gpg (not in the ansible-bootstrap repo, read below)

Using the method described in Eric Call's blog post, generate a strong password to use with ansible-vault in order to encrypt secrets.yml and everything else needed. This will be stored in a gpg encrypted file:

pwgen -sy 64 | head -n42 | gpg -e -o vault-passwd.gpg

The above command will ask you which IDs to use with the encryption. That way you can add multiple collaborators. Enter all the e-mail addresses you want and finalize the encryption with a blank entry.

Now every time you run ansible-playbook, ansible will look in ansible.cfg, run the script in /bin/open_the_vault.sh and feed the passphrase to ansible-vault.

Finally, add vault-passwd.gpg in git control.

Note: open_the_vault.sh needs to be executable.

Place here any role variables. A convention to know when a variable is secret, is to define it in uppercase. For example:

MARIADB_DB_PASSWD: "OzO=Qeg*IJQ"

Then in roles/mariadb/vars/main.yml define the database password like:

db_passwd: "{{ MARIADB_DB_PASSWD }}"

which then can be called in your tasks.

The secrets.yml is always loaded in the general playbook deploy.yml.

Finally, encrypt secrets.yml with ansible-vault:

ansible-vault encrypt secrets.yml

which will encrypt the file with the password defined in the previous section. When prompted, enter your gpg password.