axilleas/ansible-bootstrap

Some basic stuff to bootstrap a standalone ansible repo.

Prerequisites

  1. Ansible
  2. At least one gpg key to use with ansible-vault

File list

  1. bin/{ansible-test,open_the_vault.sh}
  2. ansible.cfg
  3. secrets.yml
  4. deploy.yml
  5. vault-passwd.gpg (not in the ansible-bootstrap repo, read below)

Instructions

Vault password

Using the method described in Eric Call's blog post, generate a strong password for ansible-vault, which will encrypt secrets.yml and anything else that needs it. The password is stored in a gpg-encrypted file:

pwgen -sy 64 | head -n42 | gpg -e -o vault-passwd.gpg

The above command will ask you which recipient IDs (gpg keys) to encrypt to; adding several lets multiple collaborators open the vault. Enter all the e-mail addresses you want and finish the recipient list with a blank entry.

Now every time you run ansible-playbook, ansible will look in ansible.cfg, run the script bin/open_the_vault.sh and feed the decrypted passphrase to ansible-vault.

Finally, add vault-passwd.gpg to git.

Note: open_the_vault.sh needs to be executable.

secrets.yml

Put the role variables here. As a convention that makes secret variables recognisable, define them in uppercase. For example:

MARIADB_DB_PASSWD: "OzO=Qeg*IJQ"

Then in roles/mariadb/vars/main.yml define the database password like:

db_passwd: "{{ MARIADB_DB_PASSWD }}"

which can then be referenced in your tasks.

secrets.yml is always loaded by the top-level playbook deploy.yml.

Finally, encrypt secrets.yml with ansible-vault:

ansible-vault encrypt secrets.yml

which encrypts the file with the vault password from the previous section. When prompted, enter your gpg passphrase so that vault-passwd.gpg can be decrypted.
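As an added example (not a file from the ansible-bootstrap repo), a small POSIX shell check that catches the two mistakes the instructions above warn about before anything is committed or run: a secrets.yml that was never passed through ansible-vault encrypt, and a bin/open_the_vault.sh that is not executable. While the file is still plaintext it also checks the uppercase naming convention for top-level keys. The assumed body of open_the_vault.sh (gpg -q -d vault-passwd.gpg) and the ansible.cfg setting that points at it (vault_password_file = bin/open_the_vault.sh) are assumptions about how the repo is wired, not contents shown on this page.

```shell
#!/bin/sh
# Added example, not part of the ansible-bootstrap repo: pre-commit style
# checks for the two mistakes the README warns about.
#   1. secrets.yml left in plaintext (the `ansible-vault encrypt` step skipped)
#   2. bin/open_the_vault.sh not executable, so Ansible cannot run it to obtain
#      the vault password (assumed script body: `gpg -q -d vault-passwd.gpg`,
#      assumed ansible.cfg wiring: `vault_password_file = bin/open_the_vault.sh`)

# Return 0 if the file carries an ansible-vault header, 1 otherwise.
# Every file written by ansible-vault starts with "$ANSIBLE_VAULT;<version>;<cipher>".
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Return 0 if every top-level key of a plaintext secrets file follows the
# README's uppercase convention, 1 if any key breaks it (offending keys are printed).
secret_keys_uppercase() {
    # Top-level keys start in column 0 as "name:"; comments and nested keys are skipped.
    bad=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*:' "$1" \
          | grep -vE '^[[:upper:]][[:upper:][:digit:]_]*:' || true)
    if [ -n "$bad" ]; then
        printf 'lowercase secret key(s):\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Check a repo checkout at $1; print each problem, return 1 if any was found.
vault_check() {
    repo=$1
    rc=0
    if ! is_vault_encrypted "$repo/secrets.yml"; then
        echo "secrets.yml is not vault-encrypted; run: ansible-vault encrypt secrets.yml"
        # While it is still plaintext, the naming convention can be checked too.
        secret_keys_uppercase "$repo/secrets.yml" || true
        rc=1
    fi
    if [ ! -x "$repo/bin/open_the_vault.sh" ]; then
        echo "bin/open_the_vault.sh is not executable; run: chmod +x bin/open_the_vault.sh"
        rc=1
    fi
    return $rc
}

# Usage: sh vault_check.sh /path/to/checkout   (without an argument only the functions are defined)
if [ $# -gt 0 ]; then
    vault_check "$1"
fi
```

Run it from a git pre-commit hook or before ansible-playbook; a non-zero exit means the vault password script or secrets.yml is not in the state the instructions above require.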
