# My first project - using vaults

When creating a project, we start defining the infrastructure layout via two files:

  - ansible.cfg
  - inventory


We're going to describe the following setup:

  - direct access to client machines (eg. no bastion)
  - one `inventory` file
  - no host_key_check
  - no retry files
  - client machine username/password is `root:root`
  - no public key is installed by default



In [7]:
cd /notebooks/exercise-01/

/notebooks/exercise-01


## Preparation

The first steps include creating:

 - all secret files (ssh identity, vault pin file)
 - ansible.cfg (the deployment descriptor) 
 - and the inventory.

In [8]:
# At first create a proper ssh key for the project
! rm id_ansible.pub id_ansible -rf

Now create a new ssh key for the project:

- the default name is `id_ansible`;
- the algorithm is `ed25519`, which is the most efficient one. For further information on ed25519 see [RFC8032](https://datatracker.ietf.org/doc/html/rfc8032).




In [None]:
! test -f id_ansible || ssh-keygen -q -t ed25519 -f id_ansible  -N ''

In [None]:
# Now a `secret` password ;) We'll reference this in ansible.cfg
!echo secret > .pin    

In [None]:
# then prepare a deployment descriptor referencing the .pin file
!cat ansible.cfg

#### Exercise

What is the meaning of the `-q` and `-N` options of `ssh-keygen`?

Hint: open a [terminal](/terminals/man) and use `man ssh-keygen`.


#### Exercise

 - use ansible docs or the web to comment properly all the [ansible.cfg](/edit/notebooks/exercise-01/ansible.cfg) params

In [None]:
# And in the end, the inventory. 
!cat inventory

## Gotta ping 'em all

Everything is set up now. 

Let's ping all hosts, eventually adjusting the ip ranges in the [inventory](/edit/notebooks/exercise-01/inventory).

Open a [terminal](/terminals/man) and use `docker inspect` to retrieve the container IPs.

In [None]:
# Let's get an error: root_password is UNDEFINED. 
!ansible -m ping all


## Vaults

We now ensure that everything is encrypted and we're able to connect to some hosts

In [None]:
# A vault is just a yaml file containing a dictionary of secrets.
#  We can put here as many information as we want, but for now
#  just put the `root_password`.

!echo "root_password: root" > vault.yml

In [None]:
# We need to encrypt it. 
!ansible-vault encrypt vault.yml

#### Exercise

  - which secret is used to encrypt vault.yml ?
  - where is it specified?
  - what happens if you try to re-encrypt the vault.yml

In [None]:
# And show the anatomy of the vault.
!cat vault.yml

In [None]:
# Can we decrypt it?
!ansible-vault view vault.yml

In [None]:
!ansible -m ping all -e@vault.yml

#### Exercise

 - How can you pass the vault password file from the command line?
 - Run ansible in verbose mode and check how ansible pass the password to ssh: does it use some helper program?

In [None]:
# Write answers here

## SSH Authentication

We want to switch from password to ssh authentication. Create a playbook to install ssh keys: it reads the password from vault.yml


In [None]:
!cat copy-key.yml

In [None]:
!cat id_ansible.pub

In [None]:
!ansible-playbook copy-key.yml

#### Exercise

Comment out the ansible_password field  [in `inventory` here](/edit/notebooks/exercise-01/inventory)

  - guess the expected output without running ansible
  
  

In [None]:
# Running in debug mode we can see all ssh arguments injected via anisble. Discuss the DEBUG output       
!sed -i 's/ansible_password/#ansible_password/' inventory
!ansible -vvv -m ping all

In [None]:
# Use this cell for the exercise

#### Exercise

Run ansible in verbose mode to se all the injected ssh argument. If the output is too verbose, reduce it either with:
    - `--limit ipaddress` to contact only one node
    - host indexing/subscript eg: `all[0]` 

# Discuss vaults for:
- common secrets to be shared on a repo
- private secrets to reside on local PC