From 1683482dd3f5385d34ed2c32f404161812a7fbc6 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Fri, 29 Jan 2021 22:27:04 +0100 Subject: [PATCH] setup new vault --- .gitignore | 3 ++- README.md | 9 +++++++++ ansible.cfg | 3 ++- group_vars/all/user_vault | 8 ++++++++ roles/create_users/tasks/main.yml | 16 ++++++++++++++++ users.yml | 6 ++++++ 6 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 group_vars/all/user_vault create mode 100644 roles/create_users/tasks/main.yml create mode 100644 users.yml diff --git a/.gitignore b/.gitignore index 65a5ef9..144b5a5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ # ---> Ansible *.retry -.vault_password +.main_vault_password +.user_vault_password diff --git a/README.md b/README.md index 2f3cc08..4e1a988 100644 --- a/README.md +++ b/README.md @@ -26,3 +26,12 @@ ssh-add ansible all -m ping # or whatever you want to do with ansible exit ``` + +## Vault managment + +To use multiple vaults with multiple password, we use vault id. +The mapping vault-id@password-file is done in ansible.cfg under [defaults] in vault_identity_list: +`vault_identity_list = main_vault@.main_vault_password , user_vault@.user_vault_password` + +To create a new vault with an id and password registered in ansible.cfg: +`ansible-vault create --encrypt-vault-id user_vault group_vars/all/user_vault` diff --git a/ansible.cfg b/ansible.cfg index 7b4064a..f65041e 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -20,7 +20,8 @@ forks = 15 # Some SSH connection will take time timeout = 60 -vault_password_file = .vault_password +vault_identity_list = main_vault@.main_vault_password , user_vault@.user_vault_password +#vault_password_file = .vault_password [privilege_escalation] diff --git a/group_vars/all/user_vault b/group_vars/all/user_vault new file mode 100644 index 0000000..53181a6 --- /dev/null +++ b/group_vars/all/user_vault 
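Review bot: Removing `.vault_password` from .gitignore while ansible.cfg still carries the old `#vault_password_file = .vault_password` line means a developer who still has that file in a local checkout will now see it as untracked and can commit it with `git add .`. Keep the old entry next to the two new ones, or ignore the whole family with a pattern such as `.*vault_password`, so a stale secret file is never tracked. .gitignore only prevents accidental commits; the password files in the repo root still need restrictive permissions (e.g. mode 0600) on each checkout, which nothing in this commit enforces or documents.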
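Review bot: Listing two ids in `vault_identity_list` does not by itself isolate the two vaults: unless `vault_id_match` is enabled, Ansible tries every configured secret against every vault blob regardless of the id in its header, so a user_vault blob still decrypts with the main_vault password and vice versa. If the point of the second id is separation of access, add `vault_id_match = True` in the same section as this line. The spaces around the comma are presumably stripped by Ansible's list parsing, but writing `main_vault@.main_vault_password,user_vault@.user_vault_password` avoids relying on that. The section this line sits in (presumably [defaults], per the README) starts outside the hunk.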
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.2;AES256;user_vault
+37313030326130633030646433616330333664343237343231353463376434343938353766356464
+3731313633666539353130376139306663653336356363640a643465666563366635343763643931
+61383664353531643035333033623865396562613562353438666264343334613461626130386566
+3637656132353236660a366562633064333034633464343661663538353263643237313735366435
+38393639326233333938636636396363666536366139623666653434316537326430333333376638
+37663734653162633462653864353663323564623639313639326435313939336162643935383831
+303931333131396565393336653732626134
diff --git a/roles/create_users/tasks/main.yml b/roles/create_users/tasks/main.yml
new file mode 100644
index 0000000..33c40d2
--- /dev/null
+++ b/roles/create_users/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+#- name: Generate user
+#  user:
+#    name: "{{ item.name }}"
+#    group: "{{ item.groups }}"
+#  loop: "{{ uservault_users }}"
+#
+- name: Test
+  debug:
+    msg: "{{ item.name }}"
+  loop: "{{ uservault_users }}"
+
+- name: Test name
+  debug:
+    msg: "{{ vault_email }}"
diff --git a/users.yml b/users.yml
new file mode 100644
index 0000000..bdc20bf
--- /dev/null
+++ b/users.yml
@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- hosts: all
+  roles:
+    - create_users
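Review bot: Because the whole file is encrypted, a reviewer of this commit cannot see which variables it defines or confirm that `uservault_users` and `vault_email` (referenced by the new role) actually exist, and `git grep` will never find them. The usual pattern is a plain `group_vars/all/vars.yml` that maps readable names to `vault_*` variables, or encrypting individual values with `ansible-vault encrypt_string --encrypt-vault-id user_vault`, so variable names stay reviewable and only the values are opaque. The `$ANSIBLE_VAULT;1.2;AES256;user_vault` header does confirm the blob was created with the `user_vault` id described in the README.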
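Review bot: Both `debug` tasks print values that come out of the encrypted vault (`item.name` from `uservault_users` and `vault_email`) to stdout and any configured log, so the decrypted contents end up in terminal scrollback and CI output; add `no_log: true` to each task, or drop them before the role is merged, since they read as placeholders. The naming is also inconsistent: `vault_email` follows the Ansible convention of prefixing vaulted variables with `vault_` but `uservault_users` does not, and renaming it (e.g. `vault_users`) makes it obvious in plain-text playbooks which values are secret. In the commented-out `user` task, `group:` takes a single primary group while `item.groups` reads like a list; if it is a list, that parameter should be `groups:` when the task is enabled.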