# ansible

The Ansible files for the pains-perdus infra.

## Deploy a playbook

`ansible-playbook playbook.yml`

Add `--check` to do a dry run: nothing is changed on the hosts, and adding `--diff` as well shows what each task would change. Check mode is only an approximation, since a task that depends on the result of an earlier (not applied) change can behave differently in a real run.

## Edit the vault

`ansible-vault edit group_vars/all/vault`

This opens the decrypted vault with the editor defined in the environment variable `$EDITOR`, with the password of the vault read from the file `.vault_password`. Careful not to commit that file! Keep it listed in `.gitignore` and readable only by your user (`chmod 600 .vault_password`).

## SSH key with passphrase

To avoid entering the passphrase of the SSH key for each host, we have to use an ssh-agent.

The ssh-agent with xonsh does not really work, so in my case I have to run ansible and the agent inside a sh process:

```sh
sh                    # start a plain sh; the agent variables live in this process
eval `ssh-agent -s`   # start the agent and export SSH_AUTH_SOCK / SSH_AGENT_PID
ssh-add               # load the default key(s); the passphrase is asked once
ansible all -m ping   # or whatever you want to do with ansible
exit                  # back to xonsh
```

`ssh-add -t 3600` loads the key for one hour only, and `ssh-agent -k` before `exit` stops the agent; otherwise it keeps running in the background with the key loaded.

## Vault management

To use multiple vaults with multiple passwords, we use vault IDs.

The mapping `vault-id@password-file` is done in `ansible.cfg` under `[defaults]` in `vault_identity_list`:

`vault_identity_list = main_vault@.main_vault_password , user_vault@.user_vault_password`

Each password file listed there must stay out of git, like `.vault_password` above.

To create a new vault with an ID and password registered in `ansible.cfg`:

`ansible-vault create --encrypt-vault-id user_vault group_vars/all/user_vault`
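
The password files named in `ansible.cfg`, like `.vault_password` in the "Edit the vault" section, unlock everything in the vaults, so they are worth checking before each commit. The following script is an added example, not a script from this repo: it assumes `ansible.cfg` sits at the repo root with `vault_password_file` and `vault_identity_list` each written on one line as shown above, and it fails when a listed password file is missing, readable by other users, or not ignored by git.

```shell
#!/bin/sh
# Added example, not part of the pains-perdus repo. Pre-flight check for the
# vault password files named in ansible.cfg (vault_password_file and every
# id@file entry of vault_identity_list): each must exist, be readable by its
# owner only, and be ignored by git so it cannot be committed by accident.
# Assumption: settings are one per line; [section] headers are not tracked, so
# a same-named key in another section would be picked up too.

# Print the password file paths referenced by ansible.cfg, one per line.
vault_password_files() {
    cfg="$1/ansible.cfg"
    [ -f "$cfg" ] || return 0
    {
        sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' "$cfg"
        sed -n 's/^[[:space:]]*vault_identity_list[[:space:]]*=[[:space:]]*//p' "$cfg" \
            | tr ',' '\n' | sed 's/^[^@]*@//'
    } | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Exit 0 when the path is ignored: ask git inside a repo, else read .gitignore.
is_git_ignored() {
    if git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$1" check-ignore -q "$2"
    else
        grep -qxF "$2" "$1/.gitignore" 2>/dev/null
    fi
}

# Report every problem found; return 1 if there was any, 0 otherwise.
check_vault_password_files() {
    repo="$1"
    status=0
    for rel in $(vault_password_files "$repo"); do   # paths without spaces assumed
        f="$repo/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING: $rel"
            status=1
            continue
        fi
        # Columns 5-10 of ls -l are the group and other bits; all must be '-'.
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "TOO PERMISSIVE: $rel is $(ls -ld "$f" | cut -c1-10), want -rw-------"
               status=1 ;;
        esac
        if ! is_git_ignored "$repo" "$rel"; then
            echo "NOT IGNORED: $rel is not covered by .gitignore"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: vault password files are private and git-ignored"
    return "$status"
}

# Usage: sh check_vault_password_files.sh /path/to/the/ansible/repo
if [ $# -gt 0 ]; then
    check_vault_password_files "$1"
fi
```

Run it from a git pre-commit hook and the commit is refused while a password file is exposed; `git check-ignore` is used when available so that wildcard patterns in `.gitignore` are honoured, with a plain line match as the fallback.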
## User management

The user management role allows to manage users.

In particular, it creates the described users on each host.

The passwords are stored in the variables in their hashed form (never in clear text), and those variables should live in an encrypted vault file rather than in a plain variables file. The script `hash_passwd.py` can give you the hash of a password.
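
The following is an added example and not the repo's `hash_passwd.py`. It assumes the role hands the hash to Ansible's `user` module, whose `password` parameter expects a crypt(3)-style hash as found in `/etc/shadow`, and shows how such a SHA-512 crypt (`$6$`) hash is produced with a random salt and verified, in pure Python so it does not depend on the deprecated `crypt` module. From a playbook the built-in filter `password_hash` (`{{ 'secret' | password_hash('sha512') }}`) does the same job.

```python
import hashlib
import hmac
import secrets

# Alphabet used by crypt(3) for its base64-like encoding (not RFC 4648 base64).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte positions of the 21 output triplets, from the SHA-crypt specification.
_TRIPLETS = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Encode three bytes as n characters, least-significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(digest: bytes) -> str:
    chunks = [_b64_from_24bit(digest[a], digest[b], digest[c], 4) for a, b, c in _TRIPLETS]
    chunks.append(_b64_from_24bit(0, 0, digest[63], 2))
    return "".join(chunks)


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return the crypt(3) '$6$' hash of password, as /etc/shadow stores it."""
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError("rounds must be between 1000 and 999999999")
    salt = salt[:16]  # crypt(3) uses at most 16 salt characters
    if not salt or any(ch not in _ITOA64 for ch in salt):
        raise ValueError("salt must be 1-16 characters from the crypt alphabet")
    pw, sb = password.encode("utf-8"), salt.encode("ascii")

    # Digest B mixes password, salt and password again.
    b = hashlib.sha512(pw + sb + pw).digest()
    # Digest A: password, salt, B repeated to the password length, then B or the
    # password for each bit of the password length (1 bit -> B, 0 bit -> password).
    a_ctx = hashlib.sha512(pw + sb)
    a_ctx.update((b * (len(pw) // 64 + 1))[:len(pw)])
    n = len(pw)
    while n > 0:
        a_ctx.update(b if n & 1 else pw)
        n >>= 1
    a = a_ctx.digest()
    # P: digest of the password repeated len(password) times, cut to that length.
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    # S: digest of the salt repeated 16 + A[0] times, cut to the salt length.
    ds = hashlib.sha512(sb * (16 + a[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[:len(sb)]
    # Key stretching: the round count is the cost factor against brute force.
    c = a
    for r in range(rounds):
        ctx = hashlib.sha512()
        ctx.update(p if r & 1 else c)
        if r % 3:
            ctx.update(s)
        if r % 7:
            ctx.update(p)
        ctx.update(c if r & 1 else p)
        c = ctx.digest()
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${_encode(c)}"


def new_password_hash(password: str, rounds: int = 5000) -> str:
    """Hash with a fresh 16-character random salt; this is what goes in the vault."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(16))
    return sha512_crypt(password, salt, rounds)


def verify_password(password: str, hashed: str) -> bool:
    """Recompute from the stored salt and rounds, compare in constant time."""
    parts = hashed.split("$")  # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds, idx = 5000, 2
    try:
        if parts[2].startswith("rounds="):
            rounds, idx = int(parts[2][len("rounds="):]), 3
        if len(parts) != idx + 2:
            return False
        candidate = sha512_crypt(password, parts[idx], rounds).rsplit("$", 1)[1]
    except ValueError:
        return False
    return hmac.compare_digest(candidate, parts[idx + 1])


if __name__ == "__main__":
    import getpass
    # Prompt instead of reading argv, so the password does not end up in shell history.
    print(new_password_hash(getpass.getpass("Password to hash: ")))
```

A higher `rounds` value (for example 100000) slows every guess of an attacker who obtains the hash, at the cost of a slower login; whichever value is chosen, the hash string itself carries it, so the `user` module and `verify_password` need no extra configuration.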