The ansible files for the pains-perdus infra.
books remade base playbook and roles 2022-07-21 15:19:24 +02:00
group_vars/all fixed bug with authorized keys directory permissions 2022-07-21 16:26:21 +02:00
host_vars fixed bug with authorized keys directory permissions 2022-07-21 16:26:21 +02:00
roles fixed bug with authorized keys directory permissions 2022-07-21 16:26:21 +02:00
utils add script to generate vpn keys 2021-04-23 15:12:12 +02:00
.gitignore add keys 2021-04-22 22:12:57 +02:00
.gitmodules Added submodule for telegram bridge 2022-03-22 20:11:47 -04:00
ansible.cfg started big cleanup 2022-07-19 11:44:55 +02:00
hosts remade base playbook and roles 2022-07-21 15:19:24 +02:00
LICENSE Initial commit 2020-10-05 09:38:11 +02:00
README.md started big cleanup 2022-07-19 11:44:55 +02:00
run_playbook centralize the declaration of the intranet ip plan 2021-04-23 19:14:28 +02:00
TODO.md toto list 2021-08-02 03:39:11 +02:00
vault-client.sh started big cleanup 2022-07-19 11:44:55 +02:00

ansible

Deploy a playbook

ansible-playbook playbook.yml

Add --check to do a dry run

Edit the vault

ansible-vault edit group_vars/all/vault

with the editor defined in the environment variable $EDITOR and the password of the vault in the file .vault_password (careful not to commit it!)

SSH key with passphrase

To avoid entering the passphrase of the SSH key for each host, we have to use an ssh-agent. The ssh-agent does not really work with xonsh, so in my case I have to run ansible and the agent inside a sh process:

sh
eval `ssh-agent -s`
ssh-add
ansible all -m ping # or whatever you want to do with ansible
exit

Vault management

To use multiple vaults with multiple passwords, we use vault IDs. The mapping vault-id@password-file is done in ansible.cfg under [defaults] in vault_identity_list:

vault_identity_list = main_vault@.main_vault_password , user_vault@.user_vault_password

To create a new vault with an ID and password registered in ansible.cfg:

ansible-vault create --encrypt-vault-id user_vault group_vars/all/user_vault
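
The password files named in vault_identity_list are the secrets the "careful not to commit it" warning above is about. The following check is an added example, not a script from this repository: it reads vault_identity_list from ansible.cfg and reports any password file that is missing, readable by group or others, or not ignored by git. It assumes paths without spaces, resolved relative to the directory holding ansible.cfg; the function name is hypothetical.

```sh
#!/bin/sh
# Added example (not part of this repository). Assumptions: password-file
# paths contain no spaces and relative ones are resolved against the
# directory that holds ansible.cfg.

# Audit every password file listed in vault_identity_list.
# Prints one line per finding, leaves the count in $problems and
# returns 0 only when there is nothing to report.
audit_vault_passwords() {
    cfg=$1
    problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    dir=$(dirname "$cfg")
    list=$(sed -n 's/^[[:space:]]*vault_identity_list[[:space:]]*=//p' "$cfg" | tr ',' ' ')
    for entry in $list; do
        id=${entry%%@*}      # label, e.g. main_vault
        path=${entry#*@}     # password source, e.g. .main_vault_password
        case $path in
            /*) file=$path ;;
            *)  file=$dir/$path ;;
        esac
        # "prompt" and executable client scripts hold no secret on disk.
        if [ "$path" = prompt ] || [ -x "$file" ]; then continue; fi
        if [ ! -f "$file" ]; then
            echo "$id: $file does not exist"
            problems=$((problems + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
            echo "$id: $file is accessible to group or others (chmod 600)"
            problems=$((problems + 1))
        fi
        # Inside a git work tree, a relative password file must be ignored;
        # check-ignore also fails for a file that is already tracked.
        case $path in /*) continue ;; esac
        if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
           ! git -C "$dir" check-ignore -q -- "$path"; then
            echo "$id: $path is not ignored by git"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Run the audit when the script is given a config path.
if [ "$#" -gt 0 ]; then
    audit_vault_passwords "$1"
fi
```

Saved under a name of your choice, it can be run from the repository root with ansible.cfg as its argument; a non-zero exit status means at least one finding.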

User management

The user management role manages users.

In particular, it creates the described users on each host.

The passwords are stored in the variables in their hashed form. The script hash_passwd.py can give you the hash of a password.

Passwords

keyring set ansible-painsperdus vault-default the_vault_password
keyring set ansible-painsperdus become your_password