Repository layout:
books
group_vars
host_vars
roles
utils
.gitignore
.gitmodules
ansible.cfg
hosts
LICENSE
README.md
run_playbook
TODO.md
vault-client.sh
ansible
The Ansible files for the pains-perdus infra.
Deploy a playbook
ansible-playbook playbook.yml
Add --check to do a dry run (add --diff as well to see what each task would change).
Edit the vault
ansible-vault edit group_vars/all/vault
This opens the vault with the editor defined in the environment variable $EDITOR and reads the vault password from the file .vault_password
(Careful not to commit it! Make sure it is listed in .gitignore.)
SSH key with passphrase
To avoid entering the passphrase of the SSH key for each host, we have to use an ssh-agent. The ssh-agent does not really work with xonsh, so in my case I have to run ansible and the agent inside a sh process:
sh
eval "$(ssh-agent -s)"
ssh-add
ansible all -m ping # or whatever you want to do with ansible
ssh-agent -k # stop the agent, otherwise it keeps running with the unlocked key
exit
Vault management
To use multiple vaults with different passwords, we use vault ids.
The mapping vault-id@password-file is done in ansible.cfg under [defaults] in vault_identity_list:
vault_identity_list = main_vault@.main_vault_password , user_vault@.user_vault_password
To create a new vault with an id and password registered in ansible.cfg:
ansible-vault create --encrypt-vault-id user_vault group_vars/all/user_vault
When decrypting, Ansible tries every listed password against a vault file unless vault_id_match is set, so the id mainly decides which password encrypts a new vault. Both password files must stay out of git.
User management
The user management role manages users: it creates the described users on each host.
Passwords are stored in the variables in hashed form (the crypt(3) hash Ansible's user module expects in its password parameter, never the plaintext). The script hash_passwd.py
can give you the hash of a password.
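Added example, not the repo's hash_passwd.py: a pure-hashlib implementation of sha512-crypt (Drepper's SHA-crypt, the $6$ scheme glibc and libxcrypt use for /etc/shadow), so it also runs on Python 3.13+ where the crypt module was removed. hash_password() gives the string to paste into the vault, verify() checks a password against one. The function names and the 16-character random salt are choices made here, not the project's.

```python
"""sha512-crypt ($6$, the /etc/shadow scheme) in pure Python.

Added example, not the repo's hash_passwd.py. Implements Drepper's SHA-crypt
algorithm (as in glibc/libxcrypt) with hashlib only, so it works on Python
3.13+ where the crypt module is gone. The output is the format
ansible.builtin.user expects in its `password` parameter.
"""
import hashlib
import secrets

# crypt(3) base64 alphabet: not the RFC 4648 one, and no padding
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000


def gen_salt(length: int = 16) -> str:
    """Random salt from a CSPRNG; 16 chars is the most sha512-crypt uses."""
    return "".join(secrets.choice(_B64) for _ in range(length))


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n chars of the 24-bit word b2|b1|b0, low 6 bits first (glibc order)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return "$6$[rounds=N$]salt$hash" for password, as glibc's crypt() would."""
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    salt = salt[:16]                       # glibc truncates longer salts
    rounds = max(1000, min(rounds, 999_999_999))
    pw, sb = password.encode("utf-8"), salt.encode("utf-8")

    # Digest B = H(pw || salt || pw); digest A mixes pw, salt and B in a
    # length-dependent pattern (the "bit walk" over len(pw)).
    b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    for _ in range(len(pw) // 64):
        a.update(b)
    a.update(b[: len(pw) % 64])
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    da = a.digest()

    # P: len(pw) bytes from H(pw * len(pw)); S: len(salt) bytes from
    # H(salt * (16 + A[0])).
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(sb * (16 + da[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[: len(sb)]

    # Key stretching: `rounds` chained SHA-512 computations over C, P and S.
    c = da
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Encode 64 bytes as 86 chars, interleaving bytes i, i+21, i+42 as glibc does.
    enc = []
    for i in range(21):
        idx = [i, i + 21, i + 42]
        k = i % 3
        idx = idx[k:] + idx[:k]
        enc.append(_b64_from_24bit(c[idx[0]], c[idx[1]], c[idx[2]], 4))
    enc.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${''.join(enc)}"


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """What you paste into the vault: a fresh random salt on every call."""
    return sha512_crypt(password, gen_salt(), rounds)


def verify(password: str, hashed: str) -> bool:
    """Check a password against a "$6$..." string (rounds= prefix optional)."""
    fields = hashed.split("$")             # ['', '6', ['rounds=N',] salt, hash]
    if len(fields) < 4 or fields[1] != "6":
        return False
    rounds, rest = DEFAULT_ROUNDS, fields[2:]
    if rest[0].startswith("rounds="):
        try:
            rounds = int(rest[0][len("rounds="):])
        except ValueError:
            return False
        rest = rest[1:]
    if len(rest) != 2:
        return False
    candidate = sha512_crypt(password, rest[0], rounds).rsplit("$", 1)[1]
    return secrets.compare_digest(candidate, rest[1])


if __name__ == "__main__":
    import getpass
    print(hash_password(getpass.getpass("Password to hash: ")))
```

Run it and paste the printed string as the user's password variable in the vault; because the salt is random, hashing the same password twice gives two different strings that both verify. The default 5000 rounds is what the $6$ scheme uses when no rounds= field is present; a higher count is fine and is recorded in the hash.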
Passwords
Store the vault password and your become (privilege escalation) password in the system keyring under the service ansible-painsperdus:
keyring set ansible-painsperdus vault-default the_vault_password
keyring set ansible-painsperdus become your_password
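Ansible treats a vault password file whose name ends in -client (before the extension) as a client script: it runs it with --vault-id <id> and takes the password from stdout, which is how a single script can serve both vault ids from the vault management section and the keyring entries above. The following is an added example of such a client in Python, not the repo's vault-client.sh. The service name ansible-painsperdus comes from the keyring commands above; the convention that the vault id "default" (what Ansible passes when no id is given) maps to the keyring entry vault-default, and so id X to vault-X, is an assumption, as are the file name vault-keyring-client.py and the function names.

```python
#!/usr/bin/env python3
"""Ansible vault password client script backed by the system keyring.

Added example, not the repo's vault-client.sh. Ansible calls a password file
named *-client(.ext) with `--vault-id <id>` and reads the secret from stdout.
The "vault-<id>" entry naming is an assumption matching the README's
`keyring set ansible-painsperdus vault-default ...` command.
"""
import argparse
import subprocess
import sys
from typing import Callable, Optional

SERVICE = "ansible-painsperdus"   # keyring service name from the README
DEFAULT_VAULT_ID = "default"      # id Ansible uses when none is given

Lookup = Callable[[str, str], Optional[str]]


def keyring_lookup(service: str, username: str) -> Optional[str]:
    """Fetch a secret with the `keyring` CLI; None if missing or keyring absent."""
    try:
        proc = subprocess.run(["keyring", "get", service, username],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.rstrip("\r\n") or None


def entry_name(vault_id: str) -> str:
    """Keyring username for a vault id ("vault-<id>", assumed convention).

    The id comes from the command line, so reject anything that does not look
    like an identifier rather than pass it on to another program.
    """
    if not vault_id or not all(ch.isalnum() or ch in "_-" for ch in vault_id):
        raise ValueError(f"unexpected vault id {vault_id!r}")
    return f"vault-{vault_id}"


def parse_args(argv):
    parser = argparse.ArgumentParser(
        description="print the vault password for --vault-id from the keyring")
    parser.add_argument("--vault-id", default=DEFAULT_VAULT_ID)
    return parser.parse_args(argv)


def vault_password(vault_id: str, lookup: Lookup = keyring_lookup) -> str:
    """Resolve a vault id to its password, or raise LookupError with a hint."""
    name = entry_name(vault_id)
    secret = lookup(SERVICE, name)
    if secret is None:
        raise LookupError(
            f"no keyring entry for {SERVICE}/{name}; "
            f"run: keyring set {SERVICE} {name} <password>")
    return secret


def main(argv=None, lookup: Lookup = keyring_lookup) -> int:
    args = parse_args(sys.argv[1:] if argv is None else argv)
    try:
        password = vault_password(args.vault_id, lookup)
    except (LookupError, ValueError) as exc:
        # Errors go to stderr only: Ansible takes whatever is on stdout as the password.
        print(f"vault-keyring-client: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(password + "\n")   # Ansible strips the trailing newline
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Make the file executable and point each id at it in ansible.cfg, for example vault_identity_list = main_vault@./vault-keyring-client.py , user_vault@./vault-keyring-client.py (file name assumed); Ansible then invokes it once per id with --vault-id main_vault and --vault-id user_vault, and no password file needs to exist on disk. Anything the script prints to stdout becomes the password, so diagnostics must go to stderr, as above.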