
Ansible MicroOS VM setup

Description

(Vaulted) variables for accessing a host with a particular user's credentials are stored in host_vars; they are specific to how each administrator reaches a given host.

(Vaulted) variables for the services are stored in group_vars; they are shared between all administrators of the host.

Vaults can be decrypted automatically using a GPG key (ideally one held on a connected YubiKey).

Requirements

Create a vars file and a vault file for accessing the host, following the structure below. Adjust the username, become method and password to your setup.

inventories/production/host_vars/io/vars.yml:

---
ansible_user: tobias
ansible_become_method: sudo

inventories/production/host_vars/io/vault.yml (create it with ansible-vault create vault.yml, using a strong vault password):

---
ansible_become_pass: EXAMPLE

Automatic vault decryption setup

Vaults can carry a Vault ID, which is recorded in the header line of the vault file. Change the first line of the file from $ANSIBLE_VAULT;1.2;AES256 to $ANSIBLE_VAULT;1.2;AES256;podman_hosts (creating the file with ansible-vault create --vault-id podman_hosts@prompt writes this label itself).

Assumption: The GPG key ID intended for use is D5AF83DDD5F8523A.

Create an encrypted GPG file called vault-passwords.gpg for the GPG key you will be using with content like this:

VAULT_ID1 vault_password1
VAULT_ID2 vault_password2

This can be created ad hoc using either fish or bash. Fish provides a command called psub, which lets you pass the output of a command to another command as a file without writing it to disk yourself. Bash can be used with a cat heredoc; note that an interactive heredoc is saved in the shell history together with the command, so disable history for that session or delete the entry afterwards.

fish

gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg (psub)

psub then reads the content from your terminal; type the lines below and end the input with Ctrl-D:

VAULT_ID1 vault_password1
VAULT_ID2 vault_password2

bash

gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg <<EOF
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
EOF

In ansible.cfg, the passwords of vaults with the listed IDs are configured to be retrieved from lookup-secret-client.bash, which in turn decrypts the vault-passwords.gpg file and looks up the requested ID.

If you add more vaults, add them line by line with their Vault ID and password to the encrypted vault-passwords.gpg file, and add them to the comma-separated list vault_identity_list in ansible.cfg.
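To make the lookup step concrete, here is an added example of a vault-id client script written in the shape Ansible expects; it is not the repository's own lookup-secret-client.bash, and the ansible.cfg wiring it assumes (vault_identity_list = podman_hosts@lookup-secret-client.bash) is an assumption, not quoted from the page. Ansible treats a password script whose name ends in "-client" (before the extension) as a client script and runs it as `script --vault-id <label>`, reading the password from standard output. The script assumes vault-passwords.gpg sits next to it, holds one "<vault id> <password>" pair per line as described above, and that gpg-agent (with the YubiKey) performs the decryption.

```shell
#!/bin/sh
# Added example (not the repository's lookup-secret-client.bash): an Ansible
# vault-id client script. Ansible invokes it as
#   lookup-secret-client.bash --vault-id <label>
# and reads the password from stdout. Assumed ansible.cfg wiring:
#   [defaults]
#   vault_identity_list = podman_hosts@lookup-secret-client.bash
# Assumed layout: vault-passwords.gpg next to this script, one
# "<vault id> <password>" pair per line; gpg-agent handles the key.
set -eu

# vault_id_from_args "$@": print the label given as --vault-id LABEL or
# --vault-id=LABEL; reject anything else with a usage message.
vault_id_from_args() {
    label=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id)
                [ $# -ge 2 ] || { echo "--vault-id needs a label" >&2; return 2; }
                label="$2"; shift 2 ;;
            --vault-id=*)
                label="${1#--vault-id=}"; shift ;;
            *)
                echo "usage: $0 --vault-id <label>" >&2; return 2 ;;
        esac
    done
    [ -n "$label" ] || { echo "usage: $0 --vault-id <label>" >&2; return 2; }
    printf '%s\n' "$label"
}

# lookup_password LABEL: read "<id> <password>" lines from stdin (the
# decrypted file) and print the password for LABEL. Blank lines and lines
# starting with '#' are skipped; the password is everything after the first
# whitespace, so it may contain spaces. Fails if LABEL is not present.
lookup_password() {
    want="$1"
    while read -r id pw; do
        case "$id" in ''|'#'*) continue ;; esac
        if [ "$id" = "$want" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
    echo "no password for vault id '$want'" >&2
    return 1
}

# main: decrypt the password file (gpg-agent/YubiKey prompt happens here,
# and a failed decryption aborts under set -e) and print the requested entry.
main() {
    label="$(vault_id_from_args "$@")" || exit $?
    dir="$(cd "$(dirname "$0")" && pwd)"
    secrets="$(gpg --quiet --batch --decrypt "$dir/vault-passwords.gpg")"
    printf '%s\n' "$secrets" | lookup_password "$label"
}

# Only act when invoked with arguments (Ansible always passes --vault-id);
# sourcing the file or running it bare just defines the functions.
[ $# -eq 0 ] || main "$@"
```

Because the password file is read only from the decrypted stream and the script never writes it out, nothing plaintext touches disk; the one thing to keep in mind is that anyone who can run the script with the agent unlocked gets every password in the file, so restrict its permissions like any other vault secret.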

Usage

ansible-playbook -i inventories/production/hosts.yml main.yml