rohrschacht/netcup-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
66d8951054
netcup-setup/ansible/README.md
Tobias Petrich 2b258105e8
make more idempotent and extend README.md
2025-12-27 17:46:43 +01:00

79 lines
2.3 KiB
Markdown
Raw Blame History

# Ansible MicroOS VM setup
## Description
(Vaulted) Variables for accessing the host with specific credentials are stored in the host_vars,
they are handled as specific for how each user accesses a specific host.
(Vaulted) Variables for the services are stored in the group_vars,
they are shared between all administrators of the host.
Vaults can be automatically decrypted using a GPG key (best using a connected Yubikey).
## Requirements
Create vars and vault file for accessing the host following this structure.
Adjust the username, become method and password.
`inventories/production/host_vars/io/vars.yml`:
```yaml
---
ansible_user: tobias
ansible_become_method: sudo
```
`inventories/production/host_vars/io/vault.yml`:
(create through `ansible-vault create vault.yml` with a strong password)
```yaml
---
ansible_become_pass: EXAMPLE
```
## Automatic vault decryption setup
Vaults can have a Vault ID, which is specified in the vault file. Just change the starting line in the file
`$ANSIBLE_VAULT;1.2;AES256` to `$ANSIBLE_VAULT;1.2;AES256;podman_hosts`.
Assumption: The GPG key ID intended for use is D5AF83DDD5F8523A.
Create an encrypted GPG file called `vault-passwords.gpg` for the GPG key you will be using with content like this:
```text
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
```
This can be created ad-hoc using either fish or bash.
Fish supports a command called `psub` which can be used to pipe the output of a command into a file securely.
Bash can be used with a cat heredoc.
### fish
```fish
gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg (psub)
```
Then in the psub editor, enter the content:
```text
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
```
### bash
```bash
gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg <<EOF
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
EOF
```
In the ansible.cfg, the passwords of vaults with specified IDs are configured to be retrieved from
`lookup-secret-client.bash`, which in turn looks for the encrypted `vault-passwords.gpg` file.
If you add more vaults, add them line-by-line with their Vault ID and password to the encrypted `vault-passwords.gpg`
file, and add them to the comma-separated list vault_identity_list in `ansible.cfg`.
## Usage
```shell
ansible-playbook -i inventories/production/hosts.yml main.yml
```
Reference in New Issue View Git Blame Copy Permalink