From 4b4e0c81cb29e3dfd2af29191d190d2770955004 Mon Sep 17 00:00:00 2001
From: Salt
Date: Fri, 14 Feb 2020 15:40:31 -0600
Subject: [PATCH] Separate vault passwords from the playbooks, fix ansibleupdate cronjob Again
---
 ansible.cfg | 1 -
 ec2-deploy.sh | 10 ++++++++++
 ec2.yml | 0
 localhost-deploy.sh | 10 ++++++++++
 localhost.yml | 0
 roles/ansiblehost/files/ansiblevaultpass | 6 ++++++
 roles/ansiblehost/tasks/main.yml | 7 ++++++-
 7 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100755 ec2-deploy.sh
 mode change 100755 => 100644 ec2.yml
 create mode 100755 localhost-deploy.sh
 mode change 100755 => 100644 localhost.yml
 create mode 100644 roles/ansiblehost/files/ansiblevaultpass
diff --git a/ansible.cfg b/ansible.cfg
index 313fda5..37357d8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -6,4 +6,3 @@ ssh_extra_args =-o ForwardAgent=yes -o StrictHostKeyChecking=no
 host_key_checking = false
 deprecation_warnings = false
 ask_become_pass = true
-ask_vault_pass = true
diff --git a/ec2-deploy.sh b/ec2-deploy.sh
new file mode 100755
index 0000000..23b82c4
--- /dev/null
+++ b/ec2-deploy.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+#
+# deploy.sh
+# Copyright (C) 2020 Vintage Salt
+#
+# Distributed under terms of the MIT license.
+#
+
+ansible-playbook ec2.yml --ask-vault-pass
+
diff --git a/ec2.yml b/ec2.yml
old mode 100755
new mode 100644
diff --git a/localhost-deploy.sh b/localhost-deploy.sh
new file mode 100755
index 0000000..4f68fab
--- /dev/null
+++ b/localhost-deploy.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+#
+# deploy.sh
+# Copyright (C) 2020 Vintage Salt
+#
+# Distributed under terms of the MIT license.
+#
+
+ansible-playbook localhost.yml --ask-vault-pass
+
diff --git a/localhost.yml b/localhost.yml
old mode 100755
new mode 100644
diff --git a/roles/ansiblehost/files/ansiblevaultpass b/roles/ansiblehost/files/ansiblevaultpass
new file mode 100644
index 0000000..0131d94
--- /dev/null
+++ b/roles/ansiblehost/files/ansiblevaultpass
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+31383561303637303735386663306631333063623336643030643634333262336664363461613239
+6230623439393465656161663432393732633662383833640a373433343236353835363130653937
+31346233663237383666306536633962613534623735366531666561656335393964316230633161
+3930636537313364380a376432363431346636363565383734613638316161643036623636656532
+66333038393738663464343534633766643734393165626538633962376161376262
diff --git a/roles/ansiblehost/tasks/main.yml b/roles/ansiblehost/tasks/main.yml
index b75e5c8..4ff2e39 100644
--- a/roles/ansiblehost/tasks/main.yml
+++ b/roles/ansiblehost/tasks/main.yml
@@ -39,6 +39,11 @@
 src: ansiblekey
 dest: ~/.ssh/ansible
 mode: "0600"
+ - name: Copy Ansible password file
+ copy:
+ src: ansiblevaultpass
+ dest: /root/ansiblevaultpass
+ mode: "0600"
 - name: Create system copy of Ansible repo
 git:
 force: true
@@ -49,5 +54,5 @@
 minute: "0"
 hour: "*/12"
 name: ansible-pull
- job: "cd /opt/ansible-repo && /usr/local/bin/ansible-playbook ec2.yml > /var/log/ansible-pull.log 2>&1"
+ job: "cd /opt/ansible-repo && /usr/local/bin/ansible-playbook ec2.yml --vault-password-file /root/ansiblevaultpass > /var/log/ansible-pull.log 2>&1"
 become: true
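Review bot: The `Copy Ansible password file` task in the first main.yml hunk has no `no_log: true`, and the `copy` module decrypts a vault-encrypted `src` by default, so the plaintext vault password is what lands in `/root/ansiblevaultpass` and what a `--diff` run could print. Adding `no_log: true` together with explicit `owner: root` and `group: root` next to `mode: "0600"` keeps the secret out of task output and pins ownership. No `become: true` is visible on this task, while the neighbouring key copy targets `~/.ssh/ansible`; the task list starts and continues outside the hunk, so confirm the play is already escalated, otherwise the write to `/root` will fail. Every host that receives this role now holds the key to all vault-encrypted content in the repository, which deserves a comment above the task such as `# Plaintext vault password on disk: limit this role to the Ansible control host`.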
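Review bot: The updated `job:` line in the second main.yml hunk removes the vault prompt from the unattended run, but `ansible.cfg` in this same patch still carries `ask_become_pass = true` as a context line, so a cron run from `/opt/ansible-repo` may still stop at a become-password prompt with no terminal attached. If that setting is honoured for the checkout, consider moving it out of `ansible.cfg` the same way `ask_vault_pass` was moved, by passing `--ask-become-pass` in `ec2-deploy.sh` and `localhost-deploy.sh` instead. The job redirects all output to `/var/log/ansible-pull.log`, so it is also worth checking that file's permissions, since playbook output can include values from vaulted variables. The cron task's remaining keys begin outside the hunk.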