Separate vault passwords from the playbooks, fix ansibleupdate cronjob

Again
Salt 2020-02-14 15:40:31 -06:00
parent b54f52b47b
commit 4b4e0c81cb
7 changed files with 32 additions and 2 deletions


@ -6,4 +6,3 @@ ssh_extra_args =-o ForwardAgent=yes -o StrictHostKeyChecking=no
host_key_checking = false host_key_checking = false
deprecation_warnings = false deprecation_warnings = false
ask_become_pass = true ask_become_pass = true
ask_vault_pass = true

10
ec2-deploy.sh Executable file

@ -0,0 +1,10 @@
#! /bin/sh
#
# deploy.sh
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
ansible-playbook ec2.yml --ask-vault-pass
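Review bot: `ansible-playbook ec2.yml --ask-vault-pass` resolves the playbook, and any `ansible.cfg` that Ansible picks up from the working directory, relative to wherever the caller happens to be, so the script only behaves as intended when run from the repository root. Changing to the script's directory first, `cd "$(dirname "$0")" || exit 1`, and ending with `exec ansible-playbook ec2.yml --ask-vault-pass "$@"` would make it location-independent and let extra options such as `--check` pass through. The header comment still names `deploy.sh` rather than `ec2-deploy.sh`. The same three points apply to `localhost-deploy.sh`.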

0
ec2.yml Executable file → Normal file

10
localhost-deploy.sh Executable file

@ -0,0 +1,10 @@
#! /bin/sh
#
# deploy.sh
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
ansible-playbook localhost.yml --ask-vault-pass

0
localhost.yml Executable file → Normal file


@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
31383561303637303735386663306631333063623336643030643634333262336664363461613239
6230623439393465656161663432393732633662383833640a373433343236353835363130653937
31346233663237383666306536633962613534623735366531666561656335393964316230633161
3930636537313364380a376432363431346636363565383734613638316161643036623636656532
66333038393738663464343534633766643734393165626538633962376161376262


@ -39,6 +39,11 @@
src: ansiblekey src: ansiblekey
dest: ~/.ssh/ansible dest: ~/.ssh/ansible
mode: "0600" mode: "0600"
- name: Copy Ansible password file
copy:
src: ansiblevaultpass
dest: /root/ansiblevaultpass
mode: "0600"
- name: Create system copy of Ansible repo - name: Create system copy of Ansible repo
git: git:
force: true force: true
@ -49,5 +54,5 @@
minute: "0" minute: "0"
hour: "*/12" hour: "*/12"
name: ansible-pull name: ansible-pull
job: "cd /opt/ansible-repo && /usr/local/bin/ansible-playbook ec2.yml > /var/log/ansible-pull.log 2>&1" job: "cd /opt/ansible-repo && /usr/local/bin/ansible-playbook ec2.yml --vault-password-file /root/ansiblevaultpass > /var/log/ansible-pull.log 2>&1"
become: true become: true
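Review bot: The `Copy Ansible password file` task puts the vault password in cleartext at `/root/ansiblevaultpass` on every host this role runs on, so root access on any one host is enough to decrypt every vault-encrypted value in the repository that the cron job checks out. If unattended runs need a password on disk, consider encrypting only what the scheduled run requires under a separate vault ID whose password is the one deployed, and keep the operator password interactive. On the task itself, add `owner: root` and `group: root` under `copy:` and `no_log: true` at task level so the decrypted content cannot surface in diff or verbose output; the task also shows no `become: true`, unlike the cron task in the second hunk, though a play-level setting may exist outside the hunk. The cron line in the second hunk sends all playbook output to `/var/log/ansible-pull.log`, so that file's mode is worth pinning as well.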