From a09cd9dab2ef0427334a757e285b61b7ea5f7e4a Mon Sep 17 00:00:00 2001
From: Jacob Babor
Date: Sat, 23 Jul 2022 18:04:15 -0500
Subject: [PATCH] Use a well-known vault password file location

I caved
---
 .gitlab-ci.yml | 20 ++++++++++----------
 ansible.cfg | 2 ++
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6c39495..8a9dab4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,9 +17,9 @@ before_script:
 - mkdir -p ~/.ssh
 - chmod -R 0700 ~/.ssh
 # Dump the vault password
- - touch /vaultpw
- - chmod 0600 /vaultpw
- - echo "$ANSIBLE_VAULT_PASSWORD" > /vaultpw
+ - touch ~/.vault_pass
+ - chmod 0600 ~/.vault_pass
+ - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.vault_pass
 # Fix perms on the playbook root
 - chmod -R 0750 .
 # Join the Zerotier management network
@@ -61,7 +61,7 @@ Test:
 except:
 - pipelines
 script:
- - ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw || error="$?"
+ - ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass || error="$?"
 - if [ "$error" -eq 4 ]; then echo "Some hosts were unreachable; masking error"; unset error; fi
 - if [ -n "$error" ]; then echo "Return code $error"; false; fi
 
@@ -69,29 +69,29 @@ Test:
 Local:
 stage: play-pre
 script:
- - ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Pre:
 stage: play-pre
 script:
- - ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 
 # MAIN CONFIGURATION
 Main:
 stage: play-main
 script:
- - ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Common:
 stage: play-main
 script:
- - ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Nagios:
 stage: play-main
 retry: 1
 script:
- - ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 
 # CLEANUP
 Cleanup:
 stage: play-post
 script:
- - ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+ - ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
diff --git a/ansible.cfg b/ansible.cfg
index 674924b..eb3ef57 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -29,6 +29,8 @@ system_warnings = true
 # We set this to avoid circumstances in which we time out waiting for a privesc
 # prompt. Zerotier, as a management network, can be a bit slow at times.
 timeout = 60
+# Bad
+vault_password_file = ~/.vault_pass
 
 [diff]
 always = true
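Review bot: The write on the `+ - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.vault_pass` line succeeds even when the variable is unset or empty, leaving an empty password file that only surfaces later in the play jobs as a decryption failure rather than at the point of the mistake; a guard before it makes the cause obvious: `- '[ -n "$ANSIBLE_VAULT_PASSWORD" ] || { echo "ANSIBLE_VAULT_PASSWORD is empty"; exit 1; }'`. Moving the file from `/vaultpw` into the home directory also means it can outlive the job wherever the runner's home persists between jobs (a shell executor, or a cached home, which I cannot tell from here), so an `after_script` line such as `- rm -f ~/.vault_pass` is worth adding. The `before_script` block starts and continues outside the hunk.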
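Review bot: The `--vault-password-file ~/.vault_pass` flag kept on the `+ - ansible-playbook --skip-tags no-test,no-auto -C site.yml …` line is now redundant with the `vault_password_file = ~/.vault_pass` default this same commit adds to ansible.cfg (assuming the jobs run from the repository root, which the bare `site.yml` suggests), so the path is maintained in seven places instead of one; the six changed lines of the `@@ -69,29 +69,29 @@` hunk have the same duplication. Either drop the flag from every job so ansible.cfg is the single source of truth, or keep the flag and leave ansible.cfg alone, but not both. Separately, `[ "$error" -eq 4 ]` on the following context line prints `integer expression expected` whenever the play succeeded and `error` is unset; `[ "${error:-0}" -eq 4 ]` keeps the same logic without the noise. The Test job definition starts outside the hunk.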
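Review bot: Every changed line in this hunk repeats the same `--ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass` tail, so the six jobs differ only in the playbook path yet each carries a 200-character invocation that has to be edited in lockstep (this commit touched all six for a one-token change). A top-level `variables:` entry setting `ANSIBLE_SSH_COMMON_ARGS: '-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"'` would let each script line shrink to `- ansible-playbook --skip-tags no-auto playbooks/site_pre.yml` and the like, with the vault flag dropped once the ansible.cfg default is relied on. The Cleanup job may continue past the end of the hunk.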
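Review bot: `+# Bad` tells the next reader nothing about why `vault_password_file` is being set to a fixed path or what they must do to satisfy it; replace it with a comment that states the contract, for example `# Vault password is read from this fixed path: CI writes it in .gitlab-ci.yml's before_script; for local runs keep your own copy here with mode 0600.` As far as I recall, ansible-playbook fails at startup when a configured vault password file does not exist, even for plays that decrypt nothing, so the comment should also make clear that the file is required for any local invocation from this directory. If the setting is meant as a stopgap, the comment should say what it is a stopgap for rather than just labelling it bad.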