Use a well-known vault password file location

I caved

.gitlab-ci.yml

@@ -17,9 +17,9 @@ before_script:
   - mkdir -p ~/.ssh
   - chmod -R 0700 ~/.ssh
   # Dump the vault password
-  - touch /vaultpw
-  - chmod 0600 /vaultpw
-  - echo "$ANSIBLE_VAULT_PASSWORD" > /vaultpw
+  - touch ~/.vault_pass
+  - chmod 0600 ~/.vault_pass
+  - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.vault_pass
   # Fix perms on the playbook root
   - chmod -R 0750 .
   # Join the Zerotier management network
@@ -61,7 +61,7 @@ Test:
   except:
     - pipelines
   script:
-    - ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw || error="$?"
+    - ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass || error="$?"
     - if [ "$error" -eq 4 ]; then echo "Some hosts were unreachable; masking error"; unset error; fi
     - if [ -n "$error" ]; then echo "Return code $error"; false; fi
 
@@ -69,29 +69,29 @@ Test:
 Local:
   stage: play-pre
   script:
-    - ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Pre:
   stage: play-pre
   script:
-    - ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 
 # MAIN CONFIGURATION
 Main:
   stage: play-main
   script:
-    - ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Common:
   stage: play-main
   script:
-    - ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 Nagios:
   stage: play-main
   retry: 1
   script:
-    - ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
 
 # CLEANUP
 Cleanup:
   stage: play-post
   script:
-    - ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file /vaultpw
+    - ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass

ansible.cfg

@@ -29,6 +29,8 @@ system_warnings = true
 # We set this to avoid circumstances in which we time out waiting for a privesc
 # prompt. Zerotier, as a management network, can be a bit slow at times.
 timeout = 60
+# Bad
+vault_password_file = ~/.vault_pass
 
 [diff]
 always = true