107 lines
2.1 KiB
ReStructuredText
107 lines
2.1 KiB
ReStructuredText
.. page:: titlePage
|
|
|
|
.. class:: centredtitle
|
|
|
|
Keeping secrets with Ansible Vault
|
|
|
|
.. page:: standardPage
|
|
|
|
.. code-block:: yaml
|
|
|
|
---
|
|
vars:
|
|
mysql_databases:
|
|
- name: main
|
|
|
|
mysql_users:
|
|
- name: user
|
|
password: secret
|
|
priv: main.*:ALL
|
|
|
|
.. page::
|
|
|
|
.. code-block:: yaml
|
|
|
|
# provision_vault.yml
|
|
|
|
---
|
|
vault_database_name: main
|
|
vault_database_user: user
|
|
vault_database_password: secret
|
|
|
|
.. page:: titlePage
|
|
|
|
.. class:: centredtitle
|
|
|
|
``ansible-vault encrypt
|
|
provision_vault.yml``
|
|
|
|
.. class:: centredtitle
|
|
|
|
``New Vault password:
|
|
Confirm New Vault password:
|
|
Encryption successful``
|
|
|
|
.. page:: standardPage
|
|
|
|
.. code-block::
|
|
|
|
$ANSIBLE_VAULT;1.1;AES256
|
|
63656632326165643137646334343537396533656565313032363262623962393861666438393539
|
|
6366336638316133373061306332303761383565343035330a373637373830356430353630356161
|
|
32313831663039343733343539636365386333303862363635323138346137666166356639323338
|
|
3264636538356634390a343766353661386666376362376439386630363664616166643364366335
|
|
62373530393933373830306338386539626565313364643133666131613138383431353638636334
|
|
39376437633462373934313236363662633832643138386433646230313465383337373031373137
|
|
61353963623364393134386335373731356337366464633531656435383161656435313530363234
|
|
37373865393839616534353165656463313961333532363537383263343364646534333032336337
|
|
3235
|
|
|
|
.. page::
|
|
|
|
.. code-block:: yaml
|
|
|
|
# provision_vars.yml
|
|
|
|
---
|
|
database_name: '{{ vault_database_name }}'
|
|
database_user: '{{ vault_database_user }}'
|
|
database_password: '{{ vault_database_password }}'
|
|
|
|
.. page::
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
# provision.yml
|
|
|
|
---
|
|
vars_files:
|
|
- vars/provision_vault.yml
|
|
- vars/provision_vars.yml
|
|
|
|
vars:
|
|
mysql_databases:
|
|
- '{{ database_name }}'
|
|
|
|
mysql_users:
|
|
- name: '{{ database_user }}'
|
|
password: '{{ database_password }}'
|
|
priv: '{{ database_name }}.*:ALL'
|
|
|
|
.. page:: titlePage
|
|
|
|
.. class:: centredtitle
|
|
|
|
``ansible-playbook deploy.yml
|
|
-i hosts.yml
|
|
--ask-vault-pass``
|
|
|
|
.. page::
|
|
.. class:: centredtitle
|
|
|
|
``ansible-playbook deploy.yml
|
|
-i hosts.yml
|
|
--vault-password-file secret.txt``
|
|
|