
I'd like to deploy my webserver config with copy.

Is there any way to keep the SSL cert private key encrypted, and to decrypt it when the playbook is started?

The reason is that I want to use GitHub's private repositories. But the file will still be in the cloud and one click away from exposure.

wishi
  • see http://stackoverflow.com/questions/22773294/how-to-upload-encrypted-file-using-ansible-vault – Federico Sierra Feb 16 '16 at 17:05
  • I somehow have to get something like that for files, when the certs are not inline in the playbook. – wishi Feb 16 '16 at 17:09
  • I don't think it's possible with vault for now, see https://github.com/ansible/ansible/issues/7298, https://github.com/ansible/ansible/pull/13849 and https://github.com/ansible/ansible/pull/14079 – Federico Sierra Feb 16 '16 at 17:18

1 Answer

Have a look at Ansible Vault.

In short, it's a way to store encrypted YAML files, which can be decrypted directly by Ansible.

You then would run ansible with --ask-vault-pass:

ansible-playbook site.yml --ask-vault-pass
udondan
  • Yes, that works if I have the cert in the playbook. But I want to copy a file. – wishi Feb 16 '16 at 17:09
  • You could get the same result by using the `lineinfile` module and writing the line from an ansible var which is stored in the encrypted file. – udondan Feb 16 '16 at 17:22
  • hmh I am new to Ansible. The file has to be used because there is a checker which makes sure they are valid etc. I guess I will use the command module and pipe the file through a decrypter – wishi Feb 16 '16 at 17:44
  • @udondan you can also use "copy" to write a string, or a single var in a template. – tedder42 Feb 17 '16 at 05:21
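
The approach suggested in the comments above (keep the key as a variable in a vault-encrypted YAML file and write it out with `copy`), shown as an added example that is not part of the original posts. The file names, the `vault_ssl_private_key` variable, the `webservers` group, the destination path and the RSA key type are assumptions for illustration.

```yaml
# File 1: vars/tls_vault.yml (hypothetical path).
# Encrypt before committing:  ansible-vault encrypt vars/tls_vault.yml
# Shown decrypted here; the repository should only ever contain the vault ciphertext.
vault_ssl_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  ...constructed placeholder, the real PEM body goes here...
  -----END RSA PRIVATE KEY-----
---
# File 2: site.yml, run with:  ansible-playbook site.yml --ask-vault-pass
- hosts: webservers                 # assumed inventory group
  become: true
  vars_files:
    - vars/tls_vault.yml            # decrypted in memory once the vault password is given
  tasks:
    - name: Install TLS private key from the vaulted variable
      copy:
        content: "{{ vault_ssl_private_key }}"
        dest: /etc/ssl/private/example.key   # assumed destination path
        owner: root
        group: root
        mode: "0600"                # readable by root only
        # Optional check before the file is moved into place
        # (assumes an RSA key and openssl installed on the target host).
        validate: openssl rsa -in %s -check -noout
      no_log: true                  # keep the key material out of task output and logs
```

With this layout the plaintext key exists only on the target host; the control machine decrypts it in memory for the duration of the run.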