summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSacha Chua <sacha@sachachua.com>2023-10-17 11:58:25 -0400
committerSacha Chua <sacha@sachachua.com>2023-10-17 11:58:25 -0400
commit6f128bfc6c0172e05fc581a7150258d4dc978031 (patch)
tree56c83750b229bb86503a7ceecc0003c02e88fffb
parent6fe0f9221ee5b2b8b3be019aed32b5264111099f (diff)
downloademacsconf-ansible-6f128bfc6c0172e05fc581a7150258d4dc978031.tar.xz
emacsconf-ansible-6f128bfc6c0172e05fc581a7150258d4dc978031.zip
handle vault password
Diffstat (limited to '')
-rw-r--r--README.org45
-rw-r--r--ansible.cfg3
-rw-r--r--inventory.yml9
3 files changed, 46 insertions, 11 deletions
diff --git a/README.org b/README.org
index aabeedb..a5f8764 100644
--- a/README.org
+++ b/README.org
@@ -15,6 +15,32 @@ Docker: needs docker-vars.yml, see docker-vars.yml.sample
Debugging: add -v or -vv to the =ansible-playbook= command.
+* Setting up a vault
+:PROPERTIES:
+:CUSTOM_ID: vault
+:END:
+
+You can store passwords in vault files if you like. [[https://stackoverflow.com/questions/37297249/how-to-store-ansible-become-pass-in-a-vault-and-how-to-use-it][More info]]
+
+Put this text into =host_vars/media/plain= and =host_vars/upload/plain=:
+
+#+begin_example
+ansible_become_pass: "{{ vaulted_become_pass }}"
+#+end_example
+
+Use =ansible-vault create host_vars/media/crypted= and =ansible-vault create host_vars/upload/crypted= to create files with the contents:
+
+#+begin_example
+vaulted_become_pass: "yourpasswordhere"
+#+end_example
+
+To set the password for this console session:
+
+#+begin_src sh :eval no
+ export ANSIBLE_PASSWORD=...
+#+end_src
+
+
* Processes
At the start of the conference preparation period, change
@@ -92,11 +118,23 @@ Then call =process-prerec.sh $file=. It will launch some screen sessions for ree
* Setting up the backstage area
1. Doublecheck the host in [[file:inventory.yml]] and the variables in [[file:roles/media/defaults/main.yml]].
-2. ansible-playbook -i inventory.yml prod-playbook.yml --tags media
+2. ansible-playbook -i inventory.yml prod-playbook.yml --tags media --ask-become-pass
+ (or =ansible-playbook -i inventory.yml prod-playbook.yml --tags media --ask-vault-pass= if you've [[#vault][stored it in a vault]])
3. Update the following variables in your Emacs configuration:
- emacsconf-backstage-dir
- emacsconf-backstage-phase
-
+* Upload service
+
+=ansible-playbook -i inventory.yml prod-playbook.yml --tags upload --ask-become-pass=
+(or =ansible-playbook -i inventory.yml prod-playbook.yml --tags upload --ask-vault-pass= if you've [[#vault][stored it in a vault]])
+
+/ssh:media|sudo:upload@media:~upload
+/ssh:media|sudo::/etc/nginx/sites-available
+
+sudo service upload start
+
+Next step, check firewall
+
* Publishing
Goals:
@@ -202,10 +240,7 @@ https://gist.github.com/aaronpk/7307172
ansible-playbook -i inventory.yml prod-playbook.yml --tags proxy --extra-vars='{"use_wikimedia": false}'
ansible-playbook -i inventory.yml prod-playbook.yml --tags proxy --extra-vars='{"use_wikimedia": true}'
-* Upload
-/ssh:media|sudo:upload@media:~upload
-/ssh:media|sudo::/etc/nginx/sites-available
* Stream
** Prod
Setting up icecast:
diff --git a/ansible.cfg b/ansible.cfg
index 9e9fd55..0a4935a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,3 @@
[defaults]
-ansible_managed = This file is managed by Ansible. Please make sure your changes are reflected in git@git.emacsconf.org:pub/emacsconf-ansible . \ No newline at end of file
+ansible_managed = This file is managed by Ansible. Please make sure your changes are reflected in git@git.emacsconf.org:pub/emacsconf-ansible .
+vault_password_file = ./.vault_pass \ No newline at end of file
diff --git a/inventory.yml b/inventory.yml
index 98c4e2a..6d87c8f 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -32,15 +32,14 @@ prod:
ansible_become: true
media:
ansible_host: media.emacsconf.org
- remote_user: orga
- ansible_ssh_user: orga
+ remote_user: sachac
+ ansible_ssh_user: sachac
ansible_python_interpreter: /usr/bin/python3
ansible_become: true
- host_name: media.emacsconf.org
upload:
ansible_host: media.emacsconf.org
- remote_user: orga
- ansible_ssh_user: orga
+ remote_user: sachac
+ ansible_ssh_user: sachac
ansible_python_interpreter: /usr/bin/python3
ansible_become: true
stream: