author | Sacha Chua <sacha@sachachua.com> | 2023-10-17 11:58:25 -0400
---|---|---
committer | Sacha Chua <sacha@sachachua.com> | 2023-10-17 11:58:25 -0400
commit | 6f128bfc6c0172e05fc581a7150258d4dc978031 (patch) |
tree | 56c83750b229bb86503a7ceecc0003c02e88fffb |
parent | 6fe0f9221ee5b2b8b3be019aed32b5264111099f (diff) |
download | emacsconf-ansible-6f128bfc6c0172e05fc581a7150258d4dc978031.tar.xz emacsconf-ansible-6f128bfc6c0172e05fc581a7150258d4dc978031.zip |
handle vault password
Diffstat (limited to '')
-rw-r--r-- | README.org | 45
-rw-r--r-- | ansible.cfg | 3
-rw-r--r-- | inventory.yml | 9
3 files changed, 46 insertions, 11 deletions
@@ -15,6 +15,32 @@ Docker: needs docker-vars.yml, see docker-vars.yml.sample Debugging: add -v or -vv to the =ansible-playbook= command. +* Setting up a vault +:PROPERTIES: +:CUSTOM_ID: vault +:END: + +You can store passwords in vault files if you like. [[https://stackoverflow.com/questions/37297249/how-to-store-ansible-become-pass-in-a-vault-and-how-to-use-it][More info]] + +Put this text into =host_vars/media/plain= and =host_vars/upload/plain=: + +#+begin_example +ansible_become_pass: "{{ vaulted_become_pass }}" +#+end_example + +Use =ansible-vault create host_vars/media/crypted= and =ansible-vault create host_vars/upload/crypted= to create files with the contents: + +#+begin_example +vaulted_become_pass: "yourpasswordhere" +#+end_example + +To set the password for this console session: + +#+begin_src sh :eval no + export ANSIBLE_PASSWORD=... +#+end_src + + * Processes At the start of the conference preparation period, change 
@@ -92,11 +118,23 @@ Then call =process-prerec.sh $file=. It will launch some screen sessions for ree * Setting up the backstage area 1. Doublecheck the host in [[file:inventory.yml]] and the variables in [[file:roles/media/defaults/main.yml]]. -2. ansible-playbook -i inventory.yml prod-playbook.yml --tags media +2. ansible-playbook -i inventory.yml prod-playbook.yml --tags media --ask-become-pass + (or =ansible-playbook -i inventory.yml prod-playbook.yml --tags media --ask-vault-pass= if you've [[#vault][stored it in a vault]]) 3. Update the following variables in your Emacs configuration: - emacsconf-backstage-dir - emacsconf-backstage-phase - +* Upload service + +=ansible-playbook -i inventory.yml prod-playbook.yml --tags upload --ask-become-pass= +(or =ansible-playbook -i inventory.yml prod-playbook.yml --tags upload --ask-vault-pass= if you've [[#vault][stored it in a vault]]) + +/ssh:media|sudo:upload@media:~upload +/ssh:media|sudo::/etc/nginx/sites-available + +sudo service upload start + +Next step, check firewall + * Publishing Goals: @@ -202,10 +240,7 @@ https://gist.github.com/aaronpk/7307172 ansible-playbook -i inventory.yml prod-playbook.yml --tags proxy --extra-vars='{"use_wikimedia": false}' ansible-playbook -i inventory.yml prod-playbook.yml --tags proxy --extra-vars='{"use_wikimedia": true}' -* Upload -/ssh:media|sudo:upload@media:~upload -/ssh:media|sudo::/etc/nginx/sites-available * Stream ** Prod Setting up icecast: diff --git a/ansible.cfg b/ansible.cfg index 9e9fd55..0a4935a 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,3 @@ [defaults] -ansible_managed = This file is managed by Ansible. Please make sure your changes are reflected in git@git.emacsconf.org:pub/emacsconf-ansible .
\ No newline at end of file +ansible_managed = This file is managed by Ansible. Please make sure your changes are reflected in git@git.emacsconf.org:pub/emacsconf-ansible . +vault_password_file = ./.vault_pass
\ No newline at end of file diff --git a/inventory.yml b/inventory.yml index 98c4e2a..6d87c8f 100644 --- a/inventory.yml +++ b/inventory.yml @@ -32,15 +32,14 @@ prod: ansible_become: true media: ansible_host: media.emacsconf.org - remote_user: orga - ansible_ssh_user: orga + remote_user: sachac + ansible_ssh_user: sachac ansible_python_interpreter: /usr/bin/python3 ansible_become: true - host_name: media.emacsconf.org upload: ansible_host: media.emacsconf.org - remote_user: orga - ansible_ssh_user: orga + remote_user: sachac + ansible_ssh_user: sachac ansible_python_interpreter: /usr/bin/python3 ansible_become: true stream: |
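Review bot: in the README.org hunk at @@ -15,6 +15,32 @@, the "set the password for this console session" step exports `ANSIBLE_PASSWORD`, which is not a variable Ansible core reads for vault secrets, so the export does nothing and the user is still prompted (or, with the ansible.cfg change in this same commit, Ansible looks for `./.vault_pass` instead). The environment variable that does what the paragraph describes is `ANSIBLE_VAULT_PASSWORD_FILE`, which takes a path to a password file (or an executable that prints it), e.g. `export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/.emacsconf-vault-pass`; either switch to that, or drop the paragraph and rely on `--ask-vault-pass` as the later sections already suggest. Worth stating next to the `ansible-vault create` lines that the `crypted` files are the only place the real become password should live, so nobody pastes it into `plain`.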
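Review bot: in the README.org hunk at @@ -92,11 +118,23 @@, the new "Upload service" section ends with "Next step, check firewall", which is a TODO rather than an instruction: either remove it or say which port or service must be opened. The same hunk tells readers to pass `--ask-vault-pass` if they stored the password in a vault, but the ansible.cfg change in this commit sets `vault_password_file = ./.vault_pass`, so with that file present the prompt is redundant, and when it is absent Ansible refuses to start rather than prompting; the two paragraphs should agree on one mechanism (prompt, password file, or `ANSIBLE_VAULT_PASSWORD_FILE`) and say so once. The two TRAMP paths (`/ssh:media|sudo:upload@media:~upload`, `/ssh:media|sudo::/etc/nginx/sites-available`) and `sudo service upload start` are also dropped in without a sentence saying what to do with them.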
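Review bot: in the ansible.cfg hunk, `vault_password_file = ./.vault_pass` points at a plaintext password file in the repository root, and nothing in this commit adds `.vault_pass` to `.gitignore`, so the vault password is one `git add .` away from being committed alongside the vaulted files it protects; add the ignore entry in the same change, and consider pointing the setting outside the checkout (e.g. `~/.emacsconf-vault-pass`) or leaving it unset and documenting `ANSIBLE_VAULT_PASSWORD_FILE` per user. Because a configured password file that does not exist makes every `ansible-playbook` run fail at startup, even for tags that touch no vaulted variable, the README should state that each contributor must create this file or override the setting. Both the old and new last lines carry `\ No newline at end of file`; add the trailing newline while touching the file.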
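Review bot: in the inventory.yml hunk, the `media` and `upload` hosts switch `remote_user` and `ansible_ssh_user` from the shared `orga` account to the personal login `sachac` in a tracked inventory, so every other operator now has to edit a committed file (or gets a login failure) to run the playbook; keep `orga` or drop the per-host user entirely and let each person supply it with `-u`, `ANSIBLE_REMOTE_USER`, or a gitignored per-user vars file. While here, `ansible_ssh_user` is the deprecated alias of `ansible_user`, and `remote_user` set as an inventory variable is just a host var unless a play references it, so consolidating both to a single `ansible_user` line would remove the duplication. The hunk also deletes `host_name: media.emacsconf.org` for `media`; confirm no role or template still reads `host_name` before merging.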