
Use user-based password vaults for server setup playbooks
Closed, Declined (Public)

Description

As an administrator,
I want sudo passwords to be stored in ansible vaults,
so that I'm only required to provide the vault password to carry out server setup tasks.

Acceptance Criteria:

  • Playbooks that provision multiple servers run without errors, even if there are different sudo passwords on each involved machine.
  • The user deploy on the deployment machine has password vault(s) prepared for each machine in its working copy of the fundraising-infrastructure repository.
  • The usage of the password vault(s) is documented in the fundraising-infrastructure repository.

Background:

  • Almost all of the server setup playbooks use the role backup_user. It contains a task that sets the backup user's public SSH key as an authorized key on the backup server. If the sudo passwords of the machines are not equal, the playbook fails to run. Thus, the playbooks can currently only be run if the machines share the same password.
  • It seems that the necessary vaults for the machines/host "groups" are not known to the playbook/role when using delegate_to.
  • We need to work around the fact that
    • we might not want to use host_vars/
    • the file names in group_vars/ that are required by convention (group_name.yml) are already in use by other files defining non-secret variables.
  • http://docs.ansible.com/ansible/playbooks_vault.html
  • http://serverfault.com/questions/560106/how-can-i-implement-ansible-with-per-host-passwords-securely
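
The layout below is an added example and not code from the fundraising-infrastructure repository. It shows one way to meet the acceptance criteria without host_vars/ and without clashing with the existing group_vars/group_name.yml files: each group's single vars file becomes a directory holding a plain vars.yml next to an encrypted vault.yml, and ansible_become_pass is set per group from the vaulted value. The group names (payments, backup), the variable names vault_sudo_password and backup_user_pubkey_path, and the role task are assumptions made for illustration.

```yaml
# Constructed inventory layout (example only):
#
# group_vars/
#   payments/
#     vars.yml    # plain text, committed: the existing non-secret variables
#     vault.yml   # encrypted: ansible-vault encrypt group_vars/payments/vault.yml
#   backup/
#     vars.yml
#     vault.yml
#
# Ansible loads every file in group_vars/<group>/, so turning group_vars/<group>.yml
# into a directory keeps the variable names the playbooks already reference.
---
# --- group_vars/payments/vars.yml (plain text) ---
# Keep the non-secret variables that used to live in group_vars/payments.yml here,
# and point the become password at the vaulted value through an indirection, so
# "grep vault_sudo_password" still shows where the secret is consumed.
ansible_become_pass: "{{ vault_sudo_password }}"
---
# --- group_vars/payments/vault.yml (contents before encryption; never commit it plain) ---
vault_sudo_password: "example-only-not-a-real-password"
---
# --- roles/backup_user/tasks/main.yml (assumed shape of the delegated step) ---
# Each provisioned host authorizes its own backup key on the backup server. The
# task is delegated, so become must use the *delegated* host's sudo password,
# which Ansible resolves from that host's ansible_become_pass, i.e. the vault of
# the backup group rather than the vault of the host being provisioned.
- name: Authorize this host's backup key on the backup server
  authorized_key:
    user: backup
    key: "{{ lookup('file', backup_user_pubkey_path) }}"
  become: true
  delegate_to: "{{ groups['backup'][0] }}"
```

With all vault.yml files encrypted under the same vault password, the deploy user runs the playbooks with ansible-playbook site.yml --ask-vault-pass (or --vault-password-file pointing at a file readable only by that user) and is prompted once, which is the behaviour the user story asks for. Two checks worth keeping in the repository's documentation: git grep -L '^\$ANSIBLE_VAULT' -- 'group_vars/*/vault.yml' lists any vault file that is not actually encrypted before it is committed, and a throwaway delegated task such as command: true with become: true against the backup host confirms that the delegated host's become password is the one being used, since this task reports that the vault was not picked up through delegate_to at the time.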

Event Timeline

Authentication data for setting up the system is now obsolete because we're using managed hosting.
Authentication data for deployment is stored in our shared and encrypted password store.