{{tag>Brouillon Ansible Vault MDP Jinja}}
= ansible-vault notes
== ansible-vault for encrypting secrets
Define the vault password
[[https://www.safaribooksonline.com/library/view/ansible-playbook-essentials/9781784398293/ch08s05.html|Adding the vault password file option to the Ansible configuration]]
<code bash>
mkdir -p ~/.ansible
# 32 random alphanumeric characters; LC_ALL=C keeps tr from failing on non-UTF-8 input bytes
LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass
</code>
''~/.ansible.cfg''
<code ini>
[defaults]
vault_password_file = $HOME/.ansible/.vault_pass
</code>
Rotate the vault password
<code bash>
mv ~/.ansible/.vault_pass ~/.ansible/.vault_pass.old
LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass*
# re-encrypt every vaulted file with the new password (file names must not contain whitespace)
ansible-vault rekey --vault-password-file ~/.ansible/.vault_pass.old --new-vault-password-file ~/.ansible/.vault_pass $(find . -type f -name "*.mdp.yml")
# once the rekey has been checked, destroy the old password file (not the new one):
# shred -u ~/.ansible/.vault_pass.old
</code>
== Examples
<code bash>
ansible-vault encrypt_string 'P@ssw0rd' --name 'mysql_pass_root'
</code>
Output:
<code yaml>
mysql_pass_root: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31313332623736393962306239386565356536663533343665653565336265373265373166326565
          6166646561303163376336363834636633373538346632310a356166393237333865623863336133
          64343962336462356336303239663633316364393137633263366334376533303766393262653561
          6638303531626238630a613161663932376333633539656334336465383238623330393832666136
          6666
</code>
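What the hex blob above actually contains, as an added example in standard-library Python (this is not Ansible's own code): a vault 1.1 envelope is the hex encoding of ''salt\nhmac\nciphertext'', each part itself hex; the AES key, HMAC key and IV are derived from the password with PBKDF2-HMAC-SHA256 (10000 iterations), and the HMAC-SHA256 over the ciphertext is what rejects a wrong password before anything is decrypted (encrypt-then-MAC). The block parses the page's own ''encrypt_string'' output and can build and check envelopes of its own. The AES-256-CTR step is deliberately left out (it needs a crypto library), so ''build_envelope'' takes already-encrypted bytes, and the ciphertext and password used when exercising it are constructed sample values.

```python
"""Parse an Ansible Vault 1.1 envelope and check a password against its HMAC.

Added example, not Ansible's code: it follows the 1.1 payload layout with the
standard library only. AES-256-CTR decryption is omitted; everything up to the
password check (salt, key derivation, HMAC verification) is implemented here.
"""
import binascii
import hashlib
import hmac
import os

VAULT_HEADER = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000   # fixed in vault format 1.1
KEY_LEN, IV_LEN = 32, 16    # AES-256 key length, AES block-size IV

# The encrypt_string output shown on this page (plaintext 'P@ssw0rd'), used as sample input.
PAGE_ENVELOPE = """$ANSIBLE_VAULT;1.1;AES256
31313332623736393962306239386565356536663533343665653565336265373265373166326565
6166646561303163376336363834636633373538346632310a356166393237333865623863336133
64343962336462356336303239663633316364393137633263366334376533303766393262653561
6638303531626238630a613161663932376333633539656334336465383238623330393832666136
6666"""


def parse_envelope(text):
    """Split an envelope into its header fields and the three binary parts it carries."""
    lines = [line.strip() for line in text.strip().splitlines()]
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != VAULT_HEADER or fields[2] != "AES256":
        raise ValueError("not an $ANSIBLE_VAULT AES256 envelope")
    # Format 1.2 adds a vault-id label as a fourth header field; the body layout is unchanged.
    vault_id = fields[3] if len(fields) > 3 else None
    # Outer hex layer -> ASCII text "salt_hex\nhmac_hex\nciphertext_hex"
    inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
    salt_hex, mac_hex, ct_hex = inner.split("\n")
    return {
        "version": fields[1],
        "vault_id": vault_id,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(mac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), the 32/32/16 split vault 1.1 uses."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def verify_password(text, password):
    """True when the HMAC over the ciphertext validates under this password."""
    env = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    # constant-time comparison, as a MAC check should be
    return hmac.compare_digest(expected, env["hmac"])


def build_envelope(password, ciphertext, salt=None):
    """Wrap already-encrypted bytes in a 1.1 envelope: salt, HMAC, double hex, 80-column lines.

    The caller supplies the ciphertext (AES-CTR encryption is out of scope here).
    """
    salt = os.urandom(32) if salt is None else salt
    _, hmac_key, _ = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    inner = "\n".join([salt.hex(), mac_hex, ciphertext.hex()]).encode("ascii")
    body = inner.hex()
    wrapped = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join([f"{VAULT_HEADER};1.1;AES256"] + wrapped)


if __name__ == "__main__":
    parts = parse_envelope(PAGE_ENVELOPE)
    print("salt bytes:", len(parts["salt"]), "hmac bytes:", len(parts["hmac"]),
          "ciphertext bytes:", len(parts["ciphertext"]))
    # constructed sample: 16 bytes standing in for one AES block of ciphertext
    sample = build_envelope("sample-vault-password", bytes(16))
    print("password accepted:", verify_password(sample, "sample-vault-password"))
    print("wrong password accepted:", verify_password(sample, "not-the-password"))
```

Note that the page's blob decodes to a 32-byte salt, a 32-byte HMAC and a 16-byte ciphertext: 'P@ssw0rd' is 8 bytes and is padded to one AES block before encryption, which is why even a short secret produces a blob of this size. The vault password that produced it is not on the page, so only its structure can be checked; the verification path is exercised on an envelope the block builds itself.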
== Problems
=== secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode
In this example **mysecret** is a string encrypted with ansible-vault, and it is piped straight into ''password_hash'':
<code>
fatal: [remote]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ mysecret | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}
</code>
==== Solution
Source: https://gist.github.com/douglasmiranda/f21a4481d372ae54fcf4a6ff32249949
<code yaml>
- name: "Create main user"
  user:
    name: "myuser"
    password: "{{ '%s' | format(mysecret) | password_hash('sha512') }}"
  # ...
</code>
''%s | format(mysecret)'' converts the vault object into a plain string (the value is decrypted at that point), so ''password_hash'' receives the text it expects.