ansible: store host password
75
system/ansible/store_password.md
Normal file
@@ -0,0 +1,75 @@
|
|||||||
|
---
|
||||||
|
title: "Store Host Password"
|
||||||
|
tags: [ "system", "ansible" ]
|
||||||
|
---
|
||||||
|
|
||||||
|
Make a hosts file with one host (your computer) and one variable, just to test:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
hosts_file=hosts
|
||||||
|
fort="$(fortune -s | head -1)"
|
||||||
|
cowvar=cowsays
|
||||||
|
|
||||||
|
echo "[cows]
|
||||||
|
$HOSTNAME $cowvar='${fort}'" > "${hosts_file}"
|
||||||
|
```
|
||||||
|
|
||||||
|
Now ansible should be able to show that '${cowvar}' in a debug message:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ansible -i "$hosts_file" -m debug -a "msg='{{ ${cowvar} }}'" $HOSTNAME
|
||||||
|
```
|
||||||
|
|
||||||
|
Now to convert the hosts file to yaml, because it's very fashionable:
|
||||||
|
|
||||||
|
|
||||||
|
```sh
|
||||||
|
yaml_hosts=hosts.yaml
|
||||||
|
ansible-inventory -i ${hosts_file} --list -y | tee "${yaml_hosts}"
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you should see where the `cowsays` variable goes.
|
||||||
|
You can safely place your `sudo` password next to that variable goes with `ansible-vault`, which will encrypt just that string.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
pass="your password"
|
||||||
|
ansible-vault encrypt_string --name='ansible_sudo_pass' "${pass}"
|
||||||
|
```
|
||||||
|
|
||||||
|
If that works, you can add the password, but in `yaml` format.
|
||||||
|
You can do this manually, or use `gawk` to add ten spaces in front of the lines:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
pass="your password"
|
||||||
|
ansible-vault encrypt_string --name='ansible_sudo_pass' "${pass}" | awk '{print " " $0}' >> "${yaml_hosts}"
|
||||||
|
```
|
||||||
|
|
||||||
|
Now to check that the inventory file works okay:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ansible-inventory -i ${yaml_hosts} --list -y
|
||||||
|
ansible -i "$hosts_file" -m debug -a "msg='{{ ${cowvar} }}'" $HOSTNAME
|
||||||
|
```
|
||||||
|
|
||||||
|
If that works, you can echo the debug message while becoming root.
|
||||||
|
Just add the `-J` flag so it will ask for the password:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ansible -i "${yaml_hosts}" -m debug -a "msg='{{ ${cowvar} }}'" $HOSTNAME --become -J
|
||||||
|
ansible -i "${yaml_hosts}" -m debug -a "msg={{ ansible_sudo_pass }}" $HOSTNAME --become -J
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you can update using Ansible.
|
||||||
|
|
||||||
|
For Arch Linux:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ansible -i "${yaml_hosts}" -m community.general.pacman -a 'upgrade=true update_cache=true' $HOSTNAME --become -J
|
||||||
|
```
|
||||||
|
|
||||||
|
For Debian:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ansible -i "${yaml_hosts}" -m ansible.builtin.apt -a 'upgrade=full' $HOSTNAME --become -J
|
||||||
|
```
|
||||||
|
|
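Review bot: the two `ansible-vault encrypt_string` steps put the sudo password in a shell variable and then on the command line (`pass="your password"` followed by `"${pass}"`), so it ends up in shell history and is visible in the process list while the command runs. Suggest reading it from stdin instead, e.g. `ansible-vault encrypt_string --stdin-name 'ansible_sudo_pass'`, and saying so in the text. Smaller points in the same file: the check after appending the vaulted string runs `ansible -i "$hosts_file"`, which tests the old INI inventory rather than `${yaml_hosts}`; the prose promises ten spaces via `gawk` but the command is `awk '{print " " $0}'`, and `>>` only places the value under the host if that host block is the last thing in the YAML file; "Just add the `-J` flag so it will ask for the password" should say it is the vault password being asked for, not the sudo one; the final debug command with `msg={{ ansible_sudo_pass }}` prints the decrypted password to the terminal, which deserves a sentence telling the reader it is a one-off check; and "next to that variable goes with `ansible-vault`" has a stray "goes".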