This page covers Ansible management.

Every command has to be run from the root directory of your local copy of the git repository.

Prerequisites

You will need ansible, ansible-lint, git, and our ansible git repo.

  • Get the repo:
    • $ git clone ssh://skwotcustom:./repos/ansible.git
      • A backup is available at https://0xacab.org/squatnet/ansible
    • See SSH to configure your SSH client

Run the whole ansible playbook

$ ansible-playbook site.yml

Run in check mode, which does nothing on the hosts and only reports what would have been done:

$ ansible-playbook --check --diff site.yml

--check is only honoured when it is the first argument.

You can omit --diff if ansible.cfg has always=yes in its [diff] section.

Add a public key for machines to be backed-up or for admins to recover backups

In the git repo:

  • Add a file in roles/backup_server/files/ containing the pubkey
  • Add a block in roles/backup_server/vars/main.yml in the authorized_users category:
    • - host: <hostname of the client>
        key_file: <name of the file added before containing the pubkey>
  • Check your changes (ansible-playbook --check --diff, as shown above)
  • Apply changes
  • Commit and push the git repo

Encrypt single vars

$ ansible-vault encrypt_string

If the vault in the repo is configured to use OpenPGP, Ansible will ask for your OpenPGP passphrase, using your default pinentry program.

Then it asks you, in the terminal, for the value of the variable you want to encrypt. Type it, press Enter, then ctrl+D; the encrypted value is printed, such as:

!vault |
      $ANSIBLE_VAULT;1.1;AES256
      37316532646363663934373738306437383731313031303739303837386561383234376664386565
      3039376637306137303663653539373666366539366166640a363934366565363463653161363865
      64386663313438343831623666363337663531656462663539343337336565646230643830636636
      6166656161396632390a616435663532353065353334323536316337653364353234383234396161
      3035

Use this whole block as the value of any variable definition.

Add keys able to open the vault

We use the vault function of ansible to encrypt secret vars. The vault function needs a passphrase. This passphrase was randomly generated once and is stored encrypted with GnuPG, so the vault passphrase file must be encrypted to all s!n members' keys.

Replace all KEYID* with actual key ids. Write the result to a temporary file first: the shell truncates the redirection target before the decrypt step reads it, so redirecting straight back to vault/vault-passphrase would empty the file.

$ gpg --batch --quiet --decrypt vault/vault-passphrase | \
    gpg --batch --quiet --armor --encrypt -r KEYID1 -r KEYID2 [ -r KEYID3 …] > vault/vault-passphrase.new
$ mv vault/vault-passphrase.new vault/vault-passphrase

Afterwards, please make sure the new vault-passphrase file is encrypted with everyone's key! (gpg --list-packets lists the recipient key ids, one ":pubkey enc packet:" line per key.)
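As an added example (not part of this wiki page or the ansible repo), a POSIX sh check that parses the recipient key ids out of `gpg --list-packets` output and reports which expected key ids are missing; the packet listing and the key ids in it are constructed placeholders, and `KEYIDS` is assumed to hold the real member key ids.

```shell
#!/bin/sh
# Added example, not part of the wiki or the ansible repo: verify that a
# GnuPG-encrypted file (such as vault/vault-passphrase) is encrypted to every
# expected OpenPGP key id, by parsing the ":pubkey enc packet:" lines that
# `gpg --list-packets` prints for each recipient.

# Constructed sample listing (placeholder key ids, not real member keys).
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid AAAAAAAAAAAAAAA1
        data: [2047 bits]
:pubkey enc packet: version 3, algo 1, keyid BBBBBBBBBBBBBBB2
        data: [2048 bits]
:encrypted data packet:
        length: 94
        mdc_method: 2'

# Print the recipient key ids (uppercase, deduplicated) found on stdin.
recipients_from_packets() {
    awk '/^:pubkey enc packet:/ {
            for (i = 1; i <= NF; i++) if ($i == "keyid") print toupper($(i + 1))
         }' | sort -u
}

# missing_keys "KEYID1 KEYID2 ..." < packet-listing
# Prints each expected key id that is not a recipient; exit 1 if any is missing.
# A keyid of all zeros means the recipient was hidden (--throw-keyids) and
# cannot be checked this way, so a warning goes to stderr.
missing_keys() {
    found=$(recipients_from_packets)
    status=0
    if printf '%s\n' "$found" | grep -qx '0000000000000000'; then
        echo 'warning: hidden recipient present, cannot verify all keys' >&2
    fi
    for k in $1; do
        k=$(printf '%s' "$k" | tr 'a-f' 'A-F')
        if ! printf '%s\n' "$found" | grep -qx "$k"; then
            echo "$k"
            status=1
        fi
    done
    return $status
}

# Real use (KEYIDS is assumed to hold all s!n member key ids):
#   gpg --list-packets vault/vault-passphrase | missing_keys "$KEYIDS"
# Demo on the constructed listing: CCCCCCCCCCCCCCC3 is reported as missing.
printf '%s\n' "$SAMPLE_PACKETS" | missing_keys "AAAAAAAAAAAAAAA1 CCCCCCCCCCCCCCC3" \
    || echo 'some expected keys are missing' >&2
```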