
Installing and running

Prior to following the steps below, you need to set up the ssh agent to work with the gpg key from your yubikey and also the pass password store.

  1. Install the required packages with install-requirements.sh
  2. Run the playbook with run-playbook.sh
    • The script automatically fetches the required passwords from the password store

The playbook requires the user ansible to be present on the target systems, with the yubikey ssh key as an authorized key and membership in the sudoers group.

The required password to be set on the ansible user can be found in pass wholteza/network/lilleback/ansible/ansible.

While the playbook is running, fetched passwords will be placed in the .temp directory. Any script that creates that directory must delete it afterwards.

Making changes to the vault

The vault encryption is managed by ansible-vault + passwords from pass.

Use ./decrypt-vault.sh to turn the file into clear text and ./encrypt-vault.sh to encrypt it again.

There is a pre-commit git hook that will prevent you from committing if the file is clear text.

Be careful: at the moment the hook does not catch the case where a non-encrypted version of the vault is staged while the unstaged file is encrypted, so you will still be able to commit.
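One way to close that gap is to inspect the staged copy of the vault instead of the file on disk. The sketch below is an added example, not this repository's hook; the vault file name vault.yml and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's own hook.
# Assumption: the vault lives at vault.yml relative to the repository root
# (git runs hooks from the top of the working tree).
VAULT_FILE="${VAULT_FILE:-vault.yml}"

# Succeeds when stdin starts with the ansible-vault envelope header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256". Empty input counts as not encrypted.
is_vault_encrypted() {
    first_line=
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the copy of file $1 in the index is safe to commit.
# ":path" names the staged blob, so the working tree copy is never consulted.
staged_vault_ok() {
    # Not in the index (never added, or staged for deletion): nothing to leak.
    git cat-file -e ":$1" 2>/dev/null || return 0
    git show ":$1" | is_vault_encrypted
}

# Entry point for a pre-commit hook.
pre_commit_check() {
    if ! staged_vault_ok "$VAULT_FILE"; then
        echo "refusing to commit: staged $VAULT_FILE is not ansible-vault encrypted" >&2
        return 1
    fi
}
```

To use it, source or paste the functions into .git/hooks/pre-commit and end the hook with pre_commit_check || exit 1.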

Generating passwords for the vault file

  1. Use generate-password.sh to generate a hash of your password.