## Installing and running

Before following the steps below, set up the ssh agent to work with the gpg key from your yubikey, and set up the `pass` password store.

1. Install the required packages with `install-requirements.sh`
2. Run the playbook with `run-playbook.sh`
   - The script automatically fetches the required passwords from the password store

The playbook requires the user `ansible` to be present on the target systems, with the yubikey ssh key as an authorized key, and to be a member of the sudoers group. The password to set on the ansible user can be found in `pass wholteza/network/lilleback/ansible/ansible`.

While running, fetched passwords will be placed in the `.temp` directory. Any script that creates that directory must delete it afterwards.

## Making changes to the vault

The vault encryption is managed by `ansible-vault` with passwords from `pass`.

Use `./decrypt-vault.sh` and `./encrypt-vault.sh` to convert the file to clear text and back.

There is a pre-commit git hook that prevents you from committing if the file is clear text. Be careful: at the moment, if a non-encrypted version of the vault is staged while the unstaged file is encrypted, you will still be able to commit.

## Generating passwords for the vault file

1. Use `generate-password.sh` to generate a hash of your password.
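
The pre-commit gap noted under "Making changes to the vault" (a staged clear-text vault passes when the copy on disk is encrypted) closes if the hook reads the staged blob instead of the working-tree file. The following is an added example, not this repository's hook; `VAULT_FILE`, its default `vault.yml`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-commit check that inspects the STAGED vault content,
# not the working-tree file.
# Assumption: VAULT_FILE is a placeholder path; point it at the real vault file.
VAULT_FILE="${VAULT_FILE:-vault.yml}"

# Succeeds when the data on stdin starts with the ansible-vault header line.
is_vault_encrypted() {
    # read fails at EOF; still accept a final line that has no trailing newline.
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the vault is absent from the index or its staged blob is encrypted.
staged_vault_ok() {
    path="$1"
    # Not in the index (untracked or staged for deletion): nothing can leak.
    git ls-files --error-unmatch -- "$path" >/dev/null 2>&1 || return 0
    # ":path" names the blob in the index, which is exactly what the commit stores.
    git show ":$path" | is_vault_encrypted
}

# Run the check only when this file is installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! staged_vault_ok "$VAULT_FILE"; then
        echo "pre-commit: staged $VAULT_FILE is not ansible-vault encrypted." >&2
        echo "pre-commit: run ./encrypt-vault.sh, then git add the file again." >&2
        exit 1
    fi
fi
```

Git runs hooks from the top of the working tree, so `VAULT_FILE` is given relative to the repository root.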