## Installing and running

Prior to following the steps below, you need to set up the SSH agent to work with the GPG key from your YubiKey, as well as the `pass` password store.

1. Install the required packages with `install-requirements.sh`.
2. Run the playbook with `run-playbook.sh`.
   - The script automatically fetches the required passwords from the password store.

The playbook requires the user `ansible` to be present on the target systems, with the YubiKey SSH key as an authorized key, and to be a member of the sudoers group.

The password to set on the `ansible` user can be found in `pass wholteza/network/lilleback/ansible/ansible`.

While the playbook is running, fetched passwords are placed in the `.temp` directory. Any script that creates that directory must delete it afterwards.

## Making changes to the vault

The vault encryption is managed by `ansible-vault` together with passwords from `pass`.

Use `./decrypt-vault.sh` and `./encrypt-vault.sh` to turn the file into clear text and back again.

There is a pre-commit git hook that prevents you from committing if the file is in clear text.

Be careful: if a non-encrypted version of the vault is staged while the unstaged file is encrypted, you will currently still be able to commit.

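One way to close the staged-versus-unstaged gap described above, as an added example (not this repository's own hook): a pre-commit check that reads the staged blob with `git show :path` instead of the working-tree file. The vault path `vault.yml` is an assumed placeholder; the `$ANSIBLE_VAULT;` prefix is the header `ansible-vault` writes at the top of encrypted files.

```shell
#!/bin/sh
# Added example: pre-commit check on the staged vault, not the working tree.
# ASSUMPTION: vault.yml is a placeholder path for the repository's vault file.
VAULT_FILE="${VAULT_FILE:-vault.yml}"

# Succeeds when stdin starts with the header ansible-vault writes.
is_vault_encrypted() {
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the commit may proceed, 1 if a clear-text vault is staged.
check_staged_vault() {
    file="$1"
    # Skip when the file is not added, copied, modified or renamed in this commit.
    if ! git diff --cached --name-only --diff-filter=ACMR -- "$file" | grep -q .; then
        return 0
    fi
    # ":path" names the blob in the index, which is exactly what gets committed.
    if git show ":$file" | is_vault_encrypted; then
        return 0
    fi
    echo "pre-commit: staged $file is clear text; run ./encrypt-vault.sh and 'git add' it again" >&2
    return 1
}

# Run the check only when installed as .git/hooks/pre-commit.
case "$0" in
    *pre-commit) check_staged_vault "$VAULT_FILE" || exit 1 ;;
esac
```
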
## Generating passwords for the vault file

1. Use `generate-password.sh` to generate a hash of your password.