Hi, 

I am using ansible 2.5, I have gone through the best practices 
<http://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html>
 
but I fail to understand how I am supposed to properly handle 
*host-specific* files. 

My exact use case is handling VPN certificates for computers embedded in 
cars. The VPN lets the cars talk to our internal servers. 
Each deployed car has its own VPN certificate and key, allowing for 
individual revocation. The .crt and the .key files really are host 
specific. 

Here is the tree I thought I could use: 
.
├── inventories
│   ├── group_vars
│   │   └── mygroup
│   └── host_vars
│       └── demo-box
│           ├── demo-box.crt
│           ├── demo-box.key
│           └── demo-box.yml
├── playbook.yml
├── playbooks
│   └── setup.yml
└── roles
    └── linux
        └── openvpn
            ├── defaults
            │   └── main.yml
            ├── files
            ├── meta
            │   └── main.yml
            └── tasks
                └── main.yml

Unfortunately I can't seem to get the copy plugin to properly resolve the 
.key and .crt files (the host vars are indeed processed). 

My initial naive attempt for the tasks/main.yml was: 

- name: "Install client openvpn credentials"
  copy:
    src: "openvpn.{{item}}"
    dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
    mode: 0755
  with_items:
    - crt
    - key
  tags:
    - foo

When running ansible-playbook -i inventories/test.lst playbook.yml I get 
the following error: 

AnsibleFileNotFound: Could not find or access 'openvpn.crt'
Searched in:
/home/ansible/ansible/roles/linux/openvpn/files/openvpn.crt
/home/ansible/ansible/roles/linux/openvpn/openvpn.crt
/home/ansible/ansible/roles/linux/openvpn/tasks/files/openvpn.crt
/home/ansible/ansible/roles/linux/openvpn/tasks/openvpn.crt
/home/ansible/ansible/playbooks/files/openvpn.crt
/home/ansible/ansible/playbooks/openvpn.crt

So it seems that unlike vars, the default file lookup doesn't look into 
inventory_dir at all, and also that using a top-level files directory like 
in 
https://stackoverflow.com/questions/32830428/where-should-i-be-organizing-host-specific-files-templates?lq=1
 
is not going to work. Adding playbook_vars_root = all to ansible.cfg 
doesn't help either as it seems to only apply to vars. 
 
Based on 
https://www.reddit.com/r/ansible/comments/29mnp3/where_to_store_perhost_config_files/,
 
I tried using lookup like so: 

- name: "Install client openvpn credentials"
  copy:
    # the file lookup returns the file's contents (not a path), so it feeds
    # copy's content parameter rather than src
    content: "{{ lookup('file', inventory_dir + '/host_vars/' + inventory_hostname + '/openvpn.' + item) }}"
    dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
    mode: 0755
  with_items:
    - crt
    - key

but that doesn't seem to be valid anymore in 2.5 (I get an error about 
quotes but can't spot a quoting error) and this syntax is totally absent 
from 2.5 documentation.

What is the "official" recommendation for this use case? 
I guess I could create 2 string vars for the key and crt files and use 
ansible-vault encrypt-string instead of encrypt to secure the key. This is 
a relatively painful process (as opposed to simply copying the files over 
to the proper host folder) and we have tens of systems to retrofit into 
ansible. I was hoping there would be a better solution for host-specific 
credential files. 

thanks
jean

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/5c975118-37a4-42d4-aff6-e3fb9bc10852%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
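One way to wire up the tree from the question above, as an added example that is not code from the original post or from the Ansible documentation. It assumes the per-host files are named after the host as in the tree (host_vars/demo-box/demo-box.crt), uses the magic variable inventory_hostname where the question used a hostname variable, and assumes the .key file was protected with `ansible-vault encrypt`:

```yaml
# roles/linux/openvpn/tasks/main.yml (added example, not the original post's code)
# Assumed layout, taken from the tree in the question:
#   <inventory_dir>/host_vars/<inventory_hostname>/<inventory_hostname>.crt
#   <inventory_dir>/host_vars/<inventory_hostname>/<inventory_hostname>.key
- name: "Install client openvpn credentials"
  copy:
    # copy's src accepts an absolute path, which bypasses the role files/
    # search that produced the AnsibleFileNotFound error for a relative name.
    # inventory_dir and inventory_hostname are magic variables, so no extra
    # host var is needed to locate the file.
    src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/{{ inventory_hostname }}.{{ item.ext }}"
    dest: "/etc/openvpn/{{ inventory_hostname }}.{{ item.ext }}"
    owner: root
    group: root
    # the private key must not be world-readable; the certificate may be
    mode: "{{ item.mode }}"
    # a source file encrypted with `ansible-vault encrypt` is decrypted on the
    # controller before transfer (copy's decrypt option defaults to yes), so
    # the whole .key file can stay vaulted on disk instead of becoming a
    # string var
    decrypt: yes
  # keep key material out of verbose task output and logs
  no_log: true
  with_items:
    - { ext: "crt", mode: "0644" }
    - { ext: "key", mode: "0600" }
```

Keeping the modes and owner explicit matters here: the key and certificate end up with different permissions, and no_log prevents the key bytes from appearing in -v output or callback logs during the retrofit.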
