In a classical case of rubber duck debugging, I found a possible answer 
seconds after posting my message 

- name: "Install client openvpn credentials"
  copy:
    src: "{{ inventory_dir+'/host_vars/'+inventory_hostname+'/openvpn.'+item }}"
    dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
    mode: 0755
  with_items:
    - crt
    - key
  tags:
    - foo

I am still interested to know if this is a proper solution and if not what 
is the idiomatic/recommended way to handle this case. 

thanks
jean

On Wednesday, April 11, 2018 at 11:52:08 AM UTC+2, Jean Helou wrote:
>
> Hi, 
>
> I am using ansible 2.5, I have gone through the best practices 
> <http://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html>
>  
> but I fail to understand how I am supposed to properly handle 
> *host-specific* files. 
>
> My exact use case is handling vpn certificates for computers embedded in 
> cars. The vpn lets the cars talk to our internal servers.
> Each deployed car has its own vpn certificate and key allowing for 
> individual revocation. The .crt and the .key files really are host 
> specific. 
>
> Here is the tree I thought I could use: 
> .
> ├── inventories
> │   ├── group_vars
> │   │   └── mygroup
> │   └── host_vars
> │       └── demo-box
> │           ├── demo-box.crt
> │           ├── demo-box.key
> │           └── demo-box.yml
> ├── playbook.yml
> ├── playbooks
> │   └── setup.yml
> └── roles
>     └── linux
>         └── openvpn
>             ├── defaults
>             │   └── main.yml
>             ├── files
>             ├── meta
>             │   └── main.yml
>             └── tasks
>                 └── main.yml
>
> Unfortunately I can't seem to get the copy plugin to properly resolve the 
> .key and .crt files (the host vars are indeed processed) 
>
> My initial naive attempt for the tasks/main.yml was 
>
> - name: "Install client openvpn credentials"
>   copy:
>     src: "openvpn.{{item}}"
>     dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
>     mode: 0755
>   with_items:
>     - crt
>     - key
>   tags:
>     - foo
>
> When running ansible-playbook -i inventories/test.lst playbook.yml I get 
> the following error
>
> AnsibleFileNotFound: Could not find or access 'openvpn.crt'
> Searched in:
> /home/ansible/ansible/roles/linux/openvpn/files/openvpn.crt
> /home/ansible/ansible/roles/linux/openvpn/openvpn.crt
> /home/ansible/ansible/roles/linux/openvpn/tasks/files/openvpn.crt
> /home/ansible/ansible/roles/linux/openvpn/tasks/openvpn.crt
> /home/ansible/ansible/playbooks/files/openvpn.crt
> /home/ansible/ansible/playbooks/openvpn.crt
>
> So it seems that unlike vars, default file lookup doesn't look into 
> inventory_dir at all, and also that using a top-level files directory like 
> in 
> https://stackoverflow.com/questions/32830428/where-should-i-be-organizing-host-specific-files-templates?lq=1
> is not going to work. Adding playbook_vars_root = all to ansible.cfg 
> doesn't help either as it seems to only apply to vars.
>  
> Based on 
> https://www.reddit.com/r/ansible/comments/29mnp3/where_to_store_perhost_config_files/,
> I tried using lookup like so 
>
> - name: "Install client openvpn credentials"
>   copy:   # module line restored; src/dest/mode are indented as its parameters
>     src: "{{ lookup('file', inventory_dir + '/host_vars/' + inventory_hostname + '/openvpn.' + item) }}"
>     dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
>     mode: 0755
>   with_items:
>     - crt
>     - key
>
> but that doesn't seem to be valid anymore in 2.5 (I get an error about 
> quotes but can't spot a quoting error) and this syntax is totally absent 
> from 2.5 documentation.
>
> What is the "official" recommendation for this use case? 
> I guess I could create 2 string vars for the key and crt files and use 
> ansible-vault encrypt-string instead of encrypt to secure the key. This is 
> a relatively painful process (as opposed to simply copying the files over 
> to the proper host folder) and we have tens of systems to retrofit into 
> ansible. I was hoping there would be a better solution for host-specific 
> credential files. 
>
> thanks
> jean
>
>

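An added example (not Jean's code, not from the Ansible docs) of how the working task above could be hardened for a private key: per-file modes instead of 0755 on everything, the key kept out of task output, and the vault-encrypted .key decrypted by copy on the way out. It assumes the files sit in <inventory_dir>/host_vars/<inventory_hostname>/openvpn.{crt,key} as in the tree above, that the .key was protected with `ansible-vault encrypt`, and that openssl is installed on the target for the validate step.

```yaml
# roles/linux/openvpn/tasks/main.yml (added example; names are assumptions)
- name: "Install client openvpn credentials"
  copy:
    # same per-host path as the working solution in the thread
    src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/openvpn.{{ item.ext }}"
    # inventory_hostname used here instead of the thread's {{ hostname }} var
    dest: "/etc/openvpn/{{ inventory_hostname }}.{{ item.ext }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
    # src files encrypted with `ansible-vault encrypt` are decrypted in
    # transit; this is copy's default, spelled out so nobody turns it off
    decrypt: yes
    # sanity-check the file on the target before it replaces the old one
    validate: "{{ item.validate }}"
  loop:
    # certificate is public: world-readable is fine
    - { ext: crt, mode: "0644", validate: "openssl x509 -noout -in %s" }
    # private key: owner-only, never 0755; `pkey` works for RSA and EC keys
    - { ext: key, mode: "0600", validate: "openssl pkey -noout -in %s" }
  # keep key material out of -v output and logs; set to false only while debugging
  no_log: true
  tags:
    - openvpn
```

With no_log set, a failing copy hides its error text as well, so re-run with `no_log: false` when debugging a path problem like the AnsibleFileNotFound above.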