Describe new vault approach

2020-03-21 23:20:52 +01:00 · 2020-03-21 23:20:52 +01:00 · 642c17e917
commit 642c17e917
parent b9e031be7d
1 changed files with 22 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -18,7 +18,7 @@ $ dokku plugin:install-dependencies

 ## Usage

-All files must be placed within the `ansible` folder of your git repository. Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook. Dokku will make sure that your Ansible plays are run on the right hook against the Dokku server localhost.
+All files must be placed within the `ansible` folder of your git repository. Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook. Dokku will make sure that your Ansible plays are run on various hooks against the Dokku server localhost.

 - `requirements.yml`: what role dependencies to download before running your plays.
 - `pre-deploy.yml`: play run before a deployment
@ -27,21 +27,15 @@ All files must be placed within the `ansible` folder of your git repository. Eve

 ## Passwords

-You can place a `ansible/.vault.sh` script that produces your [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html password. This file will be copied over to `$DOKKU_LIB_ROOT/data/ansible/$APP` and locked down with the correct read-only permissions for the Dokku user account. This will then be used as the [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password file which can be used to decrypt secrets.
+Ansible uses the [vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password file which can be used to decrypt secrets.

-Don't forget to `chmod +x` it and also **add this file to your `.gitignore`**, you've been warned!
-
-Here's an example `ansible/.vault.sh` file.
+To get started with enabling this, you should generate a vault password for your self and run the following on your Dokku host.

 ```bash
-#!/bin/bash
-
-set -eu -o pipefail
-
-echo "my-cool-vault-password"
+$ dokku ansible-playbook:add-vault-password
 ```

-So, if you then encrypt a secret:
+Then you can start to encrypt your passwords on your local machine with the following.

 ```bash
 $ ansible-vault \
@ -51,11 +45,26 @@ $ ansible-vault \
  mysecretvalue
 ```

-You can place this output in your plays and it can be successfully decrypted on the remote Dokku host.
+Where `ansible/.vault.sh` might look like this.
+
+```bash
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo "my-cool-vault-password"
+```
+
+Then for example, if you want to pass a sudo password, you might include a `vars.yml`.
+
+```yaml
+---
+ansible_become_password: !vault ...
+```

 ## Permissions

-Since the `dokku` user account runs the plays on the host, you will need to deal with sudo permissions when you want to use `become: true` to run a privilege escalation to the root account. In order to do this, you'll need to 1) run `passwd dokku` as the root user and set an account password and 2) add the `dokku` user account to the sudoers group (`usermod -aG sudo dokku`).
+Since the `dokku` user account runs the plays on the host, you will need to deal with sudo permissions when you want to use `become: true` to run a privilege escalation to the root account. You can give your `dokku` user account passwordless sudo access but that would give a lot of power to people who can get access to that user account. A solution to this can be to add your `dokku` to the sudoers group, give the account a password (`passwd dokku && usermod -aG sudo dokku`) and pass `ansible_become_password` in as a variable.

 ## Example