autonomic-cooperative
/
dokku-ansible-playbook
Archived
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Describe new vault approach

This commit is contained in:
Luke Murphy 2020-03-21 23:20:52 +01:00
parent b9e031be7d
commit 642c17e917
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC
1 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@ -18,7 +18,7 @@ $ dokku plugin:install-dependencies
## Usage
All files must be placed within the `ansible` folder of your git repository. Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook. Dokku will make sure that your Ansible plays are run on the right hook against the Dokku server localhost.
All files must be placed within the `ansible` folder of your git repository. Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook. Dokku will make sure that your Ansible plays are run on various hooks against the Dokku server localhost.
- `requirements.yml`: what role dependencies to download before running your plays.
- `pre-deploy.yml`: play run before a deployment
@ -27,21 +27,15 @@ All files must be placed within the `ansible` folder of your git repository. Eve
## Passwords
You can place a `ansible/.vault.sh` script that produces your [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html password. This file will be copied over to `$DOKKU_LIB_ROOT/data/ansible/$APP` and locked down with the correct read-only permissions for the Dokku user account. This will then be used as the [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password file which can be used to decrypt secrets.
Ansible uses the [vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password file which can be used to decrypt secrets.
Don't forget to `chmod +x` it and also **add this file to your `.gitignore`**, you've been warned!
Here's an example `ansible/.vault.sh` file.
To get started with enabling this, you should generate a vault password for your self and run the following on your Dokku host.
```bash
#!/bin/bash
set -eu -o pipefail
echo "my-cool-vault-password"
$ dokku ansible-playbook:add-vault-password
```
So, if you then encrypt a secret:
Then you can start to encrypt your passwords on your local machine with the following.
```bash
$ ansible-vault \
@ -51,11 +45,26 @@ $ ansible-vault \
mysecretvalue
```
You can place this output in your plays and it can be successfully decrypted on the remote Dokku host.
Where `ansible/.vault.sh` might look like this.
```bash
#!/bin/bash
set -eu -o pipefail
echo "my-cool-vault-password"
```
Then for example, if you want to pass a sudo password, you might include a `vars.yml`.
```yaml
---
ansible_become_password: !vault ...
```
## Permissions
Since the `dokku` user account runs the plays on the host, you will need to deal with sudo permissions when you want to use `become: true` to run a privilege escalation to the root account. In order to do this, you'll need to 1) run `passwd dokku` as the root user and set an account password and 2) add the `dokku` user account to the sudoers group (`usermod -aG sudo dokku`).
Since the `dokku` user account runs the plays on the host, you will need to deal with sudo permissions when you want to use `become: true` to run a privilege escalation to the root account. You can give your `dokku` user account passwordless sudo access but that would give a lot of power to people who can get access to that user account. A solution to this can be to add your `dokku` to the sudoers group, give the account a password (`passwd dokku && usermod -aG sudo dokku`) and pass `ansible_become_password` in as a variable.
## Example