autonomic-cooperative/dokku-ansible-playbook
Archived
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update README about vault setup

Browse Source
This commit is contained in:
Luke Murphy 2020-03-21 01:08:57 +01:00
parent 58535c1ccc
commit 83cf0538c0
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC
1 changed files with 40 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
README.md
View File

@ -6,8 +6,8 @@ This plugin can be useful when you need to provision your server before or after
## Requirements ## Requirements
* dokku 0.19.13+ - dokku 0.19.13+
* Debian based system (uses `apt` package manager for installing dependencies) - Debian based system (uses `apt` package manager for installing dependencies)
## Installation ## Installation
@ -20,14 +20,38 @@ $ dokku plugin:install-dependencies
All files must be placed within the `ansible` folder of your git repository. All files must be placed within the `ansible` folder of your git repository.
* `requirements.yml`: what role dependencies to download before running your plays. - `requirements.yml`: what role dependencies to download before running your plays.
* `pre-deploy.yml`: play run before a deployment - `pre-deploy.yml`: play run before a deployment
* `post-deploy.yml`: play run after a deployment - `post-deploy.yml`: play run after a deployment
Notes: - Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook.
- Dokku will make sure that your Ansible plays are run on the right hook against the Dokku server localhost.
* Everything is copied into `$DOKKU_LIB_ROOT/data/ansible/$APP` on the `post-extract` hook. ## Passwords
* Dokku will make sure that your Ansible plays are run on the right hook against the Dokku server localhost.
You can place a `ansible/.vault.sh` script (don't forget to `chmod +x` it) that looks like this:
```bash
#!/bin/bash
set -eu -o pipefail
echo "my-cool-vault-password"
```
This file will be copied over to `$DOKKU_LIB_ROOT/data/ansible/$APP` and locked down with the correct read-only permissions for the Dokku user account. This will then be used as the [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) password file which can be used to decrypt secrets.
So, if you then encrypt a secret:
```bash
$ ansible-vault \
encrypt_string \
--vault-password-file ansible/.vault.sh \
--name mysecretname \
mysecretvalue
```
You can place this in your plays and it can be successfully decrypted on the host.
## Example ## Example
@ -45,9 +69,12 @@ Notes:
--- ---
- hosts: all - hosts: all
tasks: tasks:
- name: Create foobar group - name: Configure the foobar environment
group: dokku_config:
name: foobar app: foobar
system: true restart: false
state: present config:
FOO: BAR
become: true
become_user: dokku
``` ```