{"id":19647867,"url":"https://github.com/nl2go/ansible-warrior","last_synced_at":"2025-02-27T00:32:59.639Z","repository":{"id":101457772,"uuid":"223194044","full_name":"nl2go/ansible-warrior","owner":"nl2go","description":"Ansible tutorial setting up SSH Key authentication and secret encryption","archived":false,"fork":false,"pushed_at":"2020-09-08T08:15:26.000Z","size":66,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-09T22:24:38.194Z","etag":null,"topics":["ansible","ssh","ssh-agent","vault"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nl2go.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-21T14:34:23.000Z","updated_at":"2024-04-05T14:31:54.000Z","dependencies_parsed_at":null,"dependency_job_id":"c1699f05-f3d4-488e-b6d7-23ccc306264e","html_url":"https://github.com/nl2go/ansible-warrior","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nl2go%2Fansible-warrior","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nl2go%2Fansible-warrior/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nl2go%2Fansible-warrior/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nl2go%2Fansible-warrior/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nl2go","download
_url":"https://codeload.github.com/nl2go/ansible-warrior/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240957120,"owners_count":19884673,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ssh","ssh-agent","vault"],"created_at":"2024-11-11T14:46:16.316Z","updated_at":"2025-02-27T00:32:59.613Z","avatar_url":"https://github.com/nl2go.png","language":"Dockerfile","readme":"# Ansible Warrior\n\nA tutorial that introduces the important [Ansible](https://www.ansible.com/) features around\nSSH key authentication, secret encryption and [Ansible Galaxy](https://galaxy.ansible.com/) role management required\nfor any mature Ansible project.\n\nThis project relies on [nl2go/docker-ansible](https://github.com/nl2go/docker-ansible), which provides a [Docker](https://www.docker.com/)\nimage for Ansible with additional convenience features.\n\n## Prerequisites\n\nBefore getting started, the following packages must be installed.\n\n- [Git](https://git-scm.com/downloads)\n- [Docker](https://docs.docker.com/v17.09/engine/installation/) `\u003e= 17.x`\n- [Docker Compose](https://docs.docker.com/compose/install/) `\u003e= 2.x`\n\n## Preparations\n\n1. Clone this project to the directory of your choice.\n\n        $ git clone https://github.com/nl2go/ansible-warrior.git\n        $ cd ansible-warrior\n\n## Setup\n\nThe tutorial solely involves interactions within the host machine. 
The setup\nconsists of two Docker containers:\n- `ansible` - the Ansible Controller\n- `node` - a node to be controlled by Ansible\n\nSee [docker-compose.yml](docker-compose.yml) for further details.\n\n![Setup Overview](./docs/dist/setup-overview.png \"Setup Overview\")\n\n## Scenarios\n\nUsing Ansible inside a container gets rid of very annoying issues that might appear when running it directly on the host\na.k.a the \"works on my machine\" issue set, which includes:\n\n - Missing dependencies\n - Deviating package versions\n - Local quirks of different host operating systems\n \nThose issues become even bigger when your team grows.\n\n### Key Based Authentication\nSSH key authentication is widely preferred over password authentication because it provides more flexibility and safety\nfor the user. Private keys are stored on the disk protected by a passphrase specified by the user to prevent unauthorized\naccess to the key content.\n\nThis scenario shows how to use the private key protected by a passphrase when running the Ansible container utilizing \nthe *ssh-agent* to prevent passphrase retyping.\n\n1. The test private key is located at `.docker/root/.ssh/id_rsa`.\n\n       $ ls .docker/root/.ssh\n       drwxr-xr-x 3 user  user  4096 Aug 28 12:40 .\n       drwxr-xr-x 3 user  user  4096 Aug 28 12:36 ..\n       -rw-r--r-- 1 user  user   381 Aug 28 12:36 authorized_keys\n       -rw-r--r-- 1 user  user  1766 Aug 28 12:36 id_rsa\n  \n1. Run Ansible container.\n\n        $ docker-compose run ansible\n    \n1. Specify test private key passphrase `Abcd1234`.\n\n        ...\n        Starting SSH Agent.\n        Enter passphrase for /root/.ssh/id_rsa: \n\n1. Ensure test private key was added to the SSH agent.\n\n        ...\n        Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)\n        ...\n \n1. 
Inspect `key_authentication` Ansible playbook.\n\n        $ cat key_authentication.yml\n        ---\n        - hosts: node\n          gather_facts: no\n          tasks:\n            - name: Test SSH connection using private/public key pair.\n              ping:\n \n    The playbook connects to the remote `node` host and executes the `ping` module, which performs basic\n    connection and host sanity checks.\n    \n1. Run `key_authentication` Ansible playbook.\n\n        $ ansible-playbook -i inventories/dev/hosts.ini key_authentication.yml\n        \n        PLAY [node] ****************************************************\n        \n        TASK [Test SSH connection using private/public key pair.] ******************\n        ok: [node]\n        \n        PLAY RECAP *****************************************************************\n        node           : ok=1    changed=0    unreachable=0    failed=0   \n\n1. Exit Ansible container.\n    \n        $ exit\n\n#### Recap\nYou have successfully run the playbook `key_authentication.yml` against `node` host using SSH key authentication.\n\n### Ansible Galaxy Role\n\nIn advanced Ansible projects it's not uncommon to rely on already existing roles created and shared by the community members\nas roles within [Ansible Galaxy](https://galaxy.ansible.com/).\n\nThis scenario shows how to handle the role dependency management.\n\n1. Inspect `galaxy_role.yml` to extract the required role dependencies.\n\n        $ cat galaxy_role.yml \n          ---\n          - hosts: node\n            become: true\n            roles:\n              - role: chusiang.helloworld\n\n    The playbook `galaxy_role` relies on the Ansible Galaxy role `chusiang.helloworld`.\n    To be able to execute the playbook the role must be installed first.\n\n1. 
Create `requirements.yml` within the `roles` directory as required by [Ansible Tower](https://www.ansible.com/products/tower).\n\n        $ mkdir roles \u0026\u0026 touch roles/requirements.yml\n        \n1. Add `chusiang.helloworld` role to the `roles/requirements.yml`.\n\n        $ echo '- src: chusiang.helloworld' \u003e roles/requirements.yml\n\n1. Inspect the content of `roles/requirements.yml`.\n\n        $ cat roles/requirements.yml\n        - src: chusiang.helloworld\n        \n    The `requirements.yml` now contains the required role dependency that will be installed\n    from the Ansible Galaxy.\n\n1. Run Ansible container.\n\n        $ docker-compose run ansible\n        Skipping SSH Agent start. No private key was found at /tmp/.ssh/id_rsa.\n        Skpping Anisble Vault password decryption. No .vault-password files present.\n        Installing Ansible Galaxy roles from /ansible/roles/requirements.yml.\n        - downloading role 'helloworld', owned by chusiang\n        - downloading role from https://github.com/chusiang/helloworld.ansible.role/archive/master.tar.gz\n        - extracting chusiang.helloworld to /root/.ansible/roles/chusiang.helloworld\n        - chusiang.helloworld (master) was installed successfully\n        \n1. Run `galaxy_role.yml` playbook.\n\n        $ ansible-playbook -i inventories/dev/hosts.ini galaxy_role.yml\n\n1. Exit Ansible container.\n    \n        $ exit\n        \n1. Remove `roles/requirements.yml`.\n\n        $ rm roles/requirements.yml\n\n#### Recap\nYou have successfully installed an Ansible Galaxy Role and run the `galaxy_role.yml` playbook.\n\n### Ansible Vault Master Password\n\nWorking with Ansible Vault passwords directly can be cumbersome since it's common to protect the secrets using at least one\ndedicated password per inventory or environment. Besides that the secret for a specific inventory/environment must be \nspecified on every playbook execution. 
This might reduce productivity while working with Ansible.\n\nTo overcome these issues, a personal master password can be used to encrypt the Ansible Vault inventory/environment\npassword.\n\nThis scenario shows how to encrypt and persist the Ansible Vault inventory/environment password protected by a personal\nmaster password.\n\n1. Run Ansible container.\n\n        $ docker-compose run ansible\n        \n1. Generate the encrypted vault password file for the `dev` inventory using the master password `master` and the inventory Vault\npassword `Abcd1234`.\n\n        $ cd inventories/dev\n        $ ansible-encrypt-vault-password\n        Enter the master password for .vault-password files:\n        Enter the vault password for dev inventory:\n        Created /ansible/inventories/dev/.vault-password.\n        \n1. Inspect the content of the encrypted vault password file:\n\n        $ cat .vault-password\n        Salted__��iwC�Z���+'�|���;��       \n        \n1. Exit Ansible container.\n    \n        $ exit\n\n1. Run Ansible container and specify the Vault master password `master`.\n\n        $ docker-compose run ansible\n        Skipping SSH Agent start. No private key was found at /tmp/.ssh/id_rsa.\n        Decrypting Ansible Vault passwords.\n        Enter decryption password for .vault-password files: \n        Decrypting /ansible/inventories/dev/.vault-password.\n        Skipping Ansible Galaxy roles installation. No /ansible/roles/requirements.yml file present.\n\n1. 
Run `vault_master_password` playbook.\n\n        $ ansible-playbook -i inventories/dev/hosts.ini vault_master_password.yml\n        \n        PLAY [localhost] ***********************************************************\n        \n        TASK [Gathering Facts] *****************************************************\n        ok: [localhost]\n        \n        TASK [debug] ***************************************************************\n        ok: [localhost] =\u003e {\n            \"msg\": \"foobar123\"\n        }\n        \n        PLAY RECAP *****************************************************************\n        localhost                  : ok=2    changed=0    unreachable=0    failed=0   \n\n1. Exit Ansible container.\n    \n        $ exit\n        \n#### Recap\n\nYou have successfully run the `vault_master_password` playbook while decrypting the `secret_message` variable to `Hello World!`.\n\n### Ansible Vault Secret\n\nTo protect sensitive data it must be encrypted before sharing it with remote sources. In general any kind of passwords,\nsecrets or keys must be encrypted.\n\nThis scenario shows how to encrypt arbitrary values for particular inventories/environments. It relies on the existing\nencrypted Vault password file for the `dev` inventory located at `inventories/dev/.vault-password` from the previous\nscenario.\n\n1. Run Ansible container.\n\n        $ docker-compose run ansible\n        \n1. Run Ansible container and specify the Vault master password `master`.\n\n        $ docker-compose run ansible\n        Skipping SSH Agent start. No private key was found at /tmp/.ssh/id_rsa.\n        Decrypting Ansible Vault passwords.\n        Enter decryption password for .vault-password files: \n        Decrypting /ansible/inventories/dev/.vault-password.\n        Skipping Ansible Galaxy roles installation. No /ansible/roles/requirements.yml file present.\n        \n1. 
Encrypt secret value `foobar123` for the `dev` inventory.\n\n        $ ansible-vault encrypt_string --encrypt-vault-id 'dev' 'foobar123'\n        !vault |\n                  $ANSIBLE_VAULT;1.2;AES256;dev\n                  34313833626331373036336338663831333833356532306363336532306362376232653835613035\n                  6131303730313238633938636564663866356164383735610a353133613363663239326337313231\n                  64333737343634356531383864313031333134646264373035626363363865343037306436363462\n                  3832363461623233620a383135343062643433613763656462623565346363303866376264643661\n                  6236\n        Encryption successful\n\n1. Replace the plain `bar` value within `inventories/dev/host_vars/localhost/foo.yml` with the encrypted\nvalue from the previous step and verify the result.\n\n        $ cat inventories/dev/host_vars/localhost/foo.yml\n        ---\n        bar: !vault |\n          $ANSIBLE_VAULT;1.2;AES256;dev\n          34313833626331373036336338663831333833356532306363336532306362376232653835613035\n          6131303730313238633938636564663866356164383735610a353133613363663239326337313231\n          64333737343634356531383864313031333134646264373035626363363865343037306436363462\n          3832363461623233620a383135343062643433613763656462623565346363303866376264643661\n          6236\n         \n1. 
Run the `vault_secret` playbook.\n\n        $ ansible-playbook -i inventories/dev/hosts.ini vault_secret.yml\n        \n        PLAY [localhost] ***********************************************************\n        \n        TASK [Gathering Facts] *****************************************************\n        ok: [localhost]\n        \n        TASK [debug] ***************************************************************\n        ok: [localhost] =\u003e {\n            \"msg\": \"foobar123\"\n        }\n        \n        PLAY RECAP *****************************************************************\n        localhost                  : ok=2    changed=0    unreachable=0    failed=0   \n\n#### Recap\n\nYou have successfully encrypted an existing variable `bar` and executed the `vault_secret` playbook that\nutilizes the encrypted variable.\n\n## Maintainers\n\n- [build-failure](https://github.com/build-failure)\n\n## License\n\nSee the [LICENSE.md](LICENSE.md) file for details\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnl2go%2Fansible-warrior","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnl2go%2Fansible-warrior","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnl2go%2Fansible-warrior/lists"}