TIL Securing Your Ansible Vault
Credit for this little trick goes to Ironic Badger's Ansible GitHub repository, which in turn borrowed it from someone else!
When setting up your Ansible playbooks, drop the script below into the top-level directory of the repository and run it once from the terminal to install a pre-commit hook. The hook checks that the staged copy of your vault file is encrypted before every commit and aborts the commit if it is not. Make sure the path inside the hook (vars/vault.yaml here) matches where your vault actually lives. Note that hooks live in .git/hooks, which is not versioned, so the script has to be run again in every fresh clone.
```bash
#!/bin/bash
# sets up a pre-commit hook to ensure that vars/vault.yaml is encrypted
#
# credit goes to nick busey from homelabos for this neat little trick
# https://gitlab.com/NickBusey/HomelabOS/-/issues/355

if [ -d .git/ ]; then
    rm -f .git/hooks/pre-commit
    # Quoted heredoc delimiter: the hook text is written verbatim, so
    # $ANSIBLE_VAULT is not treated as a shell variable (which would
    # expand to nothing and leave grep matching on ';' alone).
    cat <<'EOT' > .git/hooks/pre-commit
#!/bin/sh
# Check the staged copy of the vault (git show :path); that is what gets committed.
if git show :vars/vault.yaml | grep -q '^\$ANSIBLE_VAULT;'; then
    echo "Vault Encrypted. Safe to commit."
else
    echo "Vault not encrypted! Run 'make encrypt' and try again."
    exit 1
fi
EOT
    chmod +x .git/hooks/pre-commit
fi
```

The error message refers to a `make encrypt` target that is not shown in this post; `ansible-vault encrypt vars/vault.yaml` does the same job by hand.
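The hook above guards a single hard-coded path and any `;` in a plaintext file would have satisfied the original unquoted pattern. As an added example that is not from the original post or from the HomelabOS or Ironic Badger repositories, here is a standalone pre-commit hook that checks every staged file whose name looks like a vault, inspects only the first line for the real ansible-vault header, and fails closed if `git show` cannot produce the staged content. The naming patterns (vault.yml, *_vault.yml, a vault/ directory) are assumptions; adjust them to your own layout.

```shell
#!/bin/sh
# Added example, not the hook from the original post: a pre-commit hook that
# refuses the commit if any staged file that looks like a vault is plaintext.
# Assumptions (adjust to your layout): vault files are named vault.yml,
# vault.yaml, *_vault.yml or *_vault.yaml, or live under a vault/ directory.

# An ansible-vault encrypted file begins with a header line such as
#   $ANSIBLE_VAULT;1.1;AES256
#   $ANSIBLE_VAULT;1.2;AES256;prod      (with a vault-id label)
# Only the first line is inspected, anchored at column 0, so a plaintext
# file that merely mentions the marker (or contains a ';') does not pass.
# Reads the file content on stdin; returns 0 if it is an encrypted vault.
vault_header_ok() {
    head -n 1 | grep -Eq '^\$ANSIBLE_VAULT;[0-9]+\.[0-9]+;'
}

# Decide whether a repository path is one we expect to be a vault.
is_vault_path() {
    case "$1" in
        vault.yml|vault.yaml|*/vault.yml|*/vault.yaml) return 0 ;;
        *_vault.yml|*_vault.yaml)                    return 0 ;;
        vault/*|*/vault/*)                           return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Check the staged (index) version of every vault-looking file being
# committed: that is what will land in history, not the working copy.
# --diff-filter=ACM skips deletions, which have no content to check.
# Paths are read one per line, so file names containing newlines are
# not handled (git can print NUL-separated names, but POSIX read cannot
# consume them).
check_staged_vaults() {
    list=$(mktemp) || return 1
    git diff --cached --name-only --diff-filter=ACM > "$list"
    rc=0
    while IFS= read -r path; do
        is_vault_path "$path" || continue
        # If git show fails, the pipeline yields no header and the file
        # is reported as unencrypted: fail closed rather than open.
        if git show ":$path" | vault_header_ok; then
            echo "Vault encrypted, safe to commit: $path"
        else
            echo "Vault NOT encrypted: $path" >&2
            echo "Run 'ansible-vault encrypt $path' and stage it again." >&2
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Run the check only when invoked by git as the hook (.git/hooks/pre-commit),
# so the functions above can also be sourced and exercised on their own.
case "$0" in
    *pre-commit) check_staged_vaults ;;
esac
```

Install it with `cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`, or keep it in a tracked directory and run `git config core.hooksPath .githooks` so every clone picks it up without the install script. It recognises whole-file vaults only: a vault-named file that holds nothing but inline `!vault` strings from `ansible-vault encrypt_string` is otherwise plaintext YAML and will be reported as unencrypted.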
Use a Makefile to run your Ansible playbook from the command line without typing the vault password each time. Add the entry below and put your vault password in a file named .vault-password next to it. That file is now the key to everything in the vault: keep it out of the repository (add it to .gitignore; the pre-commit hook above only checks the vault itself, not the password file) and restrict its permissions with chmod 600 .vault-password.
```makefile
remote:
	ansible-playbook ansible/playbook.remote.yml --vault-password-file .vault-password
```