August 5, 2021

TIL Securing Your Ansible Vault

Credit for this little trick goes to Ironic Badger's Ansible GitHub repository, which he in turn stole from someone else!

When setting up your Ansible playbooks, drop this script in the top directory of the repository and run it from the terminal to install the pre-commit hook. The hook checks that the staged copy of your vault is encrypted before every commit. Make sure you set the correct path for your vault!

#!/bin/bash
# sets up a pre-commit hook to ensure that vault.yaml is encrypted
#
# credit goes to nick busey from homelabos for this neat little trick
# https://gitlab.com/NickBusey/HomelabOS/-/issues/355

if [ -d .git/ ]; then
    # The quoted delimiter ('EOT') stops the shell from expanding anything while the
    # hook is written. Without it, "\$ANSIBLE_VAULT;" ends up in the hook as
    # "$ANSIBLE_VAULT;", which is expanded at commit time to just ";" and the
    # check silently passes on any file containing a semicolon.
    cat <<'EOT' > .git/hooks/pre-commit
#!/bin/sh
# Refuse the commit unless the staged copy of the vault carries the vault header.
if git show :vars/vault.yaml | grep -qF '$ANSIBLE_VAULT;'; then
    echo "Vault Encrypted. Safe to commit."
else
    echo "Vault not encrypted! Run 'make encrypt' and try again."
    exit 1
fi
EOT
    chmod +x .git/hooks/pre-commit
else
    echo "No .git directory here: run this from the repository root." >&2
    exit 1
fi
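The hook above only knows about one hard-coded path. The script below is an added example (not from the original post or from HomelabOS) that generalizes the same check to every staged file matching a vault pathspec, and matches the vault header itself on the first line rather than grepping for the string anywhere in the file. The pathspecs and the "make encrypt" hint are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-commit hook that checks
# every staged vault file instead of one fixed path. The file patterns and the
# "make encrypt" hint are assumptions about the repository layout.

# Succeeds when the text on stdin begins with an Ansible Vault header, e.g.
#   $ANSIBLE_VAULT;1.1;AES256
#   $ANSIBLE_VAULT;1.2;AES256;prod      (the vault-id form)
# Only the first line is inspected, so a plaintext file that merely mentions
# the header string somewhere else is still rejected.
is_encrypted_vault() {
    head -n 1 | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;]+)?$'
}

# Checks the *staged* copy (git show :path) of every added or modified file
# matching the given git pathspecs; an encrypted working copy with a plaintext
# version still sitting in the index is caught too. Returns 1 if any file is
# plaintext. Note that "git commit --no-verify" skips hooks entirely, so this
# is a safety net against mistakes, not a control against a determined user.
check_staged_vaults() {
    status=0
    staged=$(git diff --cached --name-only --diff-filter=AM -- "$@")
    # one path per line (file names containing newlines are not handled)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if git show ":$path" | is_encrypted_vault; then
            echo "OK: $path is encrypted"
        else
            echo "BLOCKED: $path is staged in plaintext. Run 'make encrypt' and try again." >&2
            status=1
        fi
    done <<EOF
$staged
EOF
    return "$status"
}

# Git executes the hook file directly, so only run the check when this file
# has been installed as .git/hooks/pre-commit (copy it there and chmod +x it).
case "$0" in
    */hooks/pre-commit) check_staged_vaults '*vault*.yml' '*vault*.yaml' ;;
esac
```

Git pathspec wildcards match across directory separators, so `'*vault*.yaml'` covers `vars/vault.yaml` as well as vault files in group_vars or host_vars. The header regex accepts the 1.1 format and the 1.2 vault-id format, which is what `ansible-vault` writes; anything else on the first line is treated as plaintext.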

Use a Makefile to run your Ansible playbook from the command line without typing in the vault password every time. Add the entries below and put your vault password in a file named .vault-password. That file holds the password in plaintext, so keep it out of source control (add it to .gitignore).

remote:
	ansible-playbook ansible/playbook.remote.yml --vault-password-file .vault-password
encrypt:
	ansible-vault encrypt vars/vault.yaml --vault-password-file .vault-password