# Ansible MicroOS VM setup

## Description

(Vaulted) variables for accessing the host with specific credentials are stored in the `host_vars`; they are treated as specific to how each user accesses a specific host. (Vaulted) variables for the services are stored in the `group_vars`; they are shared between all administrators of the host.

Vaults can be automatically decrypted using a GPG key (best using a connected Yubikey).

## Requirements

Create a vars file and a vault file for accessing the host following this structure. Adjust the username, become method and password.

`inventories/production/host_vars/io/vars.yml`:

```yaml
---
ansible_user: tobias
ansible_become_method: sudo
```

`inventories/production/host_vars/io/vault.yml` (create it with `ansible-vault create vault.yml` and a strong password):

```yaml
---
ansible_become_pass: EXAMPLE
```

## Automatic vault decryption setup

Vaults can have a vault ID, which is specified in the vault file. Just change the starting line in the file from `$ANSIBLE_VAULT;1.2;AES256` to `$ANSIBLE_VAULT;1.2;AES256;podman_hosts`.

Assumption: the GPG key ID intended for use is D5AF83DDD5F8523A.

Create an encrypted GPG file called `vault-passwords.gpg` for the GPG key you will be using, with content like this:

```text
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
```

This can be created ad hoc using either fish or bash. Fish supports a command called `psub`, which can be used to pipe the output of a command into a file securely. Bash can be used with a cat heredoc.

### fish

```fish
gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg (psub)
```

Then in the psub editor, enter the content:

```text
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
```

### bash

```bash
gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg <<'EOF'
VAULT_ID1 vault_password1
VAULT_ID2 vault_password2
EOF
```
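The `vault-passwords.gpg` mapping is only useful if something hands Ansible the right password for each vault ID. As an added example (not code from this repository), the hypothetical vault password client script `vault-gpg-client.py` below decrypts `vault-passwords.gpg` with gpg, looks up the ID that Ansible passes in `--vault-id`, and prints the matching password; Ansible treats a password source whose file name ends in `-client.py` as such a client, e.g. `ansible-playbook --vault-id podman_hosts@./vault-gpg-client.py site.yml`. The location of the encrypted file next to the script is an assumption.

```python
import argparse
import os
import subprocess
import sys

# Assumption: vault-passwords.gpg sits next to this script; adjust to taste.
PASSWORDS_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "vault-passwords.gpg")

def parse_vault_passwords(text: str) -> dict:
    """Parse 'VAULT_ID password' lines; blank lines and '#' comments are ignored."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # the password may itself contain spaces
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'VAULT_ID password'")
        vault_id, password = parts
        if vault_id in entries:
            raise ValueError(f"line {lineno}: duplicate vault ID {vault_id!r}")
        entries[vault_id] = password
    return entries

def lookup_password(text: str, vault_id: str) -> str:
    """Return the password for vault_id; fail loudly rather than fall back to another ID."""
    entries = parse_vault_passwords(text)
    if vault_id not in entries:
        raise KeyError(f"no password stored for vault ID {vault_id!r}")
    return entries[vault_id]

def decrypt_passwords_file(path: str = PASSWORDS_FILE) -> str:
    """Decrypt the GPG file; gpg-agent (or the Yubikey) handles the private key."""
    result = subprocess.run(["gpg", "--quiet", "--decrypt", path],
                            check=True, capture_output=True, text=True)
    return result.stdout

def main() -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument("--vault-id", required=True)  # the argument Ansible passes to client scripts
    args = parser.parse_args()
    try:
        print(lookup_password(decrypt_passwords_file(), args.vault_id))
    except (subprocess.CalledProcessError, ValueError, KeyError) as exc:
        sys.exit(f"vault client error: {exc}")  # message goes to stderr, exit status 1

if __name__ == "__main__":
    main()
```

Make the script executable and keep `vault-passwords.gpg` readable only by your user; the plaintext never touches disk, only the pipe from gpg to the script.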