I would like clarification about the new variables in the vault.yml files.
password: a_password_defined_by_me
salt: "generateme"
The `password:` can be whatever I choose, correct?
And the `salt:` can be whatever as well, OR is this the same string from `vault_sudoer_passwords:` (i.e. $6$rounds=100000$Y/qLcJ…), OR do I generate it somewhere, or ???
Thanks in advance!
3 Likes
Password can be whatever.
Salt can be whatever, so long as you have the update from roots/trellis#629.
You may generate the salt any way you wish. However, only the first 16 chars will be used, and any characters not in the regexp range [./a-zA-Z0-9] will be replaced with x. For discussion and details, see roots/trellis#628 and roots/trellis#629.
3 Likes
Can we still use an encrypted password in vault_users? I would like to keep my password secret from all the other developers who work on the project.
Thanks
@alexandcote
Recommended
I’d recommend trying for a solution that leaves the raw password in vault_users. The intention is that you use Ansible Vault to encrypt your vault.yml files so no one can see the password. I suppose you’d have to keep the vault password secret from the other developers you’ve mentioned, either by some kind of restrictive permissions on your .vault_pass file or by avoiding any such file and just using --ask-vault-pass.
Discouraged (untested)
If you prefer to list a crypted password in vault_users instead of the current setup of listing a plain text password, you could modify Trellis core (modifying core is the reason this is “discouraged”):
Step 1. List your crypted password in place of the plain text password (and drop the salt, or leave it to be ignored), e.g.
vault_users:
  - name: "{{ admin_user }}"
    password: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/
Step 2. Remove the password_hash filter from the password definition in the users role. The password parameter should be a crypted value. If you’re changing to doing your hashing manually, then you no longer need the password_hash filter:
- name: Setup users
user:
name: "{{ item.name }}"
group: "{{ item.groups[0] }}"
groups: "{{ item.groups | join(',') }}"
- password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}'
+ password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% else %}{{ None }}{% endfor %}'
state: present
shell: /bin/bash
update_password: always
with_items: "{{ users }}"
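Review bot: with the password_hash filter removed in the changed password line, whatever is in user.password reaches the user module verbatim, and because the task keeps update_password: always, any vault_users entry that still holds a plain text password (the format Step 1 replaces) is written into the account's shadow field as-is on every run; that string matches no typed password, so the account silently stops accepting logins instead of the play failing. Document in the users role that every vault_users password must now be a pre-crypted $6$ string, or add an assert task ahead of Setup users that checks each user.password starts with '$', so a mixed inventory fails at the check rather than at login.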
1 Like
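As an added example, not Trellis code, this reproduces what the reply above describes for the salt (first 16 chars kept, anything outside [./a-zA-Z0-9] replaced with x) and what the users role then computes with password_hash("sha512", salt), plus the "already crypted" check the Discouraged setup relies on. The function names, the rounds=100000 default (chosen to match the $6$rounds=100000$ strings quoted in this thread) and the sample inputs are my assumptions; the SHA512-crypt routine follows Drepper's published specification so no passlib or crypt module is needed.

```python
# Added example, not Trellis code: reproduce what the users role computes from a
# vault_users entry, i.e. password_hash("sha512", salt) after the roots/trellis#629
# salt rule (first 16 chars kept, anything outside [./a-zA-Z0-9] replaced by 'x').
import hashlib
import re
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SHA512_CRYPT_RE = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

def trellis_salt(raw):
    """Mirror the filter chain salt[:16] | regex_replace('[^./a-zA-Z0-9]', 'x')."""
    return re.sub(r"[^./a-zA-Z0-9]", "x", raw[:16])

def random_salt(n=16):
    """A salt that already passes the rule unchanged, to replace a 'generateme' placeholder."""
    return "".join(secrets.choice(B64) for _ in range(n))

def _b64_24bit(b2, b1, b0, n):
    v = (b2 << 16) | (b1 << 8) | b0
    return "".join(B64[(v >> (6 * i)) & 63] for i in range(n))

def sha512_crypt(password, salt, rounds=None):
    """Pure-Python SHA512-crypt ($6$, Drepper's spec); rounds=None means the implicit 5000."""
    pw, s, r = password.encode(), salt.encode()[:16], rounds or 5000
    b = hashlib.sha512(pw + s + pw).digest()
    a = pw + s + b * (len(pw) // 64) + b[: len(pw) % 64]
    n = len(pw)
    while n:  # one block per bit of len(pw): digest B for a 1 bit, the password for a 0 bit
        a += b if n & 1 else pw
        n >>= 1
    a = hashlib.sha512(a).digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[: len(pw)]
    sb = (hashlib.sha512(s * (16 + a[0])).digest() * (len(s) // 64 + 1))[: len(s)]
    c = a
    for i in range(r):  # the expensive part: r chained SHA-512 computations
        x = (p if i & 1 else c) + (sb if i % 3 else b"") + (p if i % 7 else b"")
        c = hashlib.sha512(x + (c if i & 1 else p)).digest()
    order = [[(i, i + 21, i + 42), (i + 21, i + 42, i), (i + 42, i, i + 21)][i % 3] for i in range(21)]
    out = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in order) + _b64_24bit(0, 0, c[63], 2)
    return "$6$" + (f"rounds={r}$" if rounds else "") + s.decode() + "$" + out

def vault_user_hash(password, salt, rounds=100000):
    """Hash the users role ends up writing for a vault_users entry (rounds assumed from the thread's hashes)."""
    return sha512_crypt(password, trellis_salt(salt), rounds)

def is_crypted(value):
    """True when a vault_users password is already a $6$ string (the 'Discouraged' setup)."""
    return bool(SHA512_CRYPT_RE.match(value))
```

Feeding the same password and salt through this and through `ansible localhost -m debug -a "msg={{ 'pw' | password_hash('sha512', 'salt') }}"` should agree on the salt part immediately; the digest only agrees when both sides use the same rounds value.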