Clarify vault.yml -- vault_users -> salt: "generateme"

I would like clarification about the new variables in the vault.yml files.

password: a_password_defined_by_me
salt: "generateme"

The password: can be whatever I choose, correct?

And the salt: can be whatever as well, OR is this the same string from vault_sudoer_passwords: (i.e. $6$rounds=100000$Y/qLcJ…), OR do I generate it somewhere, or ???

Thanks in advance!

3 Likes

Password can be whatever.

Salt can be whatever, so long as you have the update from roots/trellis#629

You may generate the salt any way you wish. However, only the first 16 chars will be used and any characters not in the regexp range [./a-zA-Z0-9] will be replaced with x. For discussion and details, see roots/trellis#628 and roots/trellis#629

3 Likes
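To make the "first 16 chars, everything outside [./a-zA-Z0-9] becomes x" rule concrete, here is a small added example (my own code, not Trellis code) that reproduces that filter chain in plain Python, builds the SHA-512 crypt setting string the hash is computed against, and generates a salt that already satisfies the rule. Function names (`normalize_salt`, `crypt_setting`, `generate_salt`, `sha512_crypt`) are my own; the `crypt` module is only used when the platform provides it, since Python removes it in 3.13.

```python
import re
import secrets
from typing import Optional

# Limits applied to user.salt by the Trellis change discussed above:
# keep the first 16 characters, replace anything outside [./a-zA-Z0-9] with "x".
SALT_LEN = 16
DISALLOWED = re.compile(r"[^./a-zA-Z0-9]")
ALPHABET = "./" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def normalize_salt(salt: str) -> str:
    """Mimic: user.salt[:16] | regex_replace("[^\\.\\/a-zA-Z0-9]", "x")."""
    return DISALLOWED.sub("x", salt[:SALT_LEN])


def crypt_setting(salt: str, rounds: Optional[int] = None) -> str:
    """Build the SHA-512 crypt(3) setting string ($6$[rounds=N$]salt) the hash is keyed on."""
    s = normalize_salt(salt)
    if rounds is None:
        return f"$6${s}"
    return f"$6$rounds={rounds}${s}"


def generate_salt(length: int = SALT_LEN) -> str:
    """Generate a salt from the allowed alphabet so the filter chain leaves it unchanged."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def sha512_crypt(password: str, salt: str) -> Optional[str]:
    """Return the full crypt(3) hash if the platform `crypt` module exists, else None.

    Assumption: a glibc-style crypt() that understands the $6$ prefix.
    """
    try:
        import crypt  # deprecated in 3.11, removed in 3.13
    except ImportError:
        return None
    return crypt.crypt(password, crypt_setting(salt))


if __name__ == "__main__":
    # The sudoer hash string from the question, if used as a salt, is truncated and mangled:
    print(normalize_salt("$6$rounds=100000$Y/qLcJ"))  # x6xroundsx100000
    fresh = generate_salt()
    print(crypt_setting(fresh))
    print(sha512_crypt("a_password_defined_by_me", fresh))
```

The third call shows why reusing the `$6$rounds=...` hash string as a salt is a poor choice: after truncation and substitution, only 16 mostly fixed characters survive, so two users sharing that habit would end up with near-identical salts. A salt drawn from the allowed alphabet passes through the filter untouched.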

Thank you! :sunglasses:

Can we still use an encrypted password in vault_users? I would like to keep my password secret from all the other developers that work on the project.

Thanks

@alexandcote

Recommended

I’d recommend trying for a solution that leaves the raw password in vault_users. The intention is that you use Ansible Vault to encrypt your vault.yml files so no one can see the password. I suppose you’d have to keep the vault password secret from the other developers you’ve mentioned, either by some kind of restrictive permissions on your .vault_pass file or by avoiding any such file and just using --ask-vault-pass.

Discouraged

(untested)
If you prefer to list a crypted password in vault_users instead of the current setup of listing a plain text password, you could modify Trellis core (modifying core is the reason this is “discouraged”):

Step 1. List your crypted password in place of the plain text password (and drop the salt, or leave it to be ignored), e.g.

vault_users:
  - name: "{{ admin_user }}"
    password: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/

Step 2. Remove the password_hash filter from the password definition in the users role. The password parameter should be a crypted value. If you’re changing to doing your hashing manually, then you no longer need the password_hash filter:

  - name: Setup users
    user:
      name: "{{ item.name }}"
      group: "{{ item.groups[0] }}"
      groups: "{{ item.groups | join(',') }}"
-     password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}'
+     password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% else %}{{ None }}{% endfor %}'
      state: present
      shell: /bin/bash
      update_password: always
    with_items: "{{ users }}"
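Review bot: with `password_hash` dropped on the `+` line, the loop no longer guards against a `vault_users` entry whose `password` is still plain text; that value is passed straight through to `user:` as if it were a crypt(3) hash, so a developer who missed Step 1 would get an account whose shadow field holds the literal password string rather than a usable hash. Consider a preceding `assert` task that each defined `user.password` starts with `$` (i.e. is already a `$6$...` value like the one in Step 1), or at least a comment on the `password:` line stating that only pre-hashed values are accepted now.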
1 Like