Where are the secrets?

[samegens]

Hi @geerlingguy!

Love that you share your personal setup with the community, thanks! I want to do the same, but secrets are holding me back. I need to install private SSH-keys for example. And of course they are encrypted with ansible-vault and the vault password is not stored in the repo, but still it doesn't feel right to share encrypted secrets with the world. So how are you handling secrets on your dev Mac? Hope to learn from you!

Cheers,

Sebastiaan

[geerlingguy]

Please see Ansible's vault guide: https://docs.ansible.com/projects/ansible/latest/vault_guide/index.html

I'll either have a vault password file I pass in on the CLI, or configure that for some projects in my ansible.cfg file. For some larger systems, I integrate with Jenkins, GitHub Actions, or Ansible Automation Platform's built-in secrets/environment variable management so it can pass in the vault password or a path to the file at runtime.

[samegens]

Thanks for replying! I already know how Ansible Vault works and I'm using it for all my secrets. Sorry if my question was not clear. In my own (Linux) dev playbook I have ssh keys, passwords etc to properly set up accounts and connections to other servers. In your (this) repo I don't see any secrets. I was wondering whether you don't use any secrets or handle them differently, maybe a second private repo? (which is the solution I'm currently thinking about)

[geerlingguy]

Ah yes; for a few projects I include an encrypted vault file. But for this one I don't, I have the secrets backed up in an encrypted disk image that I sync to my computers with Dropbox. I have a little script that copies the secrets into my .ssh folder and other .config folders separately.

I figure I'd rather hold those things out of any public repo, in case something like quantum encryption cracking is a thing and the various ciphers used are deemed insecure.

[samegens]

Thanks for sharing!