From 54f42f5948fa7837b5444109e65948b24e9aa81a Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Wed, 14 Mar 2018 12:04:11 +0800 Subject: vars: use ansible vault Credit: https://docs.ansible.com/ansible/latest/playbooks_best_practices.html#best-practices-for-variables-and-vaults --- ansible.cfg | 5 +++++ group_vars/all | 5 ----- group_vars/all/vars.yml | 10 ++++++++++ group_vars/all/vault.yml | 8 ++++++++ host_vars/vultr | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-) delete mode 100644 group_vars/all create mode 100644 group_vars/all/vars.yml create mode 100644 group_vars/all/vault.yml diff --git a/ansible.cfg b/ansible.cfg index 38640db..1c0e15d 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -14,6 +14,11 @@ timeout = 30 # uncomment this to disable SSH key host checking #host_key_checking = False +# If set, configures the path to the Vault password file as an alternative +# to specifying --vault-password-file on the command line. +# e.g., dd if=/dev/random count=1 bs=32 | openssl base64 +vault_password_file = ./private/vault_pass + # don't like cows? that's unfortunate. # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 #nocows = 1 diff --git a/group_vars/all b/group_vars/all deleted file mode 100644 index 1fdd04a..0000000 --- a/group_vars/all +++ /dev/null @@ -1,5 +0,0 @@ ---- -deploy_user: ansible -ansible_ssh_private_key_file: private/ssh/ansible.key - -# vim: set ft=yaml sw=2: # diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml new file mode 100644 index 0000000..c8834f2 --- /dev/null +++ b/group_vars/all/vars.yml @@ -0,0 +1,10 @@ +--- +# NOTE: +# Ansible Best Practices - Variables and Vaults +# https://docs.ansible.com/ansible/latest/playbooks_best_practices.html#best-practices-for-variables-and-vaults + + +deploy_user: ansible +ansible_ssh_private_key_file: ./private/ssh/ansible.key + +# vim: set ft=yaml sw=2: # diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml new file mode 100644 index 0000000..47aceae 
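Review bot: The comment added above `vault_password_file = ./private/vault_pass` in ansible.cfg shows a `dd ... | openssl base64` line without saying that it generates the vault password or how the resulting file must be handled. That file is the only thing protecting the ciphertext this commit adds in group_vars/all/vault.yml, so I would reword the comment to something like `# Generate once with: openssl rand -base64 32 > private/vault_pass (mode 0600, never committed)`. Whether `private/` is already excluded from version control is not visible in this patch and is worth confirming before the vault file is pushed. On Linux a single `bs=32 count=1` read from `/dev/random` may return fewer bytes than requested, which is another reason to prefer `openssl rand`.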
--- /dev/null +++ b/group_vars/all/vault.yml @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +36633265653732353166323733663635323362663563656236303463313731336436633363386631 +3031383935653637646134303162333431303266646433370a303133376536393261616239396464 +61306630333230303335383437643737633739306366653464623835646436616330396265316364 +6637663238323666320a383566646464633961323363616132326266343162646364623839616164 +33343763613535336464373361633862613032663738373534656162306232666161663666643832 +63396262336566303332643832373339353334656461373536383630393437313737343466393037 +373635323561386564336534623134663832 diff --git a/host_vars/vultr b/host_vars/vultr index 914a4d5..d123d1e 100644 --- a/host_vars/vultr +++ b/host_vars/vultr @@ -115,7 +115,7 @@ mail: shadowsocks: port: 8989 - password: "???" + password: "{{ vault_shadowsocks_password }}" method: "chacha20-ietf-poly1305" vpn: -- cgit v1.2.2
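Review bot: The `password: "{{ vault_shadowsocks_password }}"` line in host_vars/vultr references the vault variable directly, while the best-practices page cited in the commit message recommends an indirection layer in the plaintext vars file so that every variable name stays greppable. I would add `shadowsocks_password: "{{ vault_shadowsocks_password }}"` to group_vars/all/vars.yml and use `password: "{{ shadowsocks_password }}"` here. The definition of `vault_shadowsocks_password` is presumably inside the encrypted group_vars/all/vault.yml and cannot be checked from this patch. Tasks that render this value into a config file should probably set `no_log: true` so the secret stays out of run output, though those tasks lie outside this hunk, as does the rest of the `shadowsocks:` mapping.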