I find a need to maintain a set of passwords which either should be encrypted or alternatively never checked into the project repository.
This is a variant of the earlier topic discussed at https://groups.google.com/d/topic/ansible-project/jAX8N3RMr-I/discussion, i.e. “Secret variables / data : encryption”, which has already discussed the encryption issue, and as far as I could understand no reasonable proposal has yet evolved to go forward.
I usually maintain separate files for sensitive variables (passwords etc.) which should not get checked into the version control repository. A convention I adopt is that any file or directory that begins with an underscore is never checked into the repo. That's the convention I will use for this mail, though one could think of alternative conventions, e.g. files ending with “.private” etc.
Could we have a scenario where ansible looks up the files "" + hosts_file_name, group_vars/, host_vars/_ (alternatively _group_vars/, _host_vars/) as well? These files can be used to store sensitive variables and will not get checked into the version control repository?
I would be happy to contribute towards such a development, create and offer a pull request if this approach seems reasonable.
Note: These files could contain encrypted instead of plain-text variables as well, as discussed in the earlier post I referred to, but that's a separate feature, so I do not intend to conflate them here.
Regards,
Dhananjay
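
The convention described in the message above only protects secrets if nothing underscore-prefixed ever reaches the index. The following is an added example, not part of the original post or of Ansible: a Git pre-commit guard that rejects staged paths matching the underscore convention or the ".private" alternative. The function names are hypothetical.

```python
#!/usr/bin/env python3
"""Pre-commit guard for the underscore convention (added example, not Ansible code)."""
import subprocess
import sys
from pathlib import PurePosixPath

# Assumption: ".private" is the alternative suffix convention the post mentions.
PRIVATE_SUFFIX = ".private"


def is_private(path: str) -> bool:
    """True if any path component starts with '_' or the file name ends in '.private'.

    Checking every component covers private directories (_group_vars/...) as
    well as private files (group_vars/_webservers). Note that this also matches
    Python files such as __init__.py, so adapt it if the repo ships modules.
    """
    parts = PurePosixPath(path).parts
    if any(part.startswith("_") for part in parts):
        return True
    return bool(parts) and parts[-1].endswith(PRIVATE_SUFFIX)


def find_violations(paths):
    """Return, sorted, the paths that the convention says must stay out of the repo."""
    return sorted(p for p in paths if is_private(p))


def staged_paths():
    """Paths added, copied, modified or renamed in the index (the next commit's content)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACMR"],
        check=True, capture_output=True,
    ).stdout
    # -z gives NUL-separated raw names, so odd characters in paths are handled.
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def main() -> int:
    bad = find_violations(staged_paths())
    for path in bad:
        print(f"refusing to commit private file: {path}", file=sys.stderr)
    return 1 if bad else 0  # non-zero exit makes Git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

Saved as an executable `.git/hooks/pre-commit`, it complements ignore rules by also catching files that were force-added.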