Proper handling of host specific credential files

Hi,

I am using ansible 2.5, I have gone through the best practices but I fail to understand how I am supposed to properly handle host-specific files.

My exact use case is handling VPN certificates for computers embedded in cars. The VPN lets the cars talk to our internal servers.
Each deployed car has its own VPN certificate and key, allowing for individual revocation. The .crt and the .key files really are host-specific.

Here is the tree I thought I could use:

.
├── inventories
│   ├── group_vars
│   │   └── mygroup
│   └── host_vars
│       └── demo-box
│           ├── demo-box.crt
│           ├── demo-box.key
│           └── demo-box.yml
├── playbook.yml
├── playbooks
│   └── setup.yml
└── roles
    └── linux
        └── openvpn
            ├── defaults
            │   └── main.yml
            ├── files
            ├── meta
            │   └── main.yml
            └── tasks
                └── main.yml

Unfortunately I can't seem to get the copy plugin to properly resolve the .key and .crt files (the host vars are indeed processed).

My initial naive attempt for the tasks/main.yml was:

- name: "Install client openvpn credentials"
  copy:
    src: "openvpn.{{ item }}"
    dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
    mode: 0755
  with_items:
    - crt
    - key
  tags:
    - foo

When running ansible-playbook -i inventories/test.lst playbook.yml I get the following error:

AnsibleFileNotFound: Could not find or access 'openvpn.crt'
Searched in:
    /home/ansible/ansible/roles/linux/openvpn/files/openvpn.crt
    /home/ansible/ansible/roles/linux/openvpn/openvpn.crt
    /home/ansible/ansible/roles/linux/openvpn/tasks/files/openvpn.crt
    /home/ansible/ansible/roles/linux/openvpn/tasks/openvpn.crt
    /home/ansible/ansible/playbooks/files/openvpn.crt
    /home/ansible/ansible/playbooks/openvpn.crt

So it seems that, unlike vars, the default file lookup doesn't look into inventory_dir at all, and also that using a top-level files directory like in https://stackoverflow.com/questions/32830428/where-should-i-be-organizing-host-specific-files-templates?lq=1 is not going to work. Adding playbook_vars_root = all to ansible.cfg doesn't help either, as it seems to only apply to vars.

Based on https://www.reddit.com/r/ansible/comments/29mnp3/where_to_store_perhost_config_files/, I tried using lookup like so:

- name: "Install client openvpn credentials"
  copy:
    src: "{{ lookup('file', inventory_dir + '/host_vars/' + inventory_hostname + '/openvpn.' + item) }}"
    dest: "/etc/openvpn/{{ hostname }}.{{ item }}"
    mode: 0755
  with_items:
    - crt
    - key

but that doesn't seem to be valid anymore in 2.5 (I get an error about quotes but can't spot a quoting error), and this syntax is totally absent from the 2.5 documentation.

What is the "official" recommendation for this use case?
I guess I could create 2 string vars for the key and crt files and use ansible-vault encrypt-string instead of encrypt to secure the key. This is a relatively painful process (as opposed to simply copying the files over to the proper host folder), and we have tens of systems to retrofit into Ansible. I was hoping there would be a better solution for host-specific credential files.

Thanks,
jean
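Added example (editor's, not from the original post): a task that fits the tree shown above. It assumes the inventory is passed as -i inventories/test.lst, so that inventory_dir resolves to the inventories/ directory and an absolute src path built from it bypasses the relative files/ search that produced the error; it also assumes the credential files are named <inventory_hostname>.crt and .key as in the tree (demo-box.crt, demo-box.key), and that the .key file has been protected at rest with `ansible-vault encrypt` so the copy module decrypts it on the controller. The private key gets mode 0600 instead of the 0755 used in the post.

```yaml
# Editor-added example, not part of the original post.
# Assumes: -i inventories/test.lst, so inventory_dir == <repo>/inventories,
# and files inventories/host_vars/<host>/<host>.crt and <host>.key.
- name: Install client OpenVPN credentials
  copy:
    # Absolute path: copy's relative src lookup only searches files/ dirs
    # (see the "Searched in:" list), but an absolute src is used as-is.
    src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/{{ inventory_hostname }}.{{ item.ext }}"
    dest: "/etc/openvpn/{{ inventory_hostname }}.{{ item.ext }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
    # A source file encrypted with `ansible-vault encrypt` is decrypted
    # on the controller before transfer (copy's decrypt defaults to yes
    # since Ansible 2.4); the plaintext never sits in the repo.
    decrypt: yes
  loop:
    - { ext: crt, mode: "0644" }   # public certificate
    - { ext: key, mode: "0600" }   # private key: owner read/write only
  # Keep file names and any diff output of the key out of the run log.
  no_log: yes
```

Revoking one car then means revoking its certificate on the VPN CA and replacing only that host's .crt/.key pair under host_vars, with no change to the role.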