Dear All,
At the moment we are encrypting all of our host vars with git-crypt as a few contain secret information.
This is a pain as only a few people need the encrypted parts of the few encrypted files but it means all people who use ansible etc have to have git-crypt set up & working etc.etc.
So I would like to find out some way in which just the values which need to be encrypted can be pulled out into separate files & encrypted.
I see from:
http://docs.ansible.com/intro_inventory.html
That a host/group var file can be replaced with a folder & then
“As an advanced use-case, you can create directories named after your groups or hosts, and Ansible will read all the files in these directories”
Such that I could have a file called notsecret & another called secret.key & tell git-crypt just to encrypt “*.key” files.
That way people using instances/roles etc with no secret info could still use host/group vars w/o gitcrypt
At the moment this seems like the best plan…but any other suggestions would be welcome.
For example can a hostvar file perform an inclusion along the lines of including something akin to
vars_files:
- [ ‘files/vars/{{ inventory_host }}.yml’,‘files/vars/default.yml’ ]
?
TIA
Adam