52 lines
2.0 KiB
YAML
52 lines
2.0 KiB
YAML
---
|
|
- hosts: localhost
|
|
gather_facts: false
|
|
vars:
|
|
# перечисли файлы/глобы, которые нужно временно расшифровать
|
|
vault_targets:
|
|
- /ansible/vault/secrets.yml
|
|
# добавляй сюда свои пути (host_vars/*/vault.yml, group_vars/*/vault.yml, и т.п.)
|
|
|
|
tasks:
|
|
- name: Install collections
|
|
community.docker.docker_container_exec:
|
|
container: ansible-controller
|
|
command: bash -lc "ansible-galaxy collection install -r /ansible/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"
|
|
|
|
- name: Decrypt vault targets (best-effort)
|
|
community.docker.docker_container_exec:
|
|
container: ansible-controller
|
|
command: >
|
|
bash -lc '
|
|
set -euo pipefail;
|
|
for p in {{ vault_targets | map('quote') | join(' ') }}; do
|
|
if [ -e "$p" ]; then
|
|
echo "[vault] decrypt $p";
|
|
ansible-vault decrypt --vault-password-file /ansible/vault-password.txt "$p" || true;
|
|
fi
|
|
done
|
|
'
|
|
|
|
- name: Run external playbook (your lab play)
|
|
community.docker.docker_container_exec:
|
|
container: ansible-controller
|
|
command: >
|
|
bash -lc "
|
|
ANSIBLE_ROLES_PATH=/ansible/roles
|
|
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /ansible/molecule/default/site.yml
|
|
"
|
|
|
|
- name: Re-encrypt vault targets (always)
|
|
community.docker.docker_container_exec:
|
|
container: ansible-controller
|
|
command: >
|
|
bash -lc '
|
|
set -euo pipefail;
|
|
for p in {{ vault_targets | map('quote') | join(' ') }}; do
|
|
if [ -e "$p" ]; then
|
|
echo "[vault] encrypt $p";
|
|
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /ansible/vault-password.txt "$p" || true;
|
|
fi
|
|
done
|
|
'
|
|
ignore_errors: true |