The default credentials (for Weblate, Discourse etc.) are only suitable for integration testing and must be overridden before deploying on publicly available hosts. The recommended way of doing this is to:

  • create a repository in ~/.enough/
  • for each file containing secrets (i.e. {host,group}_vars/**/*.yml), create a matching file in ~/.enough/
  • encrypt those files with ansible vault
  • share the password to decrypt the files with trusted administrators
  • push in a private repository

The encrypted secrets are kept in a private repository so that they are not publicly exposed to brute force attacks.
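
One way to check, before pushing, that no variable file in the secrets repository was left unencrypted. This is an added example, not part of the Enough code base; the function names and the directory passed as argument are assumptions. It relies on the $ANSIBLE_VAULT; header that ansible-vault writes as the first line of every file it encrypts.

```shell
#!/bin/sh
# Added example, not part of the Enough code base.

# find_unencrypted_vars DIR
# Prints, sorted, every *.yml file below a host_vars/ or group_vars/
# directory of DIR whose first line is not an Ansible Vault header.
# An empty file is reported too, since it is not an encrypted file.
find_unencrypted_vars() {
    find "$1" \( -path '*/host_vars/*' -o -path '*/group_vars/*' \) \
         -type f -name '*.yml' -exec sh -c '
        for f do
            first=
            # Only the first line matters; an encrypted file starts with
            # a line such as $ANSIBLE_VAULT;1.1;AES256
            IFS= read -r first < "$f" || true
            case "$first" in
                "\$ANSIBLE_VAULT;"*) ;;
                *) printf "%s\n" "$f" ;;
            esac
        done' sh {} + | sort
}

# check_secrets_repo DIR
# Returns 0 when every variable file is vault-encrypted, 1 otherwise,
# listing the plaintext files on stderr. Suitable for a pre-push hook.
check_secrets_repo() {
    plaintext=$(find_unencrypted_vars "$1")
    if [ -n "$plaintext" ]; then
        printf 'not vault-encrypted:\n%s\n' "$plaintext" >&2
        return 1
    fi
    return 0
}
```

Call check_secrets_repo with the path of the secrets repository, for instance from .git/hooks/pre-push, and abort the push when it returns non-zero.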


Manually create ~/.enough/ by copying clouds.yml.example and getting values from ~/, then check that it works:

$ export OS_CLIENT_CONFIG_FILE=~/.enough/
$ openstack --os-cloud ovh server list
$ echo domain: | sudo tee ~/.enough/

Getting the production repository

$ git clone ~/.enough/
$ ansible-vault decrypt \
                --vault-password-file ~/.enough/ \


Creating new hosts


Do not run the following from a git checkout. If run from sources, the test environment will be used instead of the production environment.

$ python -m enough.internal.cmd --domain host create some-host
$ python -m enough.internal.cmd --domain host inventory

It will set the IP address of the new host into ~/.enough/

    bind-host: {ansible_host:}
    wereport-host: {ansible_host:}


The ansible repository is run as follows:

$ export MOLECULE_FILE=$(pwd)/molecule/preprod/molecule.yml
$ ansible-playbook --private-key ~/.enough/ \
                   --vault-password-file=~/.enough/ \
                   -i inventories/common \
                   -i ~/.enough/ \

Some hosts contain private information that belongs to users who only trust some administrators of the infrastructure. These hosts only have the ssh public keys of the trusted administrators and are listed in a dedicated inventory subdirectory. For instance, the administrator dachary owns the inventory directory inventories/dachary. This administrator can then run the playbook on all the common infrastructure as well as all the hosts that can only be accessed by them as follows:

ansible-playbook --private-key ~/.enough/ \
                 --vault-password-file=~/.enough/ \
                 -i inventories/common \
                 -i inventories/dachary \
                 -i ~/.enough/ \