The default credentials (for Weblate, Discourse etc.) are only suitable for integration testing and must be overridden before deploying on publicly available hosts. The recommended way of doing this is to:

  • create a repository in ~/.enough/
  • for each file containing secrets in inventories/common (i.e. {host,group}_vars/**/*.yml) create a matching file in ~/.enough/
  • encrypt those files with ansible vault
  • share the password to decrypt the files with trusted administrators
  • push in a private repository

The encrypted secrets are kept in a private repository so that they are not publicly exposed to brute force attacks.
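The procedure above depends on every mirrored secrets file actually being vault-encrypted before it leaves the administrator's machine. The following POSIX shell script is an added example (not code from the Enough project or its documentation): it walks a secrets checkout, refuses any {host,group}_vars/**/*.yml file that does not start with the ansible-vault header, and offers a helper that vault-encrypts the files it would reject. The directory layout, the file names and the sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Enough project. Guards a secrets checkout
# (e.g. ~/.enough/) so that no {host,group}_vars/**/*.yml file is committed or
# pushed while still in plaintext. Layout and names are assumptions.

# is_vaulted FILE: succeed if the file starts with the ansible-vault header
# ("$ANSIBLE_VAULT;<format>;<cipher>"), which every vault-encrypted file has.
is_vaulted() {
  case $(head -n 1 "$1" 2>/dev/null) in
    '$ANSIBLE_VAULT;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# list_secret_files DIR: the files that must be encrypted, one per line
list_secret_files() {
  find "$1" -type f \( -path '*/host_vars/*' -o -path '*/group_vars/*' \) -name '*.yml'
}

# check_secrets_dir DIR: print every plaintext secret file; fail if any exists
check_secrets_dir() {
  _dir=$1 _rc=0 _old_ifs=$IFS
  IFS='
'
  for _f in $(list_secret_files "$_dir"); do
    is_vaulted "$_f" || { printf 'PLAINTEXT SECRET: %s\n' "$_f"; _rc=1; }
  done
  IFS=$_old_ifs
  return $_rc
}

# encrypt_plaintext DIR PASSWORD_FILE: vault-encrypt the files the check would
# reject (needs ansible-vault on PATH; the demo below does not call it)
encrypt_plaintext() {
  _dir=$1 _pass=$2 _old_ifs=$IFS
  IFS='
'
  for _f in $(list_secret_files "$_dir"); do
    is_vaulted "$_f" || ansible-vault encrypt --vault-password-file "$_pass" "$_f"
  done
  IFS=$_old_ifs
}

# make_sample_tree DIR: constructed sample data for the demo. The "encrypted"
# file carries only the header plus placeholder hex, not real ciphertext.
make_sample_tree() {
  mkdir -p "$1/group_vars/all" "$1/host_vars"
  printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n' > "$1/group_vars/all/secrets.yml"
  printf 'weblate_admin_password: CHANGEME\n' > "$1/host_vars/weblate-host.yml"
  # a host list is not a *_vars file, so the check leaves it alone
  printf 'ansible_port: 22\n' > "$1/01-hosts.yml"
}

# demo: build the sample tree in a temporary directory and run the check;
# exits non-zero because host_vars/weblate-host.yml is still plaintext
demo() {
  _tmp=$(mktemp -d)
  make_sample_tree "$_tmp"
  check_secrets_dir "$_tmp"; _status=$?
  rm -rf "$_tmp"
  return $_status
}

# Run the demo only when executed directly as check-secrets.sh, not when the
# functions are sourced from a git hook.
case $0 in */check-secrets.sh|check-secrets.sh) demo ;; esac
```

Saved as check-secrets.sh, the script can be sourced from a pre-commit or pre-push hook in the private repository (`. ./check-secrets.sh && check_secrets_dir .`) so that a file which was copied from inventories/common but never passed through ansible-vault cannot reach the remote. Only the first line is inspected: that is the cheapest reliable signal, because ansible-vault always writes its header there and a plaintext YAML file never does.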


Manually create ~/.enough/ from ~/ and check it works:

$ OS_CLIENT_CONFIG_FILE=~/.enough/ openstack --os-cloud ovh server list
$ echo domain: | sudo tee ~/.enough/

Getting the production repository

$ git clone ~/.enough/
$ ansible-vault decrypt \
                --vault-password-file ~/.enough/ \


Creating new hosts

From a checkout of the infrastructure repository:

$ export MOLECULE_FILE=$(pwd)/molecule/preprod/molecule.yml
$ ansible-playbook --private-key ~/.enough/ \
                 --vault-password-file=~/.enough/ \
                 -i inventories/common \
                 -i ~/.enough/ \

It will create the inventories/01-hosts.yml file, which must be manually copied to ~/.enough/ and committed to the repository.


The ansible-playbook run will fail with the error no filter named 'molecule_header', but it is ok to ignore that error.

      ansible_port: '22'
      ansible_user: debian


The ansible repository is run as follows:

$ export MOLECULE_FILE=$(pwd)/molecule/preprod/molecule.yml
$ ansible-playbook --private-key ~/.enough/ \
                   --vault-password-file=~/.enough/ \
                   -i inventories/common \
                   -i ~/.enough/ \

Some hosts contain private information that belongs to users who only trust some administrators of the infrastructure. These hosts only have the ssh public keys of the trusted administrators and are listed in a dedicated inventory subdirectory. For instance, the administrator dachary owns the inventory directory inventories/dachary. This administrator can then run the playbook on all the common infrastructure as well as all the hosts that can only be accessed by them as follows:

ansible-playbook --private-key ~/.enough/ \
                 --vault-password-file=~/.enough/ \
                 -i inventories/common \
                 -i inventories/dachary \
                 -i ~/.enough/ \