Encrypt your files with Ansible Vault

In the previous blog I gave a brief description of Ansible roles. In this blog I am going to discuss another very important topic: Ansible Vault.

Why do we need encryption?

We write our Ansible playbooks, Jinja templates and other files in plain, unencrypted form, but we can't keep crucial information such as passwords unencrypted. That is why we need encryption.

How can we encrypt?

Just as we use ansible-playbook to run our playbooks, we have a command called ansible-vault to do our encryption and decryption work. Here are some important and useful commands:

  • we use ansible-vault create a_file to create an encrypted file
$ ansible-vault create a_file
New Vault password: 
Confirm New Vault password:
  • we use ansible-vault encrypt a_existing_file to encrypt an existing file
$ ansible-vault encrypt a_existing_file 
New Vault password: 
Confirm New Vault password: 
Encryption successful
  • we use ansible-vault view a_file to view the encrypted file
$ ansible-vault view a_file 
Vault password: 
You are reading Aniruddha's Blog ;)
  • we use ansible-vault decrypt a_file to decrypt any encrypted file
$ ansible-vault decrypt a_file 
Vault password: 
Decryption successful

What is vault ID?

A vault ID is an identifier for one or more vault secrets. To use vault IDs, you must provide an ID of your choosing and a source to obtain its password (either prompt or a file path). We use --vault-id to provide the ID. The examples below show how:

  • We encrypt a file with ID
$ ansible-vault encrypt --vault-id id1@prompt a_file 
New vault password (id1): 
Confirm vew vault password (id1): 
Encryption successful
  • we view a file with ID
$ ansible-vault view --vault-id id1@prompt a_file 
Vault password (id1): 
You are reading Aniruddha's Blog ;)
  • we decrypt a file with ID
$ ansible-vault decrypt --vault-id id1@prompt a_file 
Vault password (id1): 
Decryption successful
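
A file encrypted with a vault ID records that ID in its first line ($ANSIBLE_VAULT;1.2;AES256;id1), while a file encrypted without one gets a 1.1 header with no label. The check below is an added example, not part of the original post: it reads only that header, so it needs no password, and flags files that are still plaintext or carry an unexpected ID. The function names and sample files are made up for illustration.

```python
import os
import tempfile

HEADER_MAGIC = "$ANSIBLE_VAULT"


def parse_vault_header(first_line):
    """Return (format_version, cipher, vault_id), or None if not a vault file.

    Format 1.1 has no label; format 1.2 carries the vault ID as a 4th field.
    """
    parts = first_line.strip().split(";")
    if len(parts) < 3 or parts[0] != HEADER_MAGIC:
        return None
    vault_id = parts[3] if len(parts) > 3 and parts[3] else None
    return parts[1], parts[2], vault_id


def audit(paths, expected_id=None):
    """Map each path to 'ok', 'plaintext' or 'wrong-id:<label>'."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            header = parse_vault_header(fh.readline())
        if header is None:
            report[path] = "plaintext"
        elif expected_id is not None and header[2] != expected_id:
            report[path] = "wrong-id:%s" % (header[2] or "none")
        else:
            report[path] = "ok"
    return report


def demo():
    # Constructed sample files; the hex bodies are placeholders, not ciphertext.
    samples = {
        "no_id.yml": "$ANSIBLE_VAULT;1.1;AES256\n3031323334\n",
        "id1.yml": "$ANSIBLE_VAULT;1.2;AES256;id1\n3031323334\n",
        "other.yml": "$ANSIBLE_VAULT;1.2;AES256;id2\n3031323334\n",
        "leak.yml": "db_password: example-only\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            paths.append(path)
        result = audit(paths, expected_id="id1")
        return {os.path.basename(p): status for p, status in result.items()}
```

Run over the files about to be committed, audit() gives a quick way to catch a secrets file that was decrypted for editing and never encrypted again.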

Thank you 🙂

Customize your vim like any other IDE

So, almost 2 years ago I heard about the C programming language from my close friend, and I thought I should give it a try. I asked “how can I start with it?” and he gave me some notes and said just install turboC++ and start writing code. So I installed it and started with the C language, and eventually I got demotivated and quit programming after some time. Actually, it was not fun or engaging in that environment. After one year, there was a seminar on network security in my college, and the guest speaker said that everyone should try Python once and that it is a really amazing language. I went home, searched for Python on YouTube, found lots of tutorials on it and picked one. That tutorial was using VSCode; after that I loved that text editor, and I still use it in my daily work.

Recently I got to know about a new text editor called vim, and I installed it and started using it. The funniest thing is that when I first opened a file with it I was not able to exit from it :p. Now I use it most of the time while writing code. When you first install it, it will look something like this

Vim allows us to customize it however we want, and we customize it by writing some configuration in ~/.vimrc. If the file is not there, you can create it with the touch ~/.vimrc command. Now add the lines below to your file first.

syntax enable
set tabstop=4
set shiftwidth=4
set expandtab
set number
filetype indent on
set autoindent
set ruler
set showcmd
set incsearch
set hlsearch

Now we will add some plugins to this file and then install them. There are a couple of ways to install plugins, and the way I like is Vundle. The section below shows how to add plugins.

set nocompatible   
filetype off                  

set rtp+=~/.vim/bundle/Vundle.vim
call vundle#begin()

Plugin 'VundleVim/Vundle.vim'
Plugin 'wting/rust.vim'
Plugin 'racer-rust/vim-racer'
Plugin 'scrooloose/nerdTree' "Documents tree
Plugin 'davidhalter/jedi-vim' "python autocompletion
Plugin 'tpope/vim-fugitive' "git integration
Plugin 'scrooloose/syntastic' "syntax checking
Plugin 'Raimondi/delimitMate' "automatic closing of quotes, parenthesis...
Plugin 'yggdroot/indentline' "Show indent lines (useful for loops)
Plugin 'tmhedberg/SimpylFold' "Python folding
Plugin 'vim-airline/vim-airline'
Plugin 'vim-airline/vim-airline-themes'
Plugin 'ervandew/supertab' "<Tab> for code completion
Plugin 'ctrlpvim/ctrlp.vim'    "Finder for vim
Plugin 'jistr/vim-nerdtree-tabs'

call vundle#end()   

filetype plugin indent on

That’s how we add plugins to vim: by writing Plugin followed by the plugin we want to install. To install the plugins, first press Esc, then type :PluginInstall and press Enter, and all the plugins will be installed one by one.

Now vim looks something like the image below.

Thank you 🙂

Reusable playbooks, Ansible roles

So, in this blog I have told you about “what is Ansible, playbooks, hosts?”; now it is time to go further with roles. In the world of programming we have a principle called DRY, “Don’t repeat yourself”, which means don’t do the same work again and again. To follow it, we try to write the code once and reuse it without rewriting the whole thing.

In the era of automation, Ansible gives us a similar technique: if we need a part of a playbook in multiple files, we can write it inside a role and use it again and again. Roles also help us reduce the complexity of the code, since it is always better to break a big playbook down into small parts and use those.

A role is defined inside a roles directory. Inside this directory we define every role, and inside each role there are multiple directories, as you can see below:

$ tree .
.
├── roles
│   └── webservers
│       ├── defaults
│       ├── files
│       ├── handlers
│       ├── meta
│       ├── tasks
│       ├── templates
│       └── vars
└── web.yml

Roles expect files to be in certain directory names. Roles must include at least one of these directories, however it is perfectly ok to exclude any which are not being used. When in use, each directory must contain a main.yml file, which contains the relevant content:

  • tasks – contains the main list of tasks to be executed by the role.
  • handlers – contains handlers which may be used by the role or elsewhere in the code.
  • defaults – contains variables for the role.
  • vars – contains other variables for the role.
  • files – contains files which can be deployed by the role.
  • templates – contains templates which can be deployed via the role.
  • meta – contains metadata.

So, now let's see by example how roles help us in various aspects of automation. Below is the code without roles:


---
- hosts: webservers
  gather_facts: yes
  remote_user: root
  become: true
  tasks:
    # Create the groups first so the users below can join them
    - name: Ensure group {{ item }} exist
      group:
        name: "{{ item }}"
        state: present
      loop:
        - mozilla
        - dgplug
    # Create each user and add it to its group
    - name: add several users to several group
      user:
        name: "{{ item.name }}"
        state: present
        groups: "{{ item.groups }}"
      loop:
        - { name: 'testuser1', groups: 'mozilla' }
        - { name: 'testuser2', groups: 'dgplug' }
    # Remove the same users again
    - name: remove several users to several group
      user:
        name: "{{ item.name }}"
        state: absent
        groups: "{{ item.groups }}"
      loop:
        - { name: 'testuser1', groups: 'mozilla' }
        - { name: 'testuser2', groups: 'dgplug' }

Now see how we can implement this via roles –

# web.yml
---
- hosts: webservers
  become: true
  roles:
    - role: '/home/aniruddha/Desktop/ansible-playbook/roles/webservers'

# roles/webservers/tasks/main.yml
# Ansible loads only this file from tasks/, so it imports the task files below
---
- import_tasks: add_group/main.yml
- import_tasks: add_user_to_group/main.yml
- import_tasks: remove_user_from_group/main.yml

# roles/webservers/tasks/add_group/main.yml
# A role task file is a plain list of tasks, without a "tasks:" key
---
- name: Ensure group {{ item }} exist
  group:
    name: "{{ item }}"
    state: present
  loop:
    - mozilla
    - dgplug

# roles/webservers/tasks/add_user_to_group/main.yml
---
- name: add several users to several group
  user:
    name: "{{ item.name }}"
    state: present
    groups: "{{ item.groups }}"
  loop:
    - { name: 'testuser1', groups: 'mozilla' }
    - { name: 'testuser2', groups: 'dgplug' }

# roles/webservers/tasks/remove_user_from_group/main.yml
---
- name: Remove several users from different group
  user:
    name: "{{ item.name }}"
    state: absent
    groups: "{{ item.groups }}"
  loop:
    - { name: 'testuser1', groups: 'mozilla' }
    - { name: 'testuser2', groups: 'dgplug' }

Thank you 🙂