Ansible question concerning ansible-playbook vs ansible-pull

I have a GitLab repo set up for Ansible. Now if I run Ansible in push mode it works fine, but ansible-pull doesn’t recognize my hostnames.

My system hostnames are in an encrypted file sourced in group_vars/all, and each host_vars file has an ansible_host: "{{ vault_local_server_01_ansible_host }}" reference to the encrypted variable.

It seems as if ansible-pull does not bother to resolve the variables before trying to match hostnames. Does anyone have any experience working around this? Am I just being paranoid about my hostnames being public and should just stop obfuscating the names behind encrypted variables?

P.S. There are a lot of unfinished loose ends in the repo; it’s a work in progress.

Apologies if I’m misunderstanding anything.

The first thing I’d consider is encrypting the inventory file itself, that way you don’t have to reference variables outside that file. If you encrypt it with ansible-vault and then add a line to ansible.cfg referencing where to find the encryption key, you can consolidate that part.

Second, if you haven’t already tried it, I’m pretty sure what you’re looking for with the second part of your question is the -i option of ansible-pull. Don’t forget the comma.

ansible-pull -i $HOSTNAME, -U https://…

That’s off the top of my head, but I’m pretty sure that’s it. The -i option along with matching via the $HOSTNAME environment variable pretty much unlocks the entirety of the Ansible featureset, including those you didn’t think would work with ansible-pull.

If that wasn’t what you were looking for, let me know.

> The first thing I’d consider is encrypting the inventory file itself, that way you don’t have to reference variables outside that file.

That would solve the name resolution issue but then my host_vars files would have to be named accordingly defeating the purpose of encrypting it. Unless there is a way to avoid naming the host_vars files using the exact inventory names.

I’ll take a look at your other suggestion in a bit and see what I can work out.

Thanks for the response.

I resolved 90% of my issue and am working correctly at the moment. After realizing I wasn’t really using the host_vars files I followed your suggestion and just encrypted the inventory file after changing everything back to actual hostnames.

Once I did that, pointing the -i flag in the pull command back at the inventory file instead of $HOSTNAME made it run against all the groups correctly.

In the future, if/when I need host-specific variables assigned, I’ll probably assign an alias name via variable within the inventory file to each host. I will use that to include a host-specific var file in my play pre_tasks. I’ll have to pay attention to how this may change variable precedence, but it shouldn’t be a problem as long as I am aware of it.
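
An added example, not written by anyone in this thread: a shell check that the files holding real hostnames in a pull repo are whole-file ansible-vault encrypted before they are pushed, which is the setup the thread ends up with. The file paths (inventory, group_vars/all/vault.yml) and function names are assumptions; the check relies on the `$ANSIBLE_VAULT;` header that ansible-vault writes as the first line of an encrypted file.

```shell
#!/bin/sh
# Added example; file and function names are assumptions, not from the thread.

# Succeeds only if file $1 is whole-file vault-encrypted, i.e. its first line
# is a header such as "$ANSIBLE_VAULT;1.1;AES256". Inline "!vault" values
# inside an otherwise plaintext YAML file do not count.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first_line=$(head -n 1 "$1" 2>/dev/null)
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is the repo directory, remaining args are paths relative to it.
# Prints each existing path that is stored in plaintext and returns 1 if
# any were found; paths that do not exist are skipped.
find_plaintext_secrets() {
    fp_repo=$1
    shift
    fp_found=0
    for fp_rel in "$@"; do
        [ -e "$fp_repo/$fp_rel" ] || continue
        if ! is_vault_encrypted "$fp_repo/$fp_rel"; then
            printf '%s\n' "$fp_rel"
            fp_found=1
        fi
    done
    return "$fp_found"
}

# Demo on constructed files: a plaintext inventory and a file carrying a vault
# header followed by placeholder hex (not real ciphertext).
demo() {
    demo_repo=$(mktemp -d)
    mkdir -p "$demo_repo/group_vars/all"
    printf '[web]\nserver01.example.internal\n' > "$demo_repo/inventory"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334\n' \
        > "$demo_repo/group_vars/all/vault.yml"
    find_plaintext_secrets "$demo_repo" inventory group_vars/all/vault.yml
    demo_rc=$?
    rm -rf "$demo_repo"
    return "$demo_rc"
}

demo || echo "the paths listed above would be pushed in plaintext"
```

Called from a pre-commit or pre-push hook with the repo's own list of sensitive paths, a non-zero return from find_plaintext_secrets can block the push until the listed files are encrypted.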