EDIT: This is a home setup. My network uses a UDM Pro for gateway/DHCP/VLANs with UniFi switches and a Pi-hole for ad-blocking and static DNS addresses (UniFi doesn't allow for custom DNS entries). My FreeIPA server is a Proxmox VM. It isn't a business environment, but I try to emulate one as best I can with the budget and time available.
While looking through the repo I noted that your hosts inventory file has generic names in it, so I assume this isn't your actual live repo and that your live repo is private or hosted internally. My question is, obviously sensitive information (passwords and such) notwithstanding, where do you draw the line for what is appropriate for a public repo?
I saw the user creation used variables for the user password, but I couldn't locate an entry point where these get passed in. What method do you use to feed passwords and such into the Ansible configuration? I avoided looking into Ansible for a long time because I didn't see a straightforward way to accomplish this and didn't want to have half-configured users on computers. I currently have a FreeIPA server, which was pretty easy to get set up and running, but I would like to have an Ansible option as well for pushing out locally defined users.
You are correct. The Ansible repo you’re referring to is a snapshot of the private repository I use, hosted elsewhere.
I honestly have mixed feelings about what is appropriate for public inclusion. An argument could be made that nothing in my repository is harmful if publicly known. For example, there are IP addresses in there, and anyone can know what those IP addresses are if they do a DNS lookup, and knowing an IP address doesn’t increase chances of intrusion much, if at all. My password hashes are in there, but they are very strong in terms of cryptography, so it’s unlikely anyone would be able to reverse engineer those hashes. And even if they did, I only allow connections from very specific IP addresses anyway because my servers have a fairly decent firewall. It all comes down to how much work someone wants to put into it. I’m inclined to think it probably doesn’t matter, given the context around it.
For the second question, the variable for the user password is stored in the base role. Inside the <repo_dir>/roles/base directory, there’s a subdirectory named “vars”. Inside there, is a file named “main.yml”. The contents look like this:
That’s all that’s there. I redacted a big chunk of the cryptographic hash on the first line, but you get the idea.
Hopefully that helps.
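As an added illustration of the pattern described above (not the author's actual vars file, whose contents are not reproduced here), this is what a base role that keeps a pre-computed password hash in `roles/base/vars/main.yml` and consumes it from `roles/base/tasks/main.yml` can look like. The variable names `base_user_name` and `base_user_password_hash`, the user name `deploy`, and the placeholder hash value are all assumptions for the example:

```yaml
# Added example, not the author's repository. Assumed layout:
#   roles/base/vars/main.yml   holds the user name and password hash
#   roles/base/tasks/main.yml  creates the user from those variables
# Variable names, the "deploy" user and the hash value are placeholders.

# --- roles/base/vars/main.yml ---
base_user_name: deploy

# A SHA-512 crypt hash, i.e. the same "$6$salt$hash" format /etc/shadow stores.
# Generate one locally (never commit the plaintext) with either:
#   ansible localhost -m debug -a "msg={{ 'YourPassphrase' | password_hash('sha512') }}"
#   mkpasswd -m sha-512
# The value below is a constructed placeholder, not a real hash.
base_user_password_hash: "$6$REPLACE_WITH_SALT$REPLACE_WITH_THE_REAL_HASH"

# --- roles/base/tasks/main.yml ---
- name: Create the local user with the pre-hashed password
  ansible.builtin.user:
    name: "{{ base_user_name }}"
    # ansible.builtin.user expects an already-hashed value here; passing
    # plaintext would write the literal string into /etc/shadow.
    password: "{{ base_user_password_hash }}"
    shell: /bin/bash
    create_home: true
    # Only set the password when the account is first created, so re-runs
    # of the play do not clobber a password the user changed locally.
    update_password: on_create
    state: present
```

Because the vars file is plain YAML, it can be encrypted in place with `ansible-vault encrypt roles/base/vars/main.yml` and decrypted at run time with `--ask-vault-pass` or `--vault-password-file`, which keeps the same variable names and task unchanged while leaving only ciphertext in a public snapshot.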
Yes, thank you very much for getting back. I intend to set up my entire network to configure first from FreeIPA and second from Ansible pulls. I have quite a bit of work to do before I sit down and start setting up the Ansible side of things in earnest, but the idea/topic has greatly piqued my interest.
BTW, I love your videos. Yours and Lawrence Systems were my top two favorite tutorial channels before I knew the two of you were affiliated off YouTube. Great content, although I don't think you give Fedora enough love... :)
Thank you, I’m glad you like our content. I’m glad he and I are able to collaborate more; we’re usually so busy most of the time, but I think we found a schedule that works.
I do review Fedora from time to time, but to be honest, it doesn’t often impress me. No judgement against Fedora, though. I just kind of feel like it often lags behind other distros, but that doesn’t matter to everyone.