1

How do I ignore the group_vars vault file when running ansible-pull?

My repository (among other stuff) does machine init, joining the domain and software updates. I would like the software part to be handled by ansible-pull. No passwords are required for this, and no vault is necessary.

Unfortunately, initial machine setup after a fresh install does require some passwords which are set in group_vars/all.yml and is encrypted by vault. Whenever I run the ansible-pull command I run into vault decryption issues as there is no password provided.

Any advice on how to overcome this?

chicks
  • 1,911
  • 1
  • 13
  • 29
Frank Vermeulen
  • 21
  • 2

1 Answers1

1

Eventually I just got rid of the group_vars all together. I specified a new role that includes several other roles with 'include_role:' and added the vars directly to those roles with inline-vault variables:

- name: include ipaclient
  include_role:
    name: ipaclient
  vars:
    my_user: user
    my_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          123456123456123456123456123456132456...
Frank Vermeulen
  • 21
  • 2