ask-become-pass no more

petemounce · May 31, 2024 · 214aa0b · 214aa0b
1 parent 032b2b0
commit 214aa0b
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 23 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,8 +3,7 @@
 *.orig
 *.zip
 *.retry
-*.sublime-workspace
 *.vagrant
 config.yml
-project.code-workspace
 roles-external
+secrets.yml
diff --git a/ansible.cfg b/ansible.cfg
@@ -11,6 +11,7 @@ remote_tmp            = /tmp
 roles_path            = ./roles:./roles-external:/etc/ansible/roles
 # Use the YAML callback plugin.
 stdout_callback       = yaml
+vault_password_file   = bin/vault_pw.sh
 
 [ssh_connection]
 pipelining = True

diff --git a/bin/vault_pw.sh b/bin/vault_pw.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -o errexit -o errtrace -o nounset -o pipefail
+
+/usr/bin/security find-generic-password -a "${USER}" -s "workstation" -w
diff --git a/playbook.yml b/playbook.yml
@@ -5,6 +5,7 @@
 
   vars_files:
     - vars/default.yml  # overridden by include_vars below
+    - secrets.yml
 
   pre_tasks:
     - include_vars: "{{ item }}"

diff --git a/readme.md b/readme.md
@@ -2,24 +2,50 @@
 
 This is my mac; there are many like it, but this one is mine.
 
-```bash
-xcode-select --install || echo "xcode-select has been installed already, probably."
-# then hit install on the GUI popup
-```
-
-```bash
-curl --location --fail --show-error --silent https://github.com/petemounce/workstation/archive/refs/heads/master.zip --output "workstation-master.zip"
-unzip -d "." "workstation-master.zip"
-cd workstation-master
-bash bin/bootstrap.sh
-[[ -d ".venv" ]] && source ".venv/bin/activate"
-bash bin/run.sh --list-tasks
-```
-
-If you're happy with that set of tasks and have read what they do:
-
-```shell
-bin/run.sh
-```
-
-You can pass flags and arguments to `bin/run.sh` and `ansible-playbook` will receive them.
+1. Install XCode developer tools:
+
+    ```bash
+    xcode-select --install || echo "xcode-select has been installed already, probably."
+    # then hit install on the GUI popup
+    ```
+
+1. To avoid needing to use `--ask-become-pass` and typing your user's password on every run-through:
+
+    1. Make an ansible vault password inside macOS keychain to avoid needing to type your account password every run-through:
+
+        ```bash
+        security add-generic-password -a "${USER}" -j "ansible-vault password for workstation repo" -s "workstation" -w
+        ```
+
+        ... and supply a password then confirm it.
+
+    1. Make an ansible-vault encrypted file with your user account's password in it, like:
+
+        ```bash
+        ansible-vault create "secrets.yml"
+        ```
+
+        ... with content:
+
+        ```yaml
+        ansible_become_password: 'your password'
+        ```
+
+1. Get bootstrapped:
+
+    ```bash
+    curl --location --fail --show-error --silent https://github.com/petemounce/workstation/archive/refs/heads/master.zip --output "workstation-master.zip"
+    unzip -d "." "workstation-master.zip"
+    cd workstation-master
+    bash bin/bootstrap.sh
+    [[ -d ".venv" ]] && source ".venv/bin/activate"
+    bash bin/run.sh --list-tasks
+    ```
+
+1. If you're happy with that set of tasks and have read what they do:
+
+    ```shell
+    bin/run.sh
+    ```
+
+    You can pass flags and arguments to `bin/run.sh` and `ansible-playbook` will receive them.