This repository was archived by the owner on Dec 24, 2022. It is now read-only.

Replacing keyczar by native Ansible vault. #64

Closed
wants to merge 2 commits into from

Conversation

dverdin
Contributor

@dverdin dverdin commented Mar 15, 2019

Not working for now because passwords aren't decrypted. But all scripts (environment generation, etc.) are updated.
Some scripts might not be necessary anymore and could be replaced by simple calls to ansible-vault.
I'll cleanup after.

@racke
Contributor

racke commented Mar 29, 2019

I started on a fresh VM with a fresh environment. The contents of the file environments/local/group_vars/sympa.yml are:

# Group vars for sympa servers


sympa:
  db:
    app_user: sympa
    app_password: "{{ lookup('file',inventory_dir+'/private/password/sympa_db_app_password') }}"
    readonly_user: sympareadonly
    readonly_password: "{{ lookup('file',inventory_dir+'/private/password/sympa_db_readonly_password') }}"
  lists_path: /var/lib/sympa/list_data
  arc_path: /var/lib/sympa/archives

Ansible simply uses the content of the files. That's the problem, and there is no benefit in having these files around, is there?
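The pattern racke describes, shown as an added example beside a vault-based alternative (this is not the project's own file; the variable names `sympa_plaintext_lookup` and the ciphertext block are placeholders, and the `ansible-vault encrypt_string` invocation in the comment is the standard Ansible command, not a project script):

```yaml
# environments/local/group_vars/sympa.yml (added example, not the project's file)

# BEFORE: the template pulls the password from a plain-text file at play time.
# Whatever encryption protects the repository, the file Ansible reads from
# inventory_dir/private/password/ must already be clear text, so the lookup
# simply inlines the secret. Nothing here is vault-protected.
sympa_plaintext_lookup:        # placeholder name for the weak pattern
  db:
    app_user: sympa
    app_password: "{{ lookup('file', inventory_dir + '/private/password/sympa_db_app_password') }}"

# AFTER: the value itself is a vault-encrypted string. The ciphertext below is a
# placeholder; produce a real one with
#   ansible-vault encrypt_string --vault-id local@prompt 'the-password' --name 'app_password'
# and paste the command's output here. The secret is only decrypted in memory by
# the play that holds the vault password, and the plain-text file is no longer needed.
sympa:
  db:
    app_user: sympa
    app_password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;local
      <PLACEHOLDER_VAULT_CIPHERTEXT>
    readonly_user: sympareadonly
    readonly_password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;local
      <PLACEHOLDER_VAULT_CIPHERTEXT>
  lists_path: /var/lib/sympa/list_data
  arc_path: /var/lib/sympa/archives
```

If keeping all secrets in one place is the goal, the same result comes from encrypting the whole file with `ansible-vault encrypt environments/local/group_vars/sympa.yml`; either way `ansible-vault view` on the file is the quick check that no clear-text password remains under `private/password/`.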

@racke
Contributor

racke commented Mar 30, 2019

Actually, I don't understand why we need this scripting framework. Ansible could produce these environments from the "templates" as well, and updates of your inventory would be more reliable. And it would be way more readable.

@racke
Contributor

racke commented Apr 1, 2019

Documentation bug:

vault-password directory

This directory contains the secret used by keyczar to encrypt the secrets.

@dverdin
Contributor Author

dverdin commented Apr 2, 2019

Sorry for my recent silence. I was on something else.

  • I fixed the README,
  • about the isolated files containing the passwords, I like the idea of having all the secrets in one place that can optionally be stored/versioned separately from the rest of the environment. But as they are encrypted by default, that might be overkill. However, with the scripts, we can easily access one of the passwords by simply decrypting a file,
  • about the scripts: I don't think they are absolutely necessary, though I regularly use the utility to encrypt/decrypt passwords to make tests and/or read in the database.

@racke
Contributor

racke commented Jun 21, 2019

Superseded by #70

@racke racke closed this Jun 21, 2019