Use ansible-vault instead of env var lookups

[JMLX42]

• [ ] refactor LAPRIMAIRE_2022_SSH_KEY
• [ ] refactor GHOST_DATABASE_USER
• [ ] refactor GHOST_DATABASE_PASSWORD
• [ ] refactor MATOMO_DATABASE_ROOT_PASSWORD
• [ ] refactor MATOMO_DATABASE_PASSWORD
• [ ] refactor MATOMO_PASSWORD
• [ ] refactor DISCOURSE_POSTGRESQL_PASSWORD
• [ ] refactor DISCOURSE_SMTP_PASSWORD
• [ ] refactor DISCOURSE_REDIS_PASSWORD
• [ ] refactor GRAFANA_ADMIN_PASSWORD

[JMLX42]

Relevant official documentation: https://docs.ansible.com/ansible/2.9/user_guide/vault.html

[JMLX42]

Relevant tutorial (in French): https://blog.stephane-robert.info/post/ansible-vault/

[jerome-caucat]

@JMLX42 I can start to setup ansible-vault:

• With a default password "password".
• Encrypt the variables listed in your first comment. Encrypt host_vars/laprimaire_2022/main.yml. (That is where the default values are stored right?) (I could not find any use of LAPRIMAIRE_2022_SSH_KEY, has it been replaced?) (We would still have the env var lookups, if we need them at some point, but the default values would be protected)
• Try changing the password to make sure we can.
• Make sure that the provisioning and the project still work.

Then you can:

• Change the ansible-vault password (rekeying-encrypted-files).
• Store the password as a GitHub encrypted-secret.
• Change the default values in the encrypted host_vars/laprimaire_2022/main.yml (editing-encrypted-files).
• Do #25 using ansible-vault.

Then I can use the GitHub encrypted-secret to do #3.

Have I missed something?

[jerome-caucat]

I did miss something: the ansible-vault password will be required to provision a VM locally so the devs will need to be able to access it.

[jerome-caucat]

I guess we could use groups inventories, dev and prod for example where dev uses the current un-encrypted default values and prod uses the new encrypted values.

Edit: inventories may be more appropriate inventaires Ansible (FR).