So there are several approaches to this:

- making a repo per host, which would isolate the compromisable data,
this is a LOT of work and requires workarounds for shared things
(roles, includes, etc) but this would work right now.

- use sparse checkouts, this is not supported currently by the git
module and requires newer versions of git, this still copies all the
data it just does not make it available in the working directory (this
might still change at the git level).

- use git archive's prefix option, also not currently supported by the
git module, but this would provide the best protection against leaking
data unnecessarily to each target machine.

All require that the repo is structured in such a way that each host
(or similar group of hosts) can have access to only their subset of
data and yet still get the shared resources they need (symlinks?).

A different approach is to vault all sensitive data with different
passwords for the different host 'security zones', each ansible-pull
will only be able to decrypt the data relevant to themselves.




-- 
Brian Coca
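A worked layout for the vault-per-zone approach in the last paragraph, added here as an example that is not from the thread or from the Ansible project. It assumes Ansible 2.4+ vault ids; the zone names, file paths and repo URL are made up.

```shell
#!/bin/sh
# Added example (not from the thread): secrets split per security zone, each
# zone's vault file encrypted with its own vault-id label and password, so a
# host pulling the repo can only decrypt its own zone's data. Zone names,
# paths and the repo URL are assumptions; needs Ansible 2.4+ for vault ids.
set -eu

REPO="${REPO:-$(mktemp -d)}"            # stand-in for the git checkout ansible-pull makes
SECRETS="${SECRETS:-$(mktemp -d)}"      # password files live OUTSIDE the repo, never committed
REPO_URL="${REPO_URL:-git@git.example.invalid:infra/ansible.git}"
ZONES="dmz internal"

# Shared playbook and role stay in the clear; only group_vars/zone_*/vault.yml
# holds secrets, one file per zone.
mkdir -p "$REPO/roles/common/tasks" "$REPO/inventory"
for z in $ZONES; do
  mkdir -p "$REPO/group_vars/zone_$z"
  printf 'zone_secret: %s-placeholder\n' "$z" > "$REPO/group_vars/zone_$z/vault.yml"
  printf '%s-password-placeholder\n' "$z" > "$SECRETS/vault-$z.pass"
done
# Hostnames must match what ansible-pull limits the run to (fqdn/hostname).
printf '[zone_dmz]\nweb1\n\n[zone_internal]\ndb1\n' > "$REPO/inventory/hosts"
printf -- '- hosts: all\n  roles: [common]\n' > "$REPO/site.yml"
printf -- '- debug: var=zone_secret\n' > "$REPO/roles/common/tasks/main.yml"

# Encrypt each zone's vault file under a distinct vault id and password.
encrypt_zones() {
  for z in $ZONES; do
    ansible-vault encrypt --vault-id "$z@$SECRETS/vault-$z.pass" \
      "$REPO/group_vars/zone_$z/vault.yml"
  done
}

# Label recorded in an encrypted file's first line: $ANSIBLE_VAULT;1.2;AES256;<label>
vault_label() { head -n 1 "$1" | cut -d';' -f4; }

# Command a host in zone $1 runs: it supplies only its own zone's password
# (deployed out of band to /etc/ansible), and ANSIBLE_VAULT_ID_MATCH makes
# Ansible try that secret only against files carrying the matching label.
# Ansible loads group_vars only for the groups the host is in, so the other
# zone's vault file is never needed and never decryptable here.
pull_cmd() {
  printf 'ANSIBLE_VAULT_ID_MATCH=true ansible-pull -U %s -i inventory/hosts --vault-id %s@/etc/ansible/vault-%s.pass site.yml\n' \
    "$REPO_URL" "$1" "$1"
}

if command -v ansible-vault >/dev/null 2>&1; then encrypt_zones; else echo "ansible-vault not installed; files left unencrypted" >&2; fi
for z in $ZONES; do pull_cmd "$z"; done
```

The shared roles stay readable by every host; only the per-zone vault files differ in who can open them, which is the "decrypt only the data relevant to themselves" property the paragraph describes.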
