You might need to play with githooks to get this kind of fine-grained
permission.
On Fri, Jun 5, 2015 at 12:21 PM, David Reagan jer...@gmail.com wrote:
Would a sparse checkout or using git-archive prevent an attacker from simply
initiating a pull of the repo without those options, so that they
Hello David,
Yes, sorry. I have all my secrets in a different directory/repository, my
playbooks and roles are completely clean of secrets.
You may of course deduce the general structure and machine names and maybe
even the topology.
Regards
Mirko
--
Sent from my mobile
On 05.06.2015 17:22
So there are several approaches to this:
- making a repo per host, which would isolate the compromisable data,
this is a LOT of work and requires workarounds for shared things
(roles, includes, etc) but this would work right now.
- use sparse checkouts, this is not supported currently by the git
So, two repos? One with passwords in it, another without?
--David Reagan
On Thu, Jun 4, 2015 at 11:47 PM, Mirko Friedenhagen mfriedenha...@gmail.com
wrote:
Hello David,
I am using push right now exclusively and thought about ansible-pull as
well.
My idea was to tag all tasks which need
ansible-pull checks out your entire project repository, then runs whichever
playbook you tell it to. That repo is basically a map to your entire
infrastructure.
So, how do you ensure a compromised server doesn't reveal all that
information to an attacker? (With the assumption that the