Secrets

Secrets are stored in so-called Ansible vaults. They are created with ansible-vault create ... and edited with ansible-vault edit ....

When an Ansible playbook is rolled out, Ansible has to be told that some configuration files are encrypted. Use ansible-playbook --ask-vault-pass ... to make Ansible prompt for the vault passphrase. This prompt appears after the prompt for the become passphrase.

The deployment bot has the decryption key in its environment. See CI/CD for details.
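
A check for the vaults described above, as an added example that is not part of this project's own tooling: it fails when a file that should be a vault is stored in plaintext, by looking for the $ANSIBLE_VAULT; header that ansible-vault writes on the first line of an encrypted file. The vault*.yml naming pattern and the function names are assumptions; adjust them to the repository's convention.

```shell
#!/bin/sh
# Added example: fail a commit hook or CI job when a file that should be an
# Ansible vault is stored in plaintext.
# Assumption: secret files follow the hypothetical naming pattern "vault*.yml".

# Return 0 if the first line of the file carries the Ansible vault header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256". Empty or missing files count as plaintext.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    # read fails on a last line without a newline; accept it if non-empty.
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every file below directory $1 that matches the naming pattern
# but does not start with the vault header.
list_plaintext_vaults() {
    find "$1" -type f -name 'vault*.yml' | sort | while IFS= read -r path; do
        is_vault_encrypted "$path" || printf '%s\n' "$path"
    done
}

# Return 1 and report on stderr if any such file exists below directory $1.
check_vault_files() {
    plaintext=$(list_plaintext_vaults "$1")
    if [ -n "$plaintext" ]; then
        printf 'Not vault-encrypted:\n%s\n' "$plaintext" >&2
        return 1
    fi
    return 0
}

# When called with a directory argument, run the check on it.
[ "$#" -eq 0 ] || check_vault_files "$1"
```

Run it as a pre-commit hook or an early CI step with the repository root as its argument. It only covers whole-file vaults, not single values encrypted inline in an otherwise plaintext YAML file.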