Playbook 01 — Secret & Environment Management
File: ansible/01_setup_secrets.yml
Hosts: all_servers
Privilege escalation: sudo
This is the first playbook executed in the pipeline. Its sole responsibility is to prepare the deployment directory and generate the .env file that all Docker containers rely on for sensitive configuration values. Secrets are never stored in plaintext in the repository: they are decrypted from Ansible Vault at runtime and written to the target server with restricted file permissions (0600).
Overview
| Property | Value |
|---|---|
| Playbook file | ansible/01_setup_secrets.yml |
| Target hosts | all_servers |
| become | Yes (sudo) |
| Output file | {{ remote_deploy_base }}/.env |
| File permissions | 0600 (owner read/write only) |
1. Task 1.0 — Create base deployment directory
Creates the root deployment directory on the remote server if it does not already exist. Ownership is set to the deployment_user variable defined in group_vars/all/all_servers.yml.
| Variable | Description |
|---|---|
| remote_deploy_base | Root path on the remote server (e.g. /home/pi/cyber-sentinel) |
| deployment_user | OS user that owns all project files |
2. Task 1.1 — Generate .env from Ansible Vault template
Renders the templates/env.j2 Jinja2 template using values decrypted from Ansible Vault and writes the result to .env at the deployment root. The file is created with 0600 permissions so only the owner can read it.
The env.j2 template injects all secrets needed by Docker Compose at container startup, including database passwords, API tokens, and service credentials. The actual values come from ansible/group_vars/all/vault.yml (Ansible Vault encrypted).
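The two tasks above, written out as an added example that is not the project's own ansible/01_setup_secrets.yml. Variable names (remote_deploy_base, deployment_user, templates/env.j2) follow the page; the directory mode 0750, group ownership equal to deployment_user, the no_log setting and the trailing permission check are assumptions added here.

```yaml
# Added example, not the project's playbook. Shows how Task 1.0 and Task 1.1
# are typically expressed, plus a post-write check that the 0600 mode held.
- name: Playbook 01 - Secret and environment management
  hosts: all_servers
  become: true

  tasks:
    - name: Task 1.0 - Create base deployment directory
      ansible.builtin.file:
        path: "{{ remote_deploy_base }}"
        state: directory
        owner: "{{ deployment_user }}"
        group: "{{ deployment_user }}"   # assumption: primary group has the same name
        mode: "0750"                     # assumption: the page does not state a directory mode

    - name: Task 1.1 - Generate .env from Ansible Vault template
      ansible.builtin.template:
        src: templates/env.j2
        dest: "{{ remote_deploy_base }}/.env"
        owner: "{{ deployment_user }}"
        group: "{{ deployment_user }}"
        mode: "0600"                     # owner read/write only, as the page specifies
      # The rendered content holds decrypted vault values; no_log keeps it out of
      # the play output, including --diff output when check/diff mode is used.
      no_log: true

    - name: Read back the .env file attributes
      ansible.builtin.stat:
        path: "{{ remote_deploy_base }}/.env"
      register: env_file

    - name: Fail if .env is missing, world/group readable or not owned by the deploy user
      ansible.builtin.assert:
        that:
          - env_file.stat.exists
          - env_file.stat.mode == "0600"
          - env_file.stat.pw_name == deployment_user
        fail_msg: ".env must be owned by {{ deployment_user }} with mode 0600"
```

The stat/assert pair turns the permission requirement into a failing run rather than a silent drift if a later task or a manual change loosens the mode.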
Security
The .env file is written with mode: '0600'. Never commit this file to version control. The .gitignore already excludes it.