Question

I am working with Vagrant and Ansible. I want to automate the deployment role of Ansible (you can check my repo here). For this purpose, I am trying to deploy my local ssh key into my VPS and my Vagrant guest machine (I am trying SSH agent forwarding).

GOAL

Automate deployment process with git using ansible. I've already done this:

---

- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site

Where:

---
# Variables here are applicable to all host groups

repository: git@bitbucket.org:dgnest/dgnest.git

PROBLEM

When I run "vagrant provision", the console stops here:

TASK: [deployment | read-write git checkout from github] **********************

That's because I haven't set up the ssh keys.

I TRIED

I would like to use the key_file option that the git module of ansible has. But it fails too.

---

- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site key_file=/home/oscar/.ssh/id_rsa.pub

Another option is to copy my ~/.ssh/id_rsa.pub into each VPS and Vagrant box, but my problem in this case is handling all the different users. Vagrant uses the "vagrant" user and my VPS uses other ones, so would I have to put my local ssh key into each of these users?

Hope you can help me. Thank you.

UPDATE:

I've just automated @leucos's answer (thanks), copying the private and public RSA keys. I share this link with the implementation.


Solution 2

If you choose the key_file way, my guess is that the key must be on the VPS/vagrant machine. So you might want to copy it first. Note that you need a private key here, not a public one.

For your second option, you could push your key to specific users depending on the instance type. Suppose the user in the VPS is vpsuser, and that you deploy mostly on these VPS; you could do:

group_vars/all:

deploy_user: vpsuser

group_vars/vagrant:

deploy_user: vagrant

Then, you could have a playbook like:

# the private key must be readable only by the deploy user, so set owner and mode
- name: send key to remote deploy user
  copy: src=files/private_key dest=/home/{{ deploy_user }}/.ssh/priv_key owner={{ deploy_user }} mode=0600

- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site key_file=/home/{{ deploy_user }}/.ssh/priv_key

However, I have no idea how the password for the remote private key might be asked for (I don't think Ansible allows authentication agent forwarding by default (check the -vvvv output); you might have to fiddle with your ~/.ansible.cfg).

I suggest that you use a specific key for deployment purposes (with read-only permissions on your git repository). This way, your private key won't leave your machine. Make this special key password-less. I think the security trade-off is acceptable since: it will just protect your code, and your code is checked out on the machine where the private key is, so the game is already over.

Another option is to distribute your application from your local checkout using Ansible: make a tarball, copy the files over, untar, and you're set. This way, you don't need to leave security credentials on your VPS.

Good luck.
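As an added example (not code from the answer above, nor from the asker's repository), here is a complete play implementing the dedicated, passphrase-less, read-only deploy key the answer recommends, with the pieces a practitioner would want around it: strict file permissions on the private half, no key material in the run log, and a pinned host key so the checkout fails loudly instead of hanging on a host-key prompt. The deploy_user/deploy_home variables, the files/deploy_key path and the known_hosts step are assumptions for illustration; module names use current ansible.builtin syntax rather than the answer's inline key=value style.

```yaml
# Added example, not from the original answer. Assumes:
#  - files/deploy_key is a passphrase-less private key whose public half is
#    registered on Bitbucket as a read-only deploy key (never copy the .pub here)
#  - deploy_user is overridden per group (group_vars/vagrant: deploy_user: vagrant)
---
- name: Deploy site from git with a dedicated deploy key
  hosts: all
  become: true
  vars:
    repository: git@bitbucket.org:dgnest/dgnest.git        # from the question
    deploy_user: "{{ ansible_user }}"                       # default to the login user
    deploy_home: "/home/{{ deploy_user }}"
    deploy_key: "{{ deploy_home }}/.ssh/deploy_key"
  tasks:
    - name: Ensure ~/.ssh exists for the deploy user
      ansible.builtin.file:
        path: "{{ deploy_home }}/.ssh"
        state: directory
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0700"

    - name: Install the private deploy key with strict permissions
      ansible.builtin.copy:
        src: files/deploy_key
        dest: "{{ deploy_key }}"
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0600"
      no_log: true                 # keep key material out of the playbook output

    # Trust-on-first-use from the control machine; if your provider publishes
    # host-key fingerprints, put the verified line in group_vars instead.
    - name: Pin the git host's SSH key for the deploy user
      ansible.builtin.known_hosts:
        path: "{{ deploy_home }}/.ssh/known_hosts"
        name: bitbucket.org
        key: "{{ lookup('pipe', 'ssh-keyscan -t ed25519 bitbucket.org 2>/dev/null') }}"
      become_user: "{{ deploy_user }}"

    - name: Create the checkout directory owned by the deploy user
      ansible.builtin.file:
        path: /home/site
        state: directory
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0755"

    - name: Read-only git checkout with the deploy key
      ansible.builtin.git:
        repo: "{{ repository }}"
        dest: /home/site
        key_file: "{{ deploy_key }}"
        accept_hostkey: false      # unknown host key is an error, not a silent accept
      become_user: "{{ deploy_user }}"
```

Run it with `ansible-playbook -i inventory deploy.yml`. The key lives only under the deploy user's home with mode 0600, so a compromise of that host yields read access to the repository and nothing else, which is the trade-off the answer argues is acceptable.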

OTHER TIPS

You don't have to copy your local SSH key to the remote servers. Instead, you just create a file named ansible.cfg in the directory you are running the deployment scripts from, and put in the following settings:

[ssh_connection]
ssh_args = -o ForwardAgent=yes

That's it, now your local identity is forwarded to the remote servers you manage with Ansible.
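As an added example, not part of the tip above: a play that performs the checkout through the forwarded agent, first verifying on the remote that the forwarded socket actually works so a missing ansible.cfg produces a clear failure rather than a hang. It assumes the ansible.cfg shown above sits in the directory ansible-playbook is run from, that ssh-agent on the control machine holds the key authorised on Bitbucket, and it reuses the question's repository URL and /home/site destination; the second checkout task and its /srv/site path are there only to illustrate the become caveat.

```yaml
# Added example, not from the original tip. Requires ansible.cfg with
# [ssh_connection] ssh_args = -o ForwardAgent=yes in the working directory.
---
- name: Deploy site over a forwarded SSH agent (no key material on the host)
  hosts: all
  gather_facts: true              # ansible_env.SSH_AUTH_SOCK comes from the login user's environment
  vars:
    repository: git@bitbucket.org:dgnest/dgnest.git
  tasks:
    # ssh-add exit codes: 0 = keys available, 1 = agent reachable but empty,
    # 2 = no agent socket (forwarding off, or ansible.cfg not picked up)
    - name: Ask the forwarded agent which keys it holds
      ansible.builtin.command: ssh-add -l
      register: agent_keys
      changed_when: false
      failed_when: false

    - name: Stop early with a clear message if forwarding did not work
      ansible.builtin.assert:
        that: agent_keys.rc == 0
        fail_msg: >-
          No usable agent on the remote (rc={{ agent_keys.rc }}): check that ansible.cfg
          is in the current directory, ssh-agent is running locally and the key is added.

    - name: Checkout as the login user, who owns the forwarded socket
      ansible.builtin.git:
        repo: "{{ repository }}"
        dest: /home/site
        accept_hostkey: true      # trust on first use; pre-seed known_hosts if the host key is known
      become: false

    # An elevated shell loses SSH_AUTH_SOCK, so hand it over explicitly.
    # Only root may open another user's socket; a non-root become_user still fails.
    - name: Same checkout under become, re-exporting the agent socket
      ansible.builtin.git:
        repo: "{{ repository }}"
        dest: /srv/site
        accept_hostkey: true
      become: true
      environment:
        SSH_AUTH_SOCK: "{{ ansible_env.SSH_AUTH_SOCK }}"
```

Agent forwarding keeps the private key off the server, but while the connection is open anyone with root on that server can use the forwarded socket to authenticate as you. Reserve it for hosts you trust (a local Vagrant box) and prefer a scoped, read-only deploy key for shared VPS hosts.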

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow