Posts tagged: ansible

Vaulted Secrets Without Git Churn

2026-02-26T09:59:57Z

Ansible Vault keeps secrets out of sight, but the ciphertext changes on every encrypt. That turns Git diffs into noise and makes it hard to tell if anything actually changed. Decrypting, editing, and re-encrypting often leaves uncertainty about whether any plaintext changed. This is amplified when secret repos are tightly coupled to dependent repositories. A typical cycle includes decrypting, adding a key, updating a value, applying changes, and returning later with little clarity about what changed while secrets were in plaintext.

Today a new workflow was created with @gpt-5.2-codex to keep diffs clean and avoid re-encrypting when the plaintext is identical.

Waylon Walker

This repo has ansible vaulted secrets and an encrypt/decrypt process, but no way to compare. Please research compare options. The goal is to avoid changing files on encrypt/decrypt when plaintext is unchanged, ideally by comparing decrypted content and reusing the remote encrypted file.

@gpt-5.2-codex

The repo workflow will be reviewed, compare options identified, and a low-churn GitOps approach proposed to avoid re-encrypt noise.

The problem #

Re-encrypting a file with the same content produces different ciphertext. A simple decrypt/encrypt cycle can look like a full file change, even when the plaintext is identical. That creates uncertainty and makes GitOps workflows feel brittle.

Waylon Walker

Minimal changes needed to keep GitOps clear?

@gpt-5.2-codex

Add compare-before-encrypt, decrypted diffs, and ignore cache artifacts.

The solution at a glance #

Three pieces make it work:

Compare-before-encrypt
- just decrypt stores a plaintext hash and caches the current encrypted file.
- just encrypt compares the plaintext hash and, if unchanged, restores the cached ciphertext instead of re-encrypting.
Readable diffs for vaulted files
- .gitattributes sets private/* diff=ansible-vault.
- A small textconv script decrypts for git diff.
Ignored cache artifacts
- .vault-hashes/ and .vault-cache/ are ignored so they never hit the repo.

How it works #

Waylon Walker

How does compare-before-encrypt operate?

@gpt-5.2-codex

Hash plaintext on decrypt, reuse cached ciphertext on encrypt if the hash matches.

Compare-before-encrypt #

When a file is decrypted, a SHA-256 hash of the plaintext is created and stored in .vault-hashes/. A copy of the encrypted file is stored in .vault-cache/.

When encrypting, the current plaintext file is hashed. If the hash matches the cached hash, the cached encrypted file is restored instead of generating new ciphertext. Result: no churn when nothing actually changed.

Decrypted diffs #

Git is configured to use ansible-vault view as a text conversion step for files under private/. As a result, git diff shows decrypted content instead of ciphertext.

Enable the diff driver locally:

git config diff.ansible-vault.textconv "scripts/ansible-vault-diff"

What changes will be seen #

If a secret changes: the diff shows the plaintext change.
If decrypt and re-encrypt occurs without changes: the diff stays clean.
Large base64 blobs may still look like full-line diffs because they are single-line values.

Waylon Walker

What is the day-to-day workflow?

@gpt-5.2-codex

`just decrypt`, edit, then `just encrypt`. Clean diffs, no churn.

Recommended usage #

just decrypt
# apply edits
just encrypt

That is sufficient to keep Git history clean and reduce uncertainty about whether a secret actually changed.

💭 Ansible Galaxy - amazon.aws

2024-12-05T00:06:23Z

Ansible Galaxy

galaxy.ansible.com

Great examples for working with s3 buckets with ansible.

Note

This post is a thought. It’s a short note that I make about someone else’s content online #thoughts

Installing system nerd-fonts with ansible

2021-12-25T20:24:48Z

Lately I’ve been on a journey to really clean up my dotfiles, and I was completely missing fonts. I noticed jumping into a new vm I had a bunch of broken devicons when using Telescope with the devicons plugins.

This is one of those things that can be a total pain to get right on some systems, and it’s so nice when it’s just there for you pretty much out of the box.

make sure your user fonts directory exists
chech if the font you want exists on your machine
download and unzip fonts into the fonts directory
repeat 2-3 for all the fonts you use on your system

- name: ensure fonts directory
  file:
    path: "{{ lookup('env', 'HOME') }}/.fonts"
    state: directory

- name: Hack exists
  shell: "ls {{ lookup('env', 'HOME') }}/.fonts/Hack*Nerd*Font*Complete*"
  register: hack_exists
  ignore_errors: yes

- name: Download Hack
  when: hack_exists is failed
  ansible.builtin.unarchive:
    src: https://github.com/ryanoasis/nerd-fonts/releases/download/v2.1.0/Hack.zip
    dest: "{{ lookup('env', 'HOME') }}/.fonts/"
    remote_src: yes

https://www.youtube.com/watch?v=2MEmsinxRK4

I made a YT based on this post

Links #

ansible docs for builtin.unarchive

Setup a yaml schema | yamlls for a silky smooth setup

check out how I install yamlls using ansible

Installing packages with ansible only if they do not exist

2021-12-24T20:24:48Z

Part of my neovim setup requires having the black python formatter installed and callable. I install it with pipx so that I don’t have to manage a virtual environment and have it available everywhere. So far this works well for me, if there are ever breaking changes I may need to rethink this.

re-installing a bunch of things that are already installed can be quite a waste and really add up to my ansible run time, so for most of my ansible tasks that install a command like this I have been following this pattern.

check if the command is installed with command -v <command>
register that step
ignore if that step fails
add a when: <xxx>_exists is failed condition to the step that installs that command.

- name: check is black installed
  shell: command -v black
  register: black_exists
  ignore_errors: yes

- name: install black
  when: black_exists is failed
  shell: pipx install black

https://www.youtube.com/watch?v=MCFg6-W5SBI

I made a video based on this post, check it out if its your thing