This is how I manage my own infrastructure. It’s a project, but it’s not really intended for public consumption… in particular, documentation is pretty much nonexistent.
It’s a repo that builds a Docker image with all the prerequisites I need,
like libraries for talking to AWS and so forth.
I commit encrypted secrets to the repo,
and then start the image and run `psecrets unlock`.
That prompts me for my GPG passphrase, and once it’s entered correctly,
I can deploy to all my infrastructure seamlessly.
The Docker image is intended to be short-lived, so that my secret key stays out of memory unless necessary.
It is also a great way to work if you want to deploy from machines on different OSes,
because the prereqs can be built into the Docker image one time, and then run from anywhere.
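To illustrate the unlock step described above, here is an added stand-in for the in-container part of that workflow; it is not the repo's own `psecrets` code. It assumes gpg 2.1+ is on PATH, that the encrypted files live under `secrets/*.gpg`, and it uses symmetric GPG encryption with a passphrase rather than the author's GPG secret key so it runs without a keyring; the plaintext lands in a RAM-backed directory and is scrubbed when the shell exits, which is the point of keeping the container short-lived.

```shell
#!/bin/sh
# Hypothetical stand-in for `psecrets unlock` (added example, not the project's code).
# Assumptions: gpg 2.1+ on PATH; encrypted secrets in $SECRETS_DIR/*.gpg;
# plaintext is written to a RAM-backed dir (a tmpfs mount in a real container).
set -eu

SECRETS_DIR="${SECRETS_DIR:-./secrets}"
UNLOCK_DIR="${UNLOCK_DIR:-/dev/shm/psecrets.$$}"

# Decrypt every *.gpg under $SECRETS_DIR into $UNLOCK_DIR using $1 as the passphrase.
# Prints the number of files decrypted; a wrong passphrase makes gpg fail and set -e aborts.
unlock_secrets() {
  pass="$1"
  mkdir -p "$UNLOCK_DIR" && chmod 700 "$UNLOCK_DIR"
  n=0
  for f in "$SECRETS_DIR"/*.gpg; do
    [ -e "$f" ] || continue
    out="$UNLOCK_DIR/$(basename "$f" .gpg)"
    # loopback pinentry accepts a passphrase from the script; interactive use would prompt instead
    gpg --quiet --batch --pinentry-mode loopback --passphrase "$pass" \
        --output "$out" --decrypt "$f"
    chmod 600 "$out"
    n=$((n + 1))
  done
  echo "$n"
}

# Remove the plaintext: overwrite first where shred exists, then drop the directory.
# On tmpfs this releases the RAM holding the secrets.
lock_secrets() {
  [ -d "$UNLOCK_DIR" ] || return 0
  find "$UNLOCK_DIR" -type f -exec shred -u {} + 2>/dev/null || true
  rm -rf "$UNLOCK_DIR"
}

# Scrub on any exit, so a crashed deploy does not leave plaintext behind.
trap lock_secrets EXIT
```

Run it inside a container started with `--rm` and a tmpfs mounted at the unlock directory, so nothing decrypted survives the container.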
The code may be useful to others in bits and pieces though. I have referenced it from a few blog posts:
- Let’s Encrypt DNS challenges for appliances behind a firewall shows how I get Let’s Encrypt certificates without putting my private infrastructure on the public Internet
- An Ansible filter is a pure function shows an Ansible filter I wrote