From cf3915fbd8e5437782b407580397f5fff50bf299 Mon Sep 17 00:00:00 2001 From: Lucas Ramage Date: Sun, 3 May 2020 11:41:34 -0400 Subject: [PATCH] Document working with Ansible (#306) Bug: https://github.com/StackExchange/blackbox/issues/295 See: https://docs.ansible.com/ansible/latest/user_guide/vault.html#providing-vault-passwords See: https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-vault-password-file --- README.md | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0045998..3aaa5f2 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,11 @@ Table of Contents - [Compatibility](#compatibility) - [How is the encryption done?](#how-is-the-encryption-done) - [What does this look like to the typical user?](#what-does-this-look-like-to-the-typical-user) -- [How to use the secrets with Puppet?](#how-to-use-the-secrets-with-puppet) - - [Entire files](#entire-files) - - [Small strings](#small-strings) +- Configuration Management + - [How to use the secrets with Ansible?](#how-to-use-the-secrets-with-ansible) + - [How to use the secrets with Puppet?](#how-to-use-the-secrets-with-puppet) + - [Entire files](#entire-files) + - [Small strings](#small-strings) - File Management - [How to enroll a new file into the system?](#how-to-enroll-a-new-file-into-the-system) - [How to remove a file from the system?](#how-to-remove-a-file-from-the-system) 
@@ -233,6 +235,22 @@ What does this look like to the typical user? Wait... it can be even easier than that! Run `blackbox_edit FILENAME`, and it'll decrypt the file in a temp file and call `$EDITOR` on it, re-encrypting again after the editor is closed. +How to use the secrets with Ansible? +=================================== + +Ansible Vault provides functionality for encrypting both entire files and strings stored within files; however, +keeping track of the password(s) required for decryption is not handled by this module. + +Instead one must specify a password file when running the playbook. + +Ansible example for password file: `my_secret_password.txt.gpg` + +``` +ansible-playbook --vault-password-file my_secret_password.txt site.yml +``` + +Alternatively, one can specify this in the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable. + How to use the secrets with Puppet? ===================================
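Review bot: in the new Ansible section, the password file is introduced as `my_secret_password.txt.gpg` but the command passes `--vault-password-file my_secret_password.txt`, and nothing in between says how the plaintext file gets there. Add the missing step: the file has to be decrypted with blackbox before `ansible-playbook` runs, and the plaintext copy should be removed again afterward so the vault password does not stay on disk unencrypted. The sentence on `ANSIBLE_VAULT_PASSWORD_FILE` would be clearer with the same file name spelled out, so readers see it also points at the decrypted file and not the `.gpg` one. Minor: "this module" is ambiguous in "is not handled by this module"; naming Ansible Vault directly would read better.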