Tools like gocryptfs have some advantages when they’re used in combination with systemd, because dependency, status and permissions can easily be defined.
Since it needs a passphrase, it would either require a plain text file on the system or a password via stdin by using systemd-ask-password.
The stdin variant is usually preferred since passphrases in plain text files have some disadvantages.
While Ansible has a systemd module, it doesn’t seem to give a possibility to insert such arguments directly.
Thus I’m curious what the preferred way of handling service (re-)starts with password inputs is when using Ansible.
Something that would do something like this pseudocode:
- name: Start GoCryptFs
  systemd:
    name: gocryptfs
    state: started
    daemon_reload: true
  args:
    stdin: "{{ gocryptfs_password }}"