To work with the root user and ssh keys is a common practice in the Ansible community. Another variant is to use a “deploy” user with the same password on every machine.
Another option is to use Ansible Vault to encrypt the yaml files. or to use a password manager. It’s never a good idea to keep passwords, private keys and other sensual data to the source code repository.

Pass

I use Pass for all of my personal or company passwords for almost an year. It’s like a Keepass but simpler. The project follows the UNIX philosophy “Do One Thing and Do It Well”.
Pass stores every password in a PGP encrypted file in a directory tree. It has also Git integration and Bash/Zsh completion. Really cool! Check the project page or the Man for additional documentation. There was a lighting talk from the 32c3 congress this year. I’ll append it when it appears online.

Reading sudo passwords from Pass with Ansible

It’s really simple. Just use “Lookup” with pipe inside your host_vars/examplehost file, like this:

1
ansible_sudo_pass: "{ { lookup('pipe', 'pass show Inventoryname/hosts/examplehost/myusername') }}"

And append sudo: yes to every command in the tasks, like this:

1
2
3
- name: Just a test task
copy: src=/etc/passwd dest=/tmp/passwdfile
sudo: yes

You should also use gpg-agent. Otherwise, Ansible will ask for the gpg key password for each operation.