For some reason, Ansible developers felt like it was important that
users name their host groups according to Python identifier naming
conventions. This prevents, among other things, hyphens from being used
in group names. Luckily, this ridiculous behavior is configurable.

Newer versions of Ansible no longer require a single top-level temporary
directory per user, as each run creates its own. Combined with the weird
random failures on *dc0.pyrocufflink.blue* that prevent Jenkins from
using Ansible occasionally, it's better to just let Ansible create its
own temporary directory directly in `/var/tmp` and clean up after itself
when it finishes.

Apparently, the `vault_password_file` setting in `ansible.cfg` overrides
the `--vault-password-file` command-line argument, which breaks the
Jenkins `ansiblePlaybook` task.

Many hosts (should) have `/tmp` mounted with the `noexec` flag, which
prevents Ansible modules written there from running. To work around
this, the `remote_tmp` configuration option should be set to a path
under `/var/tmp`, which is not mounted `noexec`.

Encrypting the vault password with GPG protects the key when stored on
disk and allows it to be accessed non-interactively, as long as the
GnuPG agent is set up correctly.
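
A vault password script along the lines of the last message, as an added example that is not code from this repository: Ansible executes a vault password file that is marked executable and takes the password from its stdout. The file name `vault-password.gpg`, the `VAULT_PASSWORD_GPG` variable and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Ansible vault password script: print the GPG-decrypted vault password."""
import os
import subprocess
import sys

# Assumed (hypothetical) file name; override with VAULT_PASSWORD_GPG.
DEFAULT_FILE = "vault-password.gpg"


def read_vault_password(path, gpg="gpg", run=subprocess.run, timeout=30):
    """Decrypt `path` via gpg-agent; raise RuntimeError rather than prompt."""
    if not os.path.isfile(path):
        raise RuntimeError(f"encrypted password file not found: {path}")
    cmd = [
        gpg, "--batch", "--quiet", "--no-tty",
        "--pinentry-mode", "error",  # key not unlocked: fail, do not hang the job
        "--decrypt", path,
    ]
    try:
        proc = run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                   timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise RuntimeError(f"could not run {gpg}: {exc}") from exc
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"gpg exited {proc.returncode}: {detail}")
    password = proc.stdout.decode().rstrip("\r\n")
    if not password:
        # Refuse an empty result instead of handing Ansible a blank password.
        raise RuntimeError("decrypted vault password is empty")
    return password


def main():
    path = os.environ.get("VAULT_PASSWORD_GPG", DEFAULT_FILE)
    try:
        # Ansible reads the password from this script's stdout.
        print(read_vault_password(path))
    except RuntimeError as exc:
        print(f"vault-pass: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Errors go to stderr with a non-zero exit status, so a locked key shows up as a failed run rather than a job waiting on a passphrase prompt.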