adding certificates to the public images

removing sync'd folder for /vagrant

change identity file default to none

removing check for git identity

typo

typo

adding python-yaml for dumping vars

certs settings changes for local disk generation

adding var dump var

adding template for certs

adding certs to default sites

adding 400 condition to the certs nginx template

updating update script for certs, removing discern

adding cert to help

giving www-data write permission to the web root

typo

adding download url

fixing web root

adding certs download url

adding more config for cert template dir, verify url

moving extra vars into the vagrantfile

adding verify url to vagrantfile

syntax

look for valid.html

adding ownertrust export

adding the trust import

removing skip-tags for reconfigure

upgrading to latest released ansible

adding carriage return to owner trust

setting cert urls in extra vars

moving extra vars to vagrantfile

adding new accept_hostkey parameter to all git calls

set key_file

changing dir for userknownhostsfile

adding more verbosity

changing knownhostsfile in environment

don't use userknownhostsfile

setting accept_hostkey back to yes

adding .ssh dirs for the 1.5 git module

adding certs nginx site

playbooks/edx-east/edx_continuous_integration.yml

@@ -18,6 +18,7 @@
       - ora
       - xqueue
       - xserver
+      - certs
       nginx_default_sites:
       - lms
     - edxlocal

playbooks/edx_sandbox.yml

@@ -38,7 +38,7 @@
     - forum
     - { role: "xqueue", update_users: True }
     - ora
-    - discern
+    - certs
     - edx_ansible
     - role: datadog
       when: ENABLE_DATADOG

playbooks/roles/analytics-server/tasks/deploy.yml

@@ -25,6 +25,7 @@
 - name: checkout code
   git:
     dest={{ as_code_dir }} repo={{ as_source_repo }}
+    accept_hostkey=yes
     version={{ as_version }} force=true
   environment:
     GIT_SSH: $as_git_ssh

playbooks/roles/analytics/tasks/deploy.yml

@@ -25,6 +25,7 @@
 - name: checkout code
   git:
     dest={{ analytics_code_dir }} repo={{ analytics_source_repo }}
+    accept_hostkey=yes
     version={{ analytics_version }} force=true
   environment:
     GIT_SSH: $analytics_git_ssh

playbooks/roles/certs/defaults/main.yml

@@ -25,18 +25,39 @@ CERTS_AWS_KEY: ""
 CERTS_AWS_ID: ""
 # GPG key ID, defaults to the dummy key
 CERTS_KEY_ID: "FEF8D954"
-# Path to git identity file for pull access to
-# the edX certificates repo - REQUIRED
-# Example - {{ secure_dir }}/files/git-identity
-CERTS_GIT_IDENTITY: !!null
+# Contents of the identity for a private
+# repo. Leave set to "none" if using the public
+# certificate repo
+CERTS_GIT_IDENTITY: "none"
 # Path to public and private gpg key for signing
 # the edX certificate. Default is a dummy key
 CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"
 
+# This defaults to the public certificates repo which is
+# used for open-edx
+CERTS_REPO: "https://github.com/edx/read-only-certificate-code"
+CERTS_NGINX_PORT: 18090
+CERTS_WEB_ROOT: "{{ certs_data_dir }}/www-data"
+CERTS_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_DOWNLOAD_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_VERIFY_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+# Set to false if using s3 or if you don't want certificates
+# copied to the web root
+CERTS_COPY_TO_WEB_ROOT: true
+CERTS_S3_UPLOAD: false
+
+# Can be set to a different repo for private
+# templates, fonts, etc.
+CERTS_TEMPLATE_DATA_DIR: 'template_data'
+# this is the trust export, output of
+# gpg --export-ownertrust
+CERTS_OWNER_TRUST: "A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:\n"
+
 ########## Internal role vars below
 
 certs_user: certs
 certs_app_dir: "{{ COMMON_APP_DIR }}/certs"
+certs_data_dir: "{{ COMMON_DATA_DIR }}/certs"
 certs_code_dir: "{{ certs_app_dir }}/certificates"
 certs_venvs_dir: "{{ certs_app_dir }}/venvs"
 certs_venv_dir: "{{ certs_venvs_dir }}/certs"
@@ -44,7 +65,6 @@ certs_venv_bin: "{{ certs_venv_dir }}/bin"
 certs_git_ssh: /tmp/git_ssh.sh
 certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
 certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
-certs_repo: "git@github.com:/edx/certificates"
 certs_version: 'master'
 certs_gpg_dir: "{{ certs_app_dir }}/gnupg"
 certs_env_config:
@@ -57,6 +77,13 @@ certs_env_config:
   CERT_KEY_ID: $CERTS_KEY_ID
   LOGGING_ENV: ""
   CERT_GPG_DIR: $certs_gpg_dir
+  CERT_URL: $CERTS_URL
+  CERT_DOWNLOAD_URL: $CERTS_DOWNLOAD_URL
+  CERT_WEB_ROOT: $CERTS_WEB_ROOT
+  COPY_TO_WEB_ROOT: $CERTS_COPY_TO_WEB_ROOT
+  S3_UPLOAD: $CERTS_S3_UPLOAD
+  CERT_VERIFY_URL: $CERTS_VERIFY_URL
+  TEMPLATE_DATA_DIR: $CERTS_TEMPLATE_DATA_DIR
 
 certs_auth_config:
   QUEUE_USER: $CERTS_QUEUE_USER

playbooks/roles/certs/files/example-key-ownertrust.txt

+A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:

playbooks/roles/certs/tasks/deploy.yml

@@ -36,14 +36,19 @@
     owner={{ certs_user }} mode=750
   notify: restart certs
 
+# This key is only needed if you are pulling down a private
+# certificates repo
 - name: install read-only ssh key for the certs repo
   copy: >
     content="{{ CERTS_GIT_IDENTITY }}" dest={{ certs_git_identity }}
     force=yes owner={{ certs_user }} mode=0600
+  when: CERTS_GIT_IDENTITY != "none"
   notify: restart certs
 
 - name: checkout certificates repo into {{ certs_code_dir }}
-  git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
+  git: >
+    dest={{ certs_code_dir }} repo={{ CERTS_REPO }} version={{ certs_version }}
+    accept_hostkey=yes
   sudo_user: "{{ certs_user }}"
   environment:
     GIT_SSH: "{{ certs_git_ssh }}"
@@ -51,6 +56,7 @@
 
 - name: remove read-only ssh key for the certs repo
   file: path={{ certs_git_identity }} state=absent
+  when: CERTS_GIT_IDENTITY != "none"
   notify: restart certs
 
 - name : install python requirements

playbooks/roles/certs/tasks/main.yml

@@ -31,10 +31,6 @@
 #     - supervisor
 #     - certs
 #
-- name: Checking to see if git identity is set
-  fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
-  when: not CERTS_GIT_IDENTITY
-
 - name: create application user
   user: >
     name="{{ certs_user }}"
@@ -43,7 +39,7 @@
     shell=/bin/false
   notify: restart certs
 
-- name: create certs app and data dirs
+- name: create certs app dirs
   file: >
     path="{{ item }}"
     state=directory
@@ -52,7 +48,20 @@
   notify: restart certs
   with_items:
     - "{{ certs_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ certs_app_dir }}/.ssh"
     - "{{ certs_venvs_dir }}"
+    - "{{ certs_data_dir }}"
+
+# The certs web root must be owned
+# by the web user so the certs service
+# can write files there.
+- name: create certs web root
+  file: >
+    path="{{ CERTS_WEB_ROOT }}"
+    state=directory
+    owner="{{ common_web_group }}"
+    group="{{ certs_user }}"
 
 - name: create certs gpg dir
   file: >
@@ -69,6 +78,12 @@
   notify: restart certs
   register: certs_gpg_key
 
+- name: copy the pgp trust export
+  copy: >
+    content="{{ CERTS_OWNER_TRUST }}"
+    dest={{ certs_app_dir }}/trust.export
+    owner={{ common_web_user }} mode=0600
+  notify: restart certs
 
 - name: load the gpg key
   shell: >
@@ -77,4 +92,11 @@
   when: certs_gpg_key.changed
   notify: restart certs
 
+- name: import the trust export
+  shell: >
+    /usr/bin/gpg --homedir {{ certs_gpg_dir }} --import-ownertrust {{ certs_app_dir }}/trust.export
+  sudo_user: "{{ common_web_user }}"
+  when: certs_gpg_key.changed
+  notify: restart certs
+
 - include: deploy.yml tags=deploy

playbooks/roles/demo/tasks/deploy.yml

 ---
 
 - name: check out the demo course
-  git: dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+  git: >
+    dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+    accept_hostkey=yes
   sudo_user: "{{ demo_edxapp_user }}"
   register: demo_checkout
 

playbooks/roles/discern/tasks/deploy.yml

@@ -33,13 +33,17 @@
     - restart discern
 
 - name: git checkout discern repo into discern_code_dir
-  git: dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+  git: >
+    dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+    accept_hostkey=yes
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern
 
 - name: git checkout ease repo into discern_ease_code_dir
-  git: dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+  git: >
+    dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+    accept_hostkey=yes
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern
@@ -48,7 +52,7 @@
 - name : install python pre-requirements for discern and ease
   pip: >
     requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
-    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"  
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
   sudo_user: "{{ discern_user }}"
   notify:
     - restart discern

playbooks/roles/edx_ansible/defaults/main.yml

@@ -29,6 +29,7 @@ edx_ansible_debian_pkgs:
   - libxml2-dev
   - libxslt1-dev
   - curl
+  - python-yaml
 edx_ansible_app_dir: "{{ COMMON_APP_DIR }}/edx_ansible"
 edx_ansible_code_dir: "{{ edx_ansible_app_dir }}/edx_ansible"
 edx_ansible_data_dir: "{{ COMMON_DATA_DIR }}/edx_ansible"

playbooks/roles/edx_ansible/tasks/deploy.yml

 ---
 - name: git checkout edx_ansible repo into edx_ansible_code_dir
-  git: dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+  git: >
+    dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+    accept_hostkey=yes
   sudo_user: "{{ edx_ansible_user }}"
 
 - name : install edx_ansible venv requirements

playbooks/roles/edx_ansible/templates/update.j2

@@ -12,7 +12,7 @@ IFS=","
             -v        add verbosity to edx_ansible run
             -h        this
 
-    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, discern, edx-ora, configuration
+    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, edx-ora, configuration, read-only-certificate-code
     <version> - can be a commit or tag
 
 EO
@@ -43,12 +43,13 @@ edx_ansible_cmd="{{ edx_ansible_venv_bin }}/ansible-playbook -i localhost, -c lo
 
 repos_to_cmd["edx-platform"]="$edx_ansible_cmd edxapp.yml -e 'edx_platform_version=$2'"
 repos_to_cmd["xqueue"]="$edx_ansible_cmd xqueue.yml -e 'xqueue_version=$2'"
+repos_to_cmd["xserver"]="$edx_ansible_cmd xserver.yml -e 'xserver_version=$2'"
 repos_to_cmd["cs_comments_service"]="$edx_ansible_cmd forum.yml -e 'forum_version=$2'"
 repos_to_cmd["xserver"]="$edx_ansible_cmd forums.yml -e 'xserver_version=$2'"
 repos_to_cmd["ease"]="$edx_ansible_cmd discern.yml -e 'discern_ease_version=$2' && $edx_ansible_cmd ora.yml -e 'ora_ease_version=$2'"
-repos_to_cmd["discern"]="$edx_ansible_cmd discern.yml -e 'discern_version=$2'"
 repos_to_cmd["edx-ora"]="$edx_ansible_cmd ora.yml -e 'ora_version=$2'"
 repos_to_cmd["configuration"]="$edx_ansible_cmd edx_ansible.yml -e 'configuration_version=$2'"
+repos_to_cmd["read-only-certificate-code"]="$edx_ansible_cmd certs.yml -e 'certs_version=$2'"
 
 
 if [[ -z $1 || -z $2 ]]; then

playbooks/roles/edxapp/tasks/deploy.yml

@@ -28,7 +28,9 @@
 
 # Do A Checkout
 - name: checkout edx-platform repo into {{edxapp_code_dir}}
-  git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+  git: >
+    dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+    accept_hostkey=yes
   register: chkout
   sudo_user: "{{ edxapp_user }}"
   environment:
@@ -45,7 +47,9 @@
   - "restart edxapp_workers"
 
 - name: checkout theme
-  git: dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+  git: >
+    dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+    accept_hostkey=yes
   when: edxapp_theme_name != ''
   sudo_user: "{{ edxapp_user }}"
   environment:

playbooks/roles/edxapp/tasks/main.yml

@@ -19,6 +19,8 @@
   - "restart edxapp_workers"
   with_items:
     - "{{ edxapp_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ edxapp_app_dir }}/.ssh"
     - "{{ edxapp_data_dir }}"
     - "{{ edxapp_venvs_dir }}"
     - "{{ edxapp_theme_dir }}"

playbooks/roles/forum/tasks/deploy.yml

@@ -30,7 +30,9 @@
   notify: restart the forum service
 
 - name:  git checkout forum repo into {{ forum_code_dir }}
-  git: dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+  git: >
+    dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+    accept_hostkey=yes
   sudo_user: "{{ forum_user }}"
   notify: restart the forum service
 

playbooks/roles/jenkins_master/tasks/main.yml

@@ -84,7 +84,9 @@
 # upstream, we may be able to use the regular plugin install process.
 # Until then, we compile and install the forks ourselves.
 - name: checkout custom plugin repo
-  git: repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+  git: >
+    repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+    accept_hostkey=yes
   with_items: jenkins_custom_plugins
 
 - name: compile custom plugins

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2

+server {
+  listen {{ CERTS_NGINX_PORT }} default_server;
+
+  location / {
+    root {{ CERTS_WEB_ROOT }};
+    {% include "basic-auth.j2" %}
+    try_files $uri $uri/valid.html =404;
+  }
+}
+

playbooks/roles/notifier/tasks/deploy.yml

@@ -4,6 +4,7 @@
   git:
     dest={{ NOTIFIER_CODE_DIR }} repo={{ NOTIFIER_SOURCE_REPO }}
     version={{ NOTIFIER_VERSION }}
+    accept_hostkey=yes
   sudo: true
   sudo_user: "{{ NOTIFIER_USER }}"
   notify:

playbooks/roles/ora/tasks/deploy.yml

@@ -40,7 +40,9 @@
 
 # Do A Checkout
 - name: git checkout ora repo into {{ ora_app_dir }}
-  git: dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+  git: >
+    dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+    accept_hostkey=yes
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora

playbooks/roles/ora/tasks/ease.yml

 # Do A Checkout
 - name: git checkout ease repo into its base dir
-  git: dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+  git: >
+    dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+    accept_hostkey=yes
   sudo_user: "{{ ora_user }}"
   notify:
     - restart ora

playbooks/roles/rbenv/tasks/main.yml

@@ -53,6 +53,7 @@
   git: >
     repo=https://github.com/sstephenson/rbenv.git
     dest={{ rbenv_dir }}/.rbenv version={{ rbenv_version }}
+    accept_hostkey=yes
   sudo_user: "{{ rbenv_user }}"
 
 - name: ensure ruby_env exists
@@ -79,7 +80,9 @@
   when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)
 
 - name: clone ruby-build repo
-  git: repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+  git: >
+    repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+    accept_hostkey=yes
   when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)
   sudo_user: "{{ rbenv_user }}"
 

playbooks/roles/xqueue/tasks/deploy.yml

@@ -28,7 +28,9 @@
 
 # Do A Checkout
 - name: git checkout xqueue repo into xqueue_code_dir
-  git: dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+  git: >
+    dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+    accept_hostkey=yes
   sudo_user: "{{ xqueue_user }}"
   notify:
     - restart xqueue

playbooks/roles/xserver/tasks/deploy.yml

@@ -12,7 +12,9 @@
   when: not disable_edx_services
 
 - name: checkout code
-  git: dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+  git: >
+    dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+    accept_hostkey=yes
   sudo_user: "{{ xserver_user }}"
   notify: restart xserver
 
@@ -48,7 +50,9 @@
   notify: restart xserver
 
 - name: checkout grader code
-  git: dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+  git: >
+    dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+    accept_hostkey=yes
   environment:
     GIT_SSH: /tmp/git_ssh.sh
   notify: restart xserver

playbooks/roles/xserver/tasks/main.yml

@@ -32,6 +32,8 @@
     group="{{ common_web_group }}"
   with_items:
     - "{{ xserver_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ xserver_app_dir }}/.ssh"
     - "{{ xserver_venvs_dir }}"
     - "{{ xserver_data_dir }}"
     - "{{ xserver_data_dir }}/data"

playbooks/roles/xserver/templates/git_ssh.sh.j2

 #!/bin/sh
-exec /usr/bin/ssh -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"
+exec /usr/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"

playbooks/vagrant-devstack.yml

@@ -2,16 +2,6 @@
   hosts: all
   sudo: True
   gather_facts: True
-  vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    devstack: True
-    disable_edx_services: True
-    edx_platform_version: 'master'
-    mongo_enable_journal: False
-    EDXAPP_NO_PREREQ_INSTALL: 0
-    COMMON_MOTD_TEMPLATE: "devstack_motd.tail.j2"
-    COMMON_SSH_PASSWORD_AUTH: "yes"
   vars_files:
     - "group_vars/all"
   roles:

playbooks/vagrant-fullstack.yml

@@ -2,11 +2,6 @@
   hosts: all
   sudo: True
   gather_facts: True
-  vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    EDXAPP_LMS_NGINX_PORT: '80'
-    edx_platform_version: 'master'
   vars_files:
     - "group_vars/all"
   roles:
@@ -19,6 +14,7 @@
       - ora
       - forum
       - xqueue
+      - certs
       nginx_default_sites:
       - lms
       - cms
@@ -33,4 +29,5 @@
     - forum
     - { role: "xqueue", update_users: True }
     - ora
+    - certs
     - edx_ansible

requirements.txt

-ansible==1.4.4
-PyYAML==3.10
+ansible==1.5.4
+PyYAML==3.11
 Jinja2==2.7.2
-MarkupSafe==0.18
+MarkupSafe==0.21
 argparse==1.2.1
 boto==2.20.1
-ecdsa==0.10
-paramiko==1.12.0
+ecdsa==0.11
+paramiko==1.13.0
 pycrypto==2.6.1
 wsgiref==0.1.2
 docopt==0.6.1

util/jenkins/ansible-provision.sh

@@ -87,6 +87,8 @@ EDXAPP_PREVIEW_LMS_BASE: preview.${deploy_host}
 EDXAPP_LMS_BASE: ${deploy_host}
 EDXAPP_CMS_BASE: studio.${deploy_host}
 EDXAPP_SITE_NAME: ${deploy_host}
+CERTS_DOWNLOAD_URL: "http://${deploy_host}:18090"
+CERTS_VERIFY_URL: "http://${deploy_host}:18090"
 edx_platform_version: $edxapp_version
 forum_version: $forum_version
 xqueue_version: $xqueue_version
@@ -161,15 +163,15 @@ done
 # run non-deploy tasks for all roles
 if [[ $reconfigure == "true" || $server_type == "full_edx_installation_from_scratch" ]]; then
     cat $extra_vars_file
-    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --skip-tags deploy
+    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu 
 fi
 
-if [[ $server_type == "full_edx_installation" || $server_type == "full_edx_installation_from_scratch" ]]; then
+if [[ $server_type == "full_edx_installation" ]]; then
     # Run deploy tasks for the roles selected
     for i in $roles; do
         if [[ ${deploy[$i]} == "true" ]]; then
             cat $extra_vars_file
-            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy
+            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy -v
         fi
     done
 fi

vagrant/base/devstack/Vagrantfile

@@ -52,6 +52,21 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
   config.vm.provision :ansible do |ansible|
     ansible.playbook = "../../../playbooks/vagrant-devstack.yml"
-    ansible.verbose = "extra"
+    ansible.verbose = "vvvv"
+    # set extra-vars here instead of in the vagrant play so that
+    # they are written out to /edx/etc/server-vars.yml which can
+    # be used later when running ansible locally
+    ansible.extra_vars = {
+        migrate_db: 'yes',
+        openid_workaround: true,
+        devstack: true,
+        disable_edx_services: true,
+        edx_platform_version: 'master',
+        mongo_enable_journal: false,
+        EDXAPP_NO_PREREQ_INSTALL: 0,
+        COMMON_MOTD_TEMPLATE: 'devstack_motd.tail.j2',
+        COMMON_SSH_PASSWORD_AUTH: "yes",
+    }
+
   end
 end

vagrant/base/fullstack/Vagrantfile

@@ -7,7 +7,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.box     = "precise64"
   config.vm.box_url = "http://files.vagrantup.com/precise64.box"
   config.ssh.insert_key = true
-
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
   config.vm.network :private_network, ip: "192.168.33.10"
 
   config.vm.provider :virtualbox do |vb|
@@ -28,6 +28,19 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.provision :ansible do |ansible|
     # point Vagrant at the location of your playbook you want to run
     ansible.playbook = "../../../playbooks/vagrant-fullstack.yml"
-    ansible.verbose = "extra"
+    # set extra-vars here instead of in the vagrant play so that
+    # they are written out to /edx/etc/server-vars.yml which can
+    # be used later when running ansible locally
+    ansible.extra_vars = { 
+        ansible_ssh_user: 'vagrant',
+        migrate_db: 'yes',
+        openid_workaround: true,
+        edx_platform_version: 'master',
+        EDXAPP_LMS_NGINX_PORT: '80',
+        EDX_ANSIBLE_DUMP_VARS: true,
+        CERTS_DOWNLOAD_URL: 'http://192.168.33.10:18090',
+        CERTS_VERIFY_URL: 'http://192.168.33.10:18090',
+    }
+    ansible.verbose = "vvvv"
   end
 end