ci: zabbix: Use multiple sudo-pass files

The `zabbix.yml` playbook applies to hosts that are not members of the
*pyrocufflink.blue* domain, and thus have different passwords for
`sudo`. Using the `-e` argument to `ansible-playbook` and specifying a
single Vault-encrypted file that defines the `ansible_become_password`
variable effectively forces Ansible to try to use that password on every
host. This is because variables defined on the command line, or read
from a file specified on the command line, have the highest precedence.

To use different passwords on different hosts, the normal variable
scoping rules have to be used. To that end, one `sudo-pass` file is
created in the `group_vars/pyrocufflink` directory, so it will apply to
all machines that are members of the *pyrocufflink.blue* domain.
Additionally, another `sudo-pass` file is created in the `host_vars/gw0`
directory; it will only apply to the gateway device.

ci/zabbix.jenkinsfile

@@ -17,14 +17,23 @@ pipeline {
                         variable: 'KEYTAB')]) {
                     sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
                 }
+                withCredentials([file(
+                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
+                        variable: 'SUDO_PASS_FILE'
+                )]) {
+                    sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
+                }
+                withCredentials([file(
+                        credentialsId: 'vault-jenkins@gw0',
+                        variable: 'SUDO_PASS_FILE'
+                )]) {
+                    sh 'cp -f "${SUDO_PASS_FILE}" host_vars/gw0/sudo-pass'
+                }
             }
         }
 
         stage('Remount R/W') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
                 ansiblePlaybook \
                     playbook: 'remount.yml',
                     limit: 'zabbix',
@@ -32,38 +41,27 @@ pipeline {
                     vaultCredentialsId: 'ansible-vault',
                     extraVars: [
                         remount_state: 'rw',
-                        ],
-                        extras: '-e@"${SUDO_PASS_FILE}"'
-                }
+                    ]
             }
         }
 
         stage('Zabbix') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
                 ansiblePlaybook \
                     playbook: 'zabbix.yml',
                     become: true,
                     vaultCredentialsId: 'ansible-vault',
-                        extras: '-e@"${SUDO_PASS_FILE}" --diff'
-                }
+                    extras: '--diff'
             }
         }
 
         stage('Remount R/O') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
                 ansiblePlaybook \
                     playbook: 'remount.yml',
                     limit: 'zabbix',
                     become: true,
-                        vaultCredentialsId: 'ansible-vault',
-                        extras: '-e@"${SUDO_PASS_FILE}"'
-                }
+                    vaultCredentialsId: 'ansible-vault'
             }
         }
 
@@ -72,6 +70,7 @@ pipeline {
     post {
         always {
             sh 'kdestroy'
+            sh 'find . -name sudo-pass -delete'
         }
         failure {
             emailext \