Newer versions of ansible no longer require a single top-level temporary
directory per user, as each run creates its own. Combined with the weird
random failures on *dc0.pyrocufflink.blue* that prevent Jenkins from
using Ansible occasionally, it's better to just let Ansible create its
own temporary directory directly in `/var/tmp` and clean up after itself
when it finishes.
Apparently, the `vault_password_file` setting in `ansible.cfg` overrides
the `--vault-password-file` command-line argument, which breaks the
Jenkins `ansiblePlaybook` task.
Many hosts (should) have `/tmp` mounted with the `noexec` flag, which
prevents Ansible modules written there from running. To work around
this, the `remote_tmp` configuration option should be set to a path
under `/var/tmp`, which is not mounted noexec.
Encrypting the vault password with GPG protects the key when stored on
disk and allows it to be accessed non-interactively, as long as the
GnuPG agent is set up correctly.
Dustin