I'd like to deploy my webserver config with copy.
Is there any way to keep the SSL cert private key encrypted, and to decrypt it when the playbook is started?
The reason is that I want to use GitHub's private repositories. But the file will still be in the cloud and one click away from exposure.
Have a look at Ansible Vault.
In short, it's a way to store encrypted YAML files, which can be decrypted directly by Ansible.
You then would run ansible with --ask-vault-pass:
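The setup discussed in this thread, as an added example that is not part of the original answer: a playbook that deploys a vault-encrypted private key with the copy module. The file names, the `webservers` host group, the destination paths and `site.yml` are assumptions.

```yaml
# Added example; file names, host group and paths are assumptions.
#
# One-time, on the workstation, before committing the key:
#   ansible-vault encrypt files/example.com.key
# The committed file then begins with "$ANSIBLE_VAULT;1.1;AES256" and holds
# only ciphertext. The vault password itself is never stored in the repo.
#
# Deploy, prompting for the vault password:
#   ansible-playbook site.yml --ask-vault-pass

- name: Deploy web server TLS material
  hosts: webservers
  become: true
  tasks:
    - name: Install certificate (public, kept in plain text)
      ansible.builtin.copy:
        src: files/example.com.crt
        dest: /etc/ssl/certs/example.com.crt
        owner: root
        group: root
        mode: "0644"

    - name: Install private key (vault-encrypted in the repository)
      ansible.builtin.copy:
        src: files/example.com.key
        dest: /etc/ssl/private/example.com.key
        owner: root
        group: root
        mode: "0600"
        decrypt: true   # the default: copy decrypts vault-encrypted src files
      no_log: true      # keep key material out of task output and logs
```

The key is written decrypted on the target host, so the `0600` mode and root ownership are what protect it there; the vault only protects the copy in the repository.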