vn-ansible/roles/debian-base/tasks/grub_startup.yml

# Added password protect to grub
# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
- name: GRUB edit unrestricted option
  copy:
    src: 10_linux
    dest: /etc/grub.d/10_linux
    owner: root
    group: root
    checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
    mode: u=rwx,g=rx,o=rx
  register: grubedit
- name: GRUB edit password protection
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
  register: grubpass
- name: Change GRUB_TIMEOUT from 5 to 1
  copy:
    content: |
      GRUB_TIMEOUT=1
    dest: /etc/default/grub.d/timeout.cfg
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  register: grubtime  
- name: Generate GRUB configuration
  command: update-grub
  when: grubedit.changed or grubpass.changed or grubtime.changed
Refs #8025: Refactor-awx - rol Debian-base - New task grub_startup. Added password to edit and timeout to 1. Default Linux continues boot normally 2024-10-24 14:38:14 +00:00			`# Added password protect to grub`
			`# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution`
			`# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html`
			`# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html`
			`# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates`
			`- name: GRUB edit unrestricted option`
			`copy:`
			`src: 10_linux`
			`dest: /etc/grub.d/10_linux`
			`owner: root`
			`group: root`
			`checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49`
			`mode: u=rwx,g=rx,o=rx`
			`register: grubedit`
			`- name: GRUB edit password protection`
			`copy:`
			`content: \|`
			`#!/bin/sh`
			`exec tail -n +3 $0`
			`set superusers="{{ grub_user }}"`
			`password_pbkdf2 {{ grub_user }} {{ grub_code }}`
			`dest: /etc/grub.d/00_before`
			`owner: root`
			`group: root`
			`mode: u=rwx,g=rx,o=rx`
			`register: grubpass`
			`- name: Change GRUB_TIMEOUT from 5 to 1`
			`copy:`
			`content: \|`
			`GRUB_TIMEOUT=1`
			`dest: /etc/default/grub.d/timeout.cfg`
			`owner: root`
			`group: root`
			`mode: u=rw,g=r,o=r`
			`register: grubtime`
			`- name: Generate GRUB configuration`
			`command: update-grub`
			`when: grubedit.changed or grubpass.changed or grubtime.changed`