From 83110e0dca2abece867cbc39e3a919ea387ec4f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 13:18:45 +0200
Subject: [PATCH 1/6] Refs #8025 Rol debian-base. root task - Move task from debian-once. Removed debian-once role. Added witness control to task ssh flow.
---
 roles/debian-base/defaults/main.yaml | 1 +
 roles/debian-base/tasks/main.yml | 2 ++
 roles/{debian-once => debian-base}/tasks/root.yml | 4 ++++
 roles/debian-once/defaults/main.yaml | 1 -
 roles/debian-once/tasks/main.yml | 2 --
 5 files changed, 7 insertions(+), 3 deletions(-)
 rename roles/{debian-once => debian-base}/tasks/root.yml (90%)
 delete mode 100644 roles/debian-once/defaults/main.yaml
 delete mode 100644 roles/debian-once/tasks/main.yml
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index ca32537..0a92987 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,3 +1,4 @@
+root_password: Pa$$w0rd
 vn_witness: false
 default_user: user
 root_password: Pa$$w0rd
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 4db5680..ccb64ce 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -1,5 +1,7 @@
 - import_tasks: witness.yml
 tags: witness
+- import_tasks: root.yml
+ tags: root
 - import_tasks: resolv.yml
 tags: resolv
 - import_tasks: timesync.yml
diff --git a/roles/debian-once/tasks/root.yml b/roles/debian-base/tasks/root.yml
similarity index 90%
rename from roles/debian-once/tasks/root.yml
rename to roles/debian-base/tasks/root.yml
index ad021ca..b00d8f2 100644
--- a/roles/debian-once/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -13,6 +13,7 @@
 }}
 environment:
 PASSBOLT_CREATE_NEW_RESOURCE: true
+ when: vn_witness
 - name: Save the root password to file
 copy:
 content: "{{ root_password }}\n"
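Review bot: `+root_password: Pa$$w0rd` is inserted at line 1 of defaults/main.yaml while the unchanged fourth line of the same hunk already defines `root_password: Pa$$w0rd`, so the file now carries a duplicate key; YAML loaders take the last value silently and yamllint's key-duplicates rule rejects it. The value itself is a root password committed as a role default, a credential kept in version control rather than supplied at run time. Patch 3 of this series deletes both lines, so the cleanest fix for this commit is not to add the line at all.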
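Review bot: `- import_tasks: root.yml` is placed directly after `witness.yml`, and the witness.yml hunk in patch 5 shows the `/etc/vn.witness` marker being touched inside that file, so the marker is written before any root-password task has run. If root.yml fails or the play is interrupted, the next run computes `vn_witness` as false from the existing marker and the root password is never generated or stored, with no error left to point at the gap. Consider importing the marker-touch task after the last first-run task instead of inside witness.yml, so the marker records completion rather than the start of the first run; the remaining imports of this file are outside the hunk.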
@@ -20,7 +21,10 @@
 owner: root
 group: root
 mode: '0600'
+ when: vn_witness
+ register: local
 - name: Change root password
 user:
 name: root
 password: "{{ root_password | password_hash('sha512') }}"
+ when: local.changed
diff --git a/roles/debian-once/defaults/main.yaml b/roles/debian-once/defaults/main.yaml
deleted file mode 100644
index a0671ab..0000000
--- a/roles/debian-once/defaults/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-root_password: Pa$$w0rd
diff --git a/roles/debian-once/tasks/main.yml b/roles/debian-once/tasks/main.yml
deleted file mode 100644
index e5da03c..0000000
--- a/roles/debian-once/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- import_tasks: root.yml
- tags: root
From df4a8570c61540746ba53ad73b972f2a9cd27ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 14:19:53 +0200
Subject: [PATCH 2/6] Refs #8025: Role debian-qemu. Added autofs and hotplug tasks. Grouped packages to avoid using with_items in autofs installation. Added condition to ensure idempotent changes in GRUB
---
 roles/debian-qemu/defaults/main.yml | 5 +++++
 roles/debian-qemu/tasks/autofs.yml | 9 ++-------
 roles/debian-qemu/tasks/hotplug.yml | 2 ++
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/roles/debian-qemu/defaults/main.yml b/roles/debian-qemu/defaults/main.yml
index 05ae960..1319b37 100644
--- a/roles/debian-qemu/defaults/main.yml
+++ b/roles/debian-qemu/defaults/main.yml
@@ -1 +1,6 @@
 homes_path: /mnt/homes
+autofs_packages:
+ - nfs-common
+ - autofs
+ - libnfs-utils
+ - autofs-ldap
diff --git a/roles/debian-qemu/tasks/autofs.yml b/roles/debian-qemu/tasks/autofs.yml
index 8701228..b6688cf 100644
--- a/roles/debian-qemu/tasks/autofs.yml
+++ b/roles/debian-qemu/tasks/autofs.yml
@@ -1,12 +1,7 @@
 - name: Install autofs packages
 apt:
- name: "{{ item }}"
+ name: "{{ autofs_packages }}"
 state: present
- with_items:
- - nfs-common
- - autofs
- - libnfs-utils
- - autofs-ldap
 - name: Create homes directory
 file:
 path: "{{ homes_path }}"
@@ -33,6 +28,6 @@
 mode: '0644'
 notify: restart-autofs
 - name: Service autofs service
- service:
+ systemd:
 name: autofs
 enabled: yes
\ No newline at end of file
diff --git a/roles/debian-qemu/tasks/hotplug.yml b/roles/debian-qemu/tasks/hotplug.yml
index fda87d5..ce51e64 100644
--- a/roles/debian-qemu/tasks/hotplug.yml
+++ b/roles/debian-qemu/tasks/hotplug.yml
@@ -12,5 +12,7 @@
 mode: u=rw,g=r,o=r
 owner: root
 group: root
+ register: grub
 - name: Generate GRUB configuration
 command: update-grub
+ when: grub.changed
From 3bdadb131953d848fa30492d1e1da9effac91b8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 16:29:38 +0200
Subject: [PATCH 3/6] Refs #8025: Role debian-base. root task. Final fricky things, Galactus mode control passbolt excecptions.
---
 roles/debian-base/defaults/main.yaml | 2 -
 roles/debian-base/tasks/root.yml | 64 +++++++++++++++-------------
 2 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 0a92987..9ab7a53 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,7 +1,5 @@
-root_password: Pa$$w0rd
 vn_witness: false
 default_user: user
-root_password: Pa$$w0rd
 fail2ban:
 email: "{{ sysadmin_mail }}"
 bantime: 600
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index b00d8f2..0f4ce1d 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
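Review bot: `enabled: yes` on the new `systemd` task is a YAML 1.1 truthy literal; write `enabled: true`, and since the task was touched anyway the missing trailing newline (`\ No newline at end of file`) could be fixed in the same commit. The hunk ends at `enabled`, so if nothing follows the task only enables autofs at boot and relies on the `restart-autofs` handler to start it, which fires only when the notifying task changed; if the service is expected to be running after every run, `state: started` makes that explicit.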
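Review bot: `when: grub.changed` on `command: update-grub` gates the regeneration on the file task registered as `grub`, whose header is outside the hunk; this role already expresses the same dependency with a handler (`notify: restart-autofs` in autofs.yml), so `notify: update-grub` on the file task plus a handler running the command would be the consistent form. Either form shares one gap worth a comment on the task: if `update-grub` fails after the file has been written, the next run sees no change and never regenerates the configuration, so recovery needs a manual `update-grub` (or `--force-handlers` in the handler form).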
@@ -1,30 +1,36 @@
-- name: Generate a random root password
- set_fact:
- root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
-- name: Save root password into Passbolt
- set_fact:
- msg: >
- {{
- lookup(passbolt, inventory_hostname_short,
- username='root',
- password=root_password,
- uri='ssh://'+hostname_fqdn
- )
- }}
- environment:
- PASSBOLT_CREATE_NEW_RESOURCE: true
+- name: Generate root password
 when: vn_witness
-- name: Save the root password to file
- copy:
- content: "{{ root_password }}\n"
- dest: /root/root_password.txt
- owner: root
- group: root
- mode: '0600'
- when: vn_witness
- register: local
-- name: Change root password
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
- when: local.changed
+ block:
+ - name: Search root password into Passbolt
+ set_fact:
+ qst: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ ignore_errors: true
+- name: Generate and save root password if not found in Passbolt
+ when: qst is not defined
+ block:
+ - name: Generate a random root password
+ set_fact:
+ root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
+ - name: Save root password into Passbolt
+ set_fact:
+ msg: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ password=root_password,
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ environment:
+ PASSBOLT_CREATE_NEW_RESOURCE: true
+ - name: Change root password
+ user:
+ name: root
+ password: "{{ root_password | password_hash('sha512') }}"
+
From ea761203e72ae30e0d9d938bdd408e267adee1f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 16:30:42 +0200
Subject: [PATCH 4/6] Refs #8025: Role debian-base. Remove debian-once.yaml
---
 playbooks/debian-once.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 playbooks/debian-once.yml
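Review bot: The second block is guarded only by `when: qst is not defined`, but `qst` is set only inside the first block, which is skipped whenever `vn_witness` is false; on every run after the first the guard is therefore true and the block generates a fresh password, creates another Passbolt resource and rotates root, so the guard should read `when: vn_witness and qst is not defined`. `ignore_errors: true` on `Search root password into Passbolt` turns any lookup failure (authentication, network, plugin error) into the same "not found" path with the same rotation, so the search should be registered and only a genuinely missing resource treated as not found; which error the lookup raises for that case is not visible here. When the resource is found nothing applies it to the host, so a reinstalled machine with an existing Passbolt entry keeps whatever root password the installer left, which suggests `Change root password` belongs outside the inner block with `root_password` taken from the lookup result, assuming the lookup returns the secret. None of the tasks carrying `root_password` set `no_log: true`, so the `set_fact` results, and with them the generated password, are printed in verbose controller output; add `no_log: true` to the generate, save and change tasks.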
diff --git a/playbooks/debian-once.yml b/playbooks/debian-once.yml
deleted file mode 100644
index 1a59ea0..0000000
--- a/playbooks/debian-once.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: First time host configuration
- hosts: all
- tasks:
- - import_role:
- name: debian-once
From 513d7d4378aa241b6a86d09679978925f9b87bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 16:36:38 +0200
Subject: [PATCH 5/6] Refs #8025: Role debian-base. Change vn_no_witness
---
 roles/debian-base/defaults/main.yaml | 2 +-
 roles/debian-base/tasks/root.yml | 2 +-
 roles/debian-base/tasks/ssh.yml | 2 +-
 roles/debian-base/tasks/witness.yml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 9ab7a53..e20ded9 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,4 +1,4 @@
-vn_witness: false
+vn_no_witness: false
 default_user: user
 fail2ban:
 email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index 0f4ce1d..96d504c 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -1,5 +1,5 @@
 - name: Generate root password
- when: vn_witness
+ when: vn_no_witness
 block:
 - name: Search root password into Passbolt
 set_fact:
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index 7afa54a..33a3a34 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@@ -3,7 +3,7 @@
 path: "/etc/ssh/ssh_host_{{ item.type }}_key"
 type: "{{ item.type }}"
 force: yes
- when: vn_witness
+ when: vn_no_witness
 loop:
 - { type: 'rsa' }
 - { type: 'ecdsa' }
diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml
index 75e7179..ebeaddf 100644
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@@ -4,9 +4,9 @@
 register: keys_generated_marker
 - name: Generate variable if not exists
 set_fact:
- vn_witness: "{{ not keys_generated_marker.stat.exists }}"
+ vn_no_witness: "{{ not keys_generated_marker.stat.exists }}"
 - name: Create marker file to indicate vn happends
 file:
 path: /etc/vn.witness
 state: touch
- when: vn_witness
+ when: vn_no_witness
From 5e6b7ab7ba399df36a0b0349d4c547d1dd4dd01c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 17 Oct 2024 16:38:52 +0200
Subject: [PATCH 6/6] Refs #8025: Role debian-base. Change vn_no_witness for vn_fisrt_time
---
 roles/debian-base/defaults/main.yaml | 2 +-
 roles/debian-base/tasks/root.yml | 2 +-
 roles/debian-base/tasks/ssh.yml | 2 +-
 roles/debian-base/tasks/witness.yml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index e20ded9..82bcf2a 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,4 +1,4 @@
-vn_no_witness: false
+vn_first_time: false
 default_user: user
 fail2ban:
 email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index 96d504c..a1d4449 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -1,5 +1,5 @@
 - name: Generate root password
- when: vn_no_witness
+ when: vn_first_time
 block:
 - name: Search root password into Passbolt
 set_fact:
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index 33a3a34..943c79e 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@@ -3,7 +3,7 @@
 path: "/etc/ssh/ssh_host_{{ item.type }}_key"
 type: "{{ item.type }}"
 force: yes
- when: vn_no_witness
+ when: vn_first_time
 loop:
 - { type: 'rsa' }
 - { type: 'ecdsa' }
diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml
index ebeaddf..b5e5dae 100644
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@@ -4,9 +4,9 @@
 register: keys_generated_marker
 - name: Generate variable if not exists
 set_fact:
- vn_no_witness: "{{ not keys_generated_marker.stat.exists }}"
+ vn_first_time: "{{ not keys_generated_marker.stat.exists }}"
 - name: Create marker file to indicate vn happends
 file:
 path: /etc/vn.witness
 state: touch
- when: vn_no_witness
+ when: vn_first_time