Merge pull request '8025-Configure_grub_startup_machine' (!39) from 8025-Configure_grub_startup_machine into main

Reviewed-on: #39 Reviewed-by: Juan Ferrer <juan@verdnatura.es>
2024-10-25 11:46:23 +00:00 · 2024-10-25 11:46:23 +00:00 · 2aacafb8b9
parent e103e29b96 0e39fe57c2
commit 2aacafb8b9
6 changed files with 51 additions and 10 deletions
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@ -1,5 +1,6 @@
 vn_first_time: false
 vn_witness_checked: false
 grub_user: admin
 default_user: user
 fail2ban:
  email: "{{ sysadmin_mail }}"
--- a/roles/debian-base/tasks/grub_startup.yml
+++ b/roles/debian-base/tasks/grub_startup.yml
@ -0,0 +1,48 @@
 # Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication.
 # Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
 # Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
 # Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
 # Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
 # To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
 - name: GRUB edit unrestricted option
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      # This file provides an easy way to add custom menu entries.  Simply type the
      # menu entries you want to add after this comment.  Be careful not to change
      # the 'exec tail' line above.
      menuentry_id_option="--unrestricted $menuentry_id_option"
    dest: /etc/grub.d/09_make_OS_entries_unrestricted
    owner: root
    group: root
    checksum: fed5c365f11a919b857b78207565cf341b86082b
    mode: u=rwx,g=rx,o=rx
  register: grubunrestricted
 - name: Search grub password in Passbolt
  set_fact:
    grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
 - name: GRUB edit password protection
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
  register: grubpass
 - name: Change GRUB_TIMEOUT from 5 to 1
  copy:
    content: |
      GRUB_TIMEOUT=1
    dest: /etc/default/grub.d/timeout.cfg
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  register: grubtime  
 - name: Generate GRUB configuration
  command: update-grub
  when: grubunrestricted.changed or grubpass.changed or grubtime.changed
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@ -32,3 +32,5 @@
  tags: bacula
 - import_tasks: vn-repo.yml
  tags: vn-repo
 - import_tasks: grub_startup.yml
  tags: grub_startup
--- a/roles/secure-grub/handlers/main.yml
+++ b/roles/secure-grub/handlers/main.yml
@ -1,2 +0,0 @@
 - name: grub-register
  command: update-grub
--- a/roles/secure-grub/tasks/main.yml
+++ b/roles/secure-grub/tasks/main.yml
@ -1,7 +0,0 @@
 - name: GRUB boot password protection
  blockinfile:
    path: /etc/grub.d/40_custom
    block: |
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
  notify: grub-register
--- a/roles/secure-grub/vars/main.yaml
+++ b/roles/secure-grub/vars/main.yaml
@ -1 +0,0 @@
 grub_user: admin
		`@ -1,2 +0,0 @@`
			`- name: grub-register`
			`command: update-grub`