From 519cacbbb549525977cc5ed782c30ddcbfad83e3 Mon Sep 17 00:00:00 2001
From: rubenb
Date: Mon, 12 Feb 2024 10:44:48 +0100
Subject: [PATCH] rol and playbook secure grub
---
linux-config-secure-grub.yaml | 12 ++++++++++++
roles/config-secure-grub/handlers/main.yaml | 4 ++++
roles/config-secure-grub/tasks/main.yaml | 13 +++++++++++++
roles/config-secure-grub/vars/main.yaml | 3 +++
4 files changed, 32 insertions(+)
create mode 100644 linux-config-secure-grub.yaml
create mode 100644 roles/config-secure-grub/handlers/main.yaml
create mode 100644 roles/config-secure-grub/tasks/main.yaml
create mode 100644 roles/config-secure-grub/vars/main.yaml
diff --git a/linux-config-secure-grub.yaml b/linux-config-secure-grub.yaml
new file mode 100644
index 0000000..8f826d4
--- /dev/null
+++ b/linux-config-secure-grub.yaml
@@ -0,0 +1,12 @@
+---
+
+- hosts: '{{ ip_addr }}'
+ become: yes
+ become_method: sudo
+ gather_facts: yes
+
+ tasks:
+
+ - name: "[CONFIG SECURE GRUB] configure secure grub"
+ import_role:
+ name: config-secure-grub
diff --git a/roles/config-secure-grub/handlers/main.yaml b/roles/config-secure-grub/handlers/main.yaml
new file mode 100644
index 0000000..8a93e00
--- /dev/null
+++ b/roles/config-secure-grub/handlers/main.yaml
@@ -0,0 +1,4 @@
+---
+# update grub
+- name: grub register
+ command: update-grub
\ No newline at end of file
diff --git a/roles/config-secure-grub/tasks/main.yaml b/roles/config-secure-grub/tasks/main.yaml
new file mode 100644
index 0000000..07b1630
--- /dev/null
+++ b/roles/config-secure-grub/tasks/main.yaml
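Review bot: `become: yes` and `gather_facts: yes` in the play header of `linux-config-secure-grub.yaml` use YAML 1.1 truthy spellings; `become: true` and `gather_facts: true` are the canonical booleans and what yamllint's `truthy` rule accepts. `hosts: '{{ ip_addr }}'` makes the target set of a privileged play depend entirely on an extra variable, so a comment above it stating the expected form (a single host or an inventory group) would help operators avoid running it wider than intended.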
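Review bot: The `grub register` handler in `roles/config-secure-grub/handlers/main.yaml` runs `update-grub`, which is a Debian/Ubuntu wrapper around grub-mkconfig, while the playbook name suggests any Linux host. On a host without that command the handler fails only after `/etc/grub.d/40_custom` has already been edited, leaving the password block written but not applied to the generated config. Either guard it with `when: ansible_os_family == 'Debian'` (the play gathers facts) or replace the `# update grub` comment with `# Debian/Ubuntu only: regenerates /boot/grub/grub.cfg from /etc/grub.d`. The file also ends without a trailing newline.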
@@ -0,0 +1,13 @@
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+# Secure GRUB edition with password
+# paso1 - Proteger grub
+- name: GRUB password boot protection
+ blockinfile:
+ path: /etc/grub.d/40_custom
+ block: |
+ set superusers="{{ user_grub }}"
+ password_pbkdf2 {{ user_grub }} {{ code_grub }}
+ notify: grub register
+ tags:
+ - grub-password
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/roles/config-secure-grub/vars/main.yaml b/roles/config-secure-grub/vars/main.yaml
new file mode 100644
index 0000000..52c9b80
--- /dev/null
+++ b/roles/config-secure-grub/vars/main.yaml
@@ -0,0 +1,3 @@
+---
+user_grub: admin
+code_grub: grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE2229139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA3857B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7
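Review bot: The `blockinfile` task in `roles/config-secure-grub/tasks/main.yaml` writes the PBKDF2 hash into `/etc/grub.d/40_custom` without setting ownership or mode, and that script is normally readable by every local user, so any local account could copy the hash for offline guessing. Add `owner: root`, `group: root` and `mode: '0700'` to the task; the file has to stay executable for grub-mkconfig to run it. Separately, once `superusers` is set GRUB asks for the password on every menu entry not marked `--unrestricted`, so on distributions whose generated entries lack that flag an unattended reboot will stop at the prompt; a comment above the task should say which behaviour is intended. The Spanish comment `# paso1 - Proteger grub` would read better in English next to the line above it, e.g. `# step 1 - protect GRUB`.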
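Review bot: `code_grub` in `roles/config-secure-grub/vars/main.yaml` commits the actual bootloader password hash to the repository, so every host that receives this role shares one GRUB password and anyone with read access to the repo can attempt offline guessing against it. The `10000` field is the PBKDF2 iteration count, which is the grub-mkpasswd-pbkdf2 default and on the low side. Keep the value out of the role by referencing a vaulted variable, e.g. `code_grub: "{{ vault_code_grub }}"` (placeholder name, defined per environment in an Ansible Vault file), and treat the hash in this commit as exposed by rotating the password. Role `vars/` also takes precedence over inventory variables, so `user_grub: admin` would sit better in `defaults/main.yaml` where hosts can override it.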