From 593663bf151d9132807152e53f9ec0adb60863cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 25 Oct 2024 12:47:30 +0200
Subject: [PATCH] Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Refactoring grub.cfg passbolt query to retrive grub user password
---
 roles/debian-base/tasks/grub_startup.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml
index 97968a4..a47d03c 100644
--- a/roles/debian-base/tasks/grub_startup.yml
+++ b/roles/debian-base/tasks/grub_startup.yml
@@ -1,9 +1,9 @@
-# Added password protection to restrict only GRUB editing, leaving menu entries unprotected.
-# Added --unrestricted option to 09_make_OS_entries_unrestricted custom template.
-# Oficial grub Manual -->> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
-# Questions -->> http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
-# Questions -->> https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
-# Resolution -->> https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
+# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication.
+# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
+# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
+# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
 - name: GRUB edit unrestricted option
 copy:
 content: |
@@ -19,6 +19,9 @@
 checksum: fed5c365f11a919b857b78207565cf341b86082b
 mode: u=rwx,g=rx,o=rx
 register: grubunrestricted
+- name: Search grub password in Passbolt
+ set_fact:
+ grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
 - name: GRUB edit password protection
 copy:
 content: |
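Review bot: The new `Search grub password in Passbolt` task stores a secret in `grub_code` without `no_log: true`, so the value can appear in verbose run output and in stored AWX job output; add `no_log: true` to this task. The following `GRUB edit password protection` copy task, whose body continues outside the hunk, presumably writes that value and would print it under `--diff`, so it likely needs the same setting. The secret is read from `.description` rather than the password field, and depending on the Passbolt resource type the description may not be stored encrypted, so confirm the resource type or keep the hash in the password field. `passbolt` is passed unquoted as the first `lookup` argument, so it must be a variable holding the plugin name that is defined elsewhere; a short comment saying where would help.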