From bd310a73dfc106173f6f1f8ddc34fe14ef3cec37 Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Mon, 7 Oct 2024 18:39:47 +0200
Subject: [PATCH] refs #8025 Create passbolt password, FQDN fix
---
 inventories/group_vars/all.yml | 4 +++-
 inventories/lab | 1 +
 inventories/servers | 1 +
 playbooks/passbolt.yml | 17 +++++++++++++++--
 requirements.txt | 1 +
 roles/debian-guest/templates/nslcd.conf | 2 +-
 roles/debian-host/tasks/hostname.yml | 2 +-
 roles/debian-once/tasks/root.yml | 20 ++++++++++++++++++--
 8 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml
index d14f1d3..c3a7d52 100644
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@@ -1,4 +1,5 @@
-ansible_host: "{{inventory_hostname_short}}.{{host_domain}}"
+hostname_fqdn: "{{inventory_hostname_short}}.{{host_domain}}"
+ansible_host: "{{hostname_fqdn}}"
 passbolt: 'anatomicjc.passbolt.passbolt'
 passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
 sysadmin_mail: sysadmin@verdnatura.es
@@ -20,3 +21,4 @@ awx_pub_key: >
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzAwWm+IsqZCgMzjdZ7Do3xWtVtoUCpWJpH7KSi2a/H awx@verdnatura.es
+pb_folder: e0d517be-6783-4b97-9742-acaa9b09742f
diff --git a/inventories/lab b/inventories/lab
index 1bcf480..df9bc90 100644
--- a/inventories/lab
+++ b/inventories/lab
@@ -1,5 +1,6 @@
 [all:vars]
 host_domain=lab.verdnatura.es
+pb_servers_folder=7007ba58-99a5-44f9-8808-8160137ce232

 [cephlab]
 cephlab[01:03]
diff --git a/inventories/servers b/inventories/servers
index c8fe2ad..83642c0 100644
--- a/inventories/servers
+++ b/inventories/servers
@@ -1,5 +1,6 @@
 [all:vars]
 host_domain=servers.dc.verdnatura.es
+pb_servers_folder=fe08b909-ee3c-4257-b0b4-e088b16ca379

 [kube_master]
 kube-master[1:5]
diff --git a/playbooks/passbolt.yml b/playbooks/passbolt.yml
index 698704a..0c5e72b 100644
--- a/playbooks/passbolt.yml
+++ b/playbooks/passbolt.yml
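Review bot: `pb_folder: e0d517be-6783-4b97-9742-acaa9b09742f` in the second hunk of `inventories/group_vars/all.yml` is an opaque Passbolt folder id with nothing saying which folder it is, who must have access to it, or why it differs from the per-inventory `pb_servers_folder` added to `inventories/lab` and `inventories/servers`. A comment above each id, for example `# Passbolt folder id for shared service credentials (read by the nslcd template)` and `# Passbolt folder id where per-host root passwords are created`, would spare the next reader a trip to the Passbolt UI; those purposes are inferred from the templates in this patch that consume the ids, so confirm the wording before committing it.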
@@ -1,6 +1,19 @@
-- name: Fetch passbolt password
+- name: Fetch or create passbolt password
 hosts: all
 gather_facts: no
 tasks:
 - debug:
- msg: "Password: {{ lookup(passbolt, 'test').password }}"
+ msg: >
+ {{
+ lookup(passbolt, 'test',
+ username='root',
+ password=pb_password,
+ folder_parent_id=pb_folder
+ )
+ }}
+ vars:
+ pb_password: 'S3cR3tP4$$w0rd'
+ environment:
+ PASSBOLT_CREATE_NEW_RESOURCE: true
+ PASSBOLT_NEW_RESOURCE_PASSWORD_LENGTH: 18
+ PASSBOLT_NEW_RESOURCE_PASSWORD_SPECIAL_CHARS: false
diff --git a/requirements.txt b/requirements.txt
index c0ee91b..a0e207b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 py-passbolt==0.0.18
 cryptography==3.3.2
+passlib==1.7.4
diff --git a/roles/debian-guest/templates/nslcd.conf b/roles/debian-guest/templates/nslcd.conf
index a204607..3f635fe 100644
--- a/roles/debian-guest/templates/nslcd.conf
+++ b/roles/debian-guest/templates/nslcd.conf
@@ -8,7 +8,7 @@ idle_timelimit 60
 base {{ ldap_base }}
 binddn cn=nss,ou=admins,{{ ldap_base }}
-bindpw {{ lookup(passbolt, 'nslcd').password }}
+bindpw {{ lookup(passbolt, 'nslcd', folder_parent_id=pb_folder).password }}
 pagesize 500
 filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }}))
diff --git a/roles/debian-host/tasks/hostname.yml b/roles/debian-host/tasks/hostname.yml
index 799a81f..56522d6 100644
--- a/roles/debian-host/tasks/hostname.yml
+++ b/roles/debian-host/tasks/hostname.yml
@@ -9,4 +9,4 @@
 marker_end: '--- END VN ---'
 marker: "# {mark}"
 block: |
- {{ ansible_default_ipv4.address }} {{ ansible_host }} {{ inventory_hostname_short }}
+ {{ ansible_default_ipv4.address }} {{hostname_fqdn}} {{ inventory_hostname_short }}
diff --git a/roles/debian-once/tasks/root.yml b/roles/debian-once/tasks/root.yml
index 654b2b4..373ea64 100644
--- a/roles/debian-once/tasks/root.yml
+++ b/roles/debian-once/tasks/root.yml
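Review bot: `pb_password: 'S3cR3tP4$$w0rd'` commits a literal password under `vars`, and the `debug` task then prints the whole lookup result, password included, to the play output instead of the `.password` field the removed line showed; if this play is only a smoke test for resource creation, say so in a comment above it, otherwise take the value from a vault variable or `vars_prompt` and add `no_log: true` to the task. The `environment` values `true`, `18` and `false` are parsed as a YAML bool and int rather than strings; environment variables are strings, so quoting them (`PASSBOLT_CREATE_NEW_RESOURCE: "true"`) avoids depending on how the lookup plugin coerces them — worth checking whether the plugin accepts the unquoted forms. Whether `PASSBOLT_NEW_RESOURCE_PASSWORD_LENGTH` still applies when an explicit `password=` is passed is not visible here; a one-line comment stating which one wins would help the next reader.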
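Review bot: The rewritten `block` line in `roles/debian-host/tasks/hostname.yml` mixes the unspaced `{{hostname_fqdn}}` with the spaced `{{ ansible_default_ipv4.address }}` and `{{ inventory_hostname_short }}` on the same line; for consistency write `{{ ansible_default_ipv4.address }} {{ hostname_fqdn }} {{ inventory_hostname_short }}`. The blockinfile task's opening lines are outside the hunk.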
@@ -1,13 +1,29 @@
 - name: Generate a random root password
 set_fact:
- root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
-- name: Save the root password to a file
+ root_password: >
+ {{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}
+- name: Save root password into Passbolt
+ debug:
+ msg: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ password=root_password,
+ uri='ssh://'+hostname_fqdn,
+ folder_parent_id=pb_servers_folder
+ )
+ }}
+ environment:
+ PASSBOLT_CREATE_NEW_RESOURCE: true
+ when: pb_folder is defined
+- name: Save the root password to file
 copy:
 content: "{{ root_password }}\n"
 dest: /root/root_password.txt
 owner: root
 group: root
 mode: '0600'
+ when: pb_folder is not defined
 - name: Change root password
 user:
 name: root
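Review bot: `root_password: >` (the first added line) is a clip-chomped folded scalar, so the fact keeps a trailing newline — Ansible preserves the trailing newline of a templated string — and that newline travels into the Passbolt resource via `password=root_password`, into `/root/root_password.txt`, and presumably into the hash set by the `Change root password` task that continues past the end of the hunk, which would make the recorded password unusable at login; `root_password: >-` (or the original single-line double-quoted form) avoids it. The Passbolt task guards on `when: pb_folder is defined` while its lookup reads `pb_servers_folder`: this commit sets `pb_folder` for every host in `inventories/group_vars/all.yml`, so the guard is always true, the file fallback `when: pb_folder is not defined` can never run, and an inventory without `pb_servers_folder` fails with an undefined variable — both conditions should test `pb_servers_folder`. Separately, the `debug` task echoes the lookup result, clear-text root password included, into the play output and any AWX job log; `no_log: true` on that task still runs the lookup but keeps the secret out of the log.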