From 5f7041dfbffaedbe2995a4a2bc8f8dbc607644b7 Mon Sep 17 00:00:00 2001 From: Juan Ferrer Toribio Date: Wed, 2 Oct 2024 13:20:37 +0200 Subject: [PATCH 1/2] refs #8025 Passbolt integration, README improved, ansible vault deleted, EE fixes --- .gitignore | 4 ++- README.md | 67 ++++++++++++++++++++++++++++----------- context/Dockerfile | 19 +++++++++-- execution-environment.yml | 31 +++++++++++++++++- playbooks/debian.yml | 1 - playbooks/passbolt.yml | 5 ++- run-playbook.sh | 13 ++++++++ vault-playbook.sh | 3 -- vault.yml | 26 --------------- 9 files changed, 112 insertions(+), 57 deletions(-) create mode 100755 run-playbook.sh delete mode 100755 vault-playbook.sh delete mode 100644 vault.yml diff --git a/.gitignore b/.gitignore index 6bea6c1..18cb88c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ .vscode/ -.vaultpass +.vault-pass +.vault.yml +.passbolt.yml venv context/_build diff --git a/README.md b/README.md index 86bb730..daf9d4d 100644 --- a/README.md +++ b/README.md @@ -2,24 +2,30 @@ Collection of Ansible playbooks used in the Verdnatura server farm. -## Install Ansible +## Setup Ansible -Instal Ansible on Debian. +Install Ansible on Debian. ``` apt install ansible ``` -Install dependencies. -``` -ansible-galaxy collection install -r collections/requirements.yml -``` - Create Python virtual environment. ``` python3 -m venv venv source venv/bin/activate pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0 pip install -r requirements.txt +deactivate +``` + +Install dependencies. +``` +ansible-galaxy collection install -r collections/requirements.yml +``` + +Before running any Ansible command, activate the Python virtual environment. +``` +source venv/bin/activate ``` ## Run playbook 
@@ -27,30 +33,52 @@ pip install -r requirements.txt Before merging changes into protected branches, playbooks should be tested locally to ensure they work properly. -Launch playbook on the fly on a host not declared in the inventory. +Run playbook on inventory host. ``` -ansible-playbook -i , [-t tag1,tag2] playbooks/test.yml +ansible-playbook -i inventories/lab -l [-t tag1,tag2...] playbooks/ping.yml +``` + +Run playbook on the fly on a host not declared in the inventory. +``` +ansible-playbook -i , playbooks/ping.yml ``` *Note the comma at the end of the hostname or IP.* -## Manage vault +## Manage secrets -To manage Ansible vault place the password into *.vaultpass* file. +Secrets can be managed by using Ansible vault or an external keystore, Passbolt +is used in this case. It is recommended to use an external keystore to avoid +publicly exposing the secrets, even if they are encrypted. -View or edit the vault file. +When running playbooks that use any of the keystores mentioned above, the +*run-playbook.sh* script can be used, it is an ovelay over the original +*ansible-playbook* command which injects the necessary parameters. + +### Ansible vault + +To manage Ansible vault place the encryption password into *.vault-pass* file. + +Manage the vault. ``` -ansible-vault {view,edit} --vault-pass-file .vaultpass vault.yml +ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml ``` -When running playbooks that use the vault the *vault-playbook.sh* script can -be used, it is ovelay over the original *ansible-playbook* command. +> [!CAUTION] +> The files used for the vault must only be used locally and +> under **no** circumstances can they be uploaded to the repository. 
-## Create execution environment +### Passbolt + +Add the necessary environment variables to the *.passbolt.yml* file: + +* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/ + +## Build execution environment for AWX Create an image with *ansible-builder* and upload it to registry. ``` -ansible-builder build --tag ansible-runner:vn1 +ansible-builder build --tag awx-ee:vn1 ``` ## Common playbooks @@ -65,6 +93,7 @@ ansible-builder build --tag ansible-runner:vn1 * https://docs.ansible.com/ansible/latest/reference_appendices/config.html * https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html * https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html -* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt -* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/ +* https://ansible.readthedocs.io/projects/builder/en/latest/ * https://www.ansible.com/blog/introduction-to-ansible-builder/ +* https://github.com/ansible/awx-ee/tree/devel +* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt diff --git a/context/Dockerfile b/context/Dockerfile index c94e222..e21f388 100644 --- a/context/Dockerfile +++ b/context/Dockerfile @@ -1,8 +1,10 @@ -ARG EE_BASE_IMAGE="quay.io/ansible/ansible-runner:latest" -ARG PYCMD="/usr/bin/python3" +ARG EE_BASE_IMAGE="quay.io/centos/centos:stream9" +ARG PYCMD="/usr/bin/python3.12" +ARG PYPKG="python3.12" ARG PKGMGR_PRESERVE_CACHE="" ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS="" ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS="" +ARG ANSIBLE_INSTALL_REFS="ansible-core>=2.17.0 ansible-runner==2.4.0" ARG PKGMGR="/usr/bin/dnf" # Base build stage 
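Review bot: `ARG ANSIBLE_INSTALL_REFS="ansible-core>=2.17.0 ansible-runner==2.4.0"` pins ansible-runner but leaves ansible-core floating, so two builds of the same commit can yield execution-environment images with different ansible-core releases, which defeats reproducible and auditable image builds. The same floating spec appears in execution-environment.yml (`package_pip: ansible-core>=2.17.0`). Pin both to one exact 2.17.x release and bump them deliberately, the way `ansible-runner==2.4.0` already is.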
@@ -11,22 +13,28 @@ USER root ENV PIP_BREAK_SYSTEM_PACKAGES=1 ARG EE_BASE_IMAGE ARG PYCMD +ARG PYPKG ARG PKGMGR_PRESERVE_CACHE ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS +ARG ANSIBLE_INSTALL_REFS ARG PKGMGR COPY _build/scripts/ /output/scripts/ COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint +RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi RUN /output/scripts/pip_install $PYCMD +RUN $PYCMD -m pip install --no-cache-dir $ANSIBLE_INSTALL_REFS # Galaxy build stage FROM base as galaxy ARG EE_BASE_IMAGE ARG PYCMD +ARG PYPKG ARG PKGMGR_PRESERVE_CACHE ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS +ARG ANSIBLE_INSTALL_REFS ARG PKGMGR RUN /output/scripts/check_galaxy @@ -43,9 +51,11 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1 WORKDIR /build ARG EE_BASE_IMAGE ARG PYCMD +ARG PYPKG ARG PKGMGR_PRESERVE_CACHE ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS +ARG ANSIBLE_INSTALL_REFS ARG PKGMGR RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging @@ -53,7 +63,8 @@ RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging COPY --from=galaxy /usr/share/ansible /usr/share/ansible COPY _build/requirements.txt requirements.txt -RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt +COPY _build/bindep.txt bindep.txt +RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt RUN /output/scripts/assemble # Final build stage @@ -61,9 +72,11 @@ FROM base as final ENV PIP_BREAK_SYSTEM_PACKAGES=1 ARG EE_BASE_IMAGE ARG PYCMD +ARG PYPKG ARG PKGMGR_PRESERVE_CACHE ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS +ARG ANSIBLE_INSTALL_REFS ARG PKGMGR RUN /output/scripts/check_ansible $PYCMD 
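Review bot: In the added `RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi` the `;` means a failed `dnf install` does not fail the layer: the RUN's exit status is that of the trailing `if`, so the build continues to `pip_install $PYCMD` without an interpreter and dies later with a less obvious error. Chain the commands and quote the test operand, ``RUN $PKGMGR install -y $PYPKG && if [ -z "$PKGMGR_PRESERVE_CACHE" ]; then $PKGMGR clean all; fi``. The unquoted `[ -z $PKGMGR_PRESERVE_CACHE ]` only works by accident when the variable is empty (`[ -z ]` is true) and breaks on a value containing spaces.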
diff --git a/execution-environment.yml b/execution-environment.yml index f6977c8..92b260c 100644 --- a/execution-environment.yml +++ b/execution-environment.yml @@ -1,4 +1,33 @@ version: 3 +images: + base_image: + name: quay.io/centos/centos:stream9 dependencies: - galaxy: collections/requirements.yml python: requirements.txt + galaxy: collections/requirements.yml + python_interpreter: + package_system: python3.12 + python_path: /usr/bin/python3.12 + ansible_core: + package_pip: ansible-core>=2.17.0 + ansible_runner: + package_pip: ansible-runner==2.4.0 + system: | + git-core [platform:rpm] + python3.11-devel [platform:rpm compile] + libcurl-devel [platform:rpm compile] + krb5-devel [platform:rpm compile] + krb5-workstation [platform:rpm] + subversion [platform:rpm] + subversion [platform:dpkg] + git-lfs [platform:rpm] + sshpass [platform:rpm] + rsync [platform:rpm] + epel-release [platform:rpm] + unzip [platform:rpm] + podman-remote [platform:rpm] + cmake [platform:rpm compile] + gcc [platform:rpm compile] + gcc-c++ [platform:rpm compile] + make [platform:rpm compile] + openssl-devel [platform:rpm compile] diff --git a/playbooks/debian.yml b/playbooks/debian.yml index f1ef67f..ac68e94 100644 --- a/playbooks/debian.yml +++ b/playbooks/debian.yml @@ -1,6 +1,5 @@ - name: Configure base Debian host hosts: all - vars_files: ../vault.yml tasks: - name: Configure virtual machine or host import_role: diff --git a/playbooks/passbolt.yml b/playbooks/passbolt.yml index 792e858..4412a1c 100644 --- a/playbooks/passbolt.yml +++ b/playbooks/passbolt.yml @@ -5,6 +5,5 @@ passbolt: 'anatomicjc.passbolt.passbolt' passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory' tasks: - - name: Print password - debug: - msg: "Variable: {{ lookup(passbolt, 'test') }}" + - debug: + msg: "Password: {{ lookup(passbolt, 'test').password }}" diff --git a/run-playbook.sh b/run-playbook.sh new file mode 100755 index 0000000..825cac0 --- /dev/null +++ b/run-playbook.sh 
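Review bot: The `system:` list installs `python3.11-devel [platform:rpm compile]` while `python_interpreter` selects `python3.12` / `/usr/bin/python3.12`, so any Python C extension compiled in the build stage would presumably get headers for the wrong interpreter or none at all; it looks like a line carried over from the awx-ee reference list linked in the README. Change it to `python3.12-devel [platform:rpm compile]` unless the 3.11 headers are needed for something else. `package_pip: ansible-core>=2.17.0` also leaves the core version floating between builds; pinning it as `ansible-runner==2.4.0` already is keeps the image reproducible.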
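Review bot: `msg: "Password: {{ lookup(passbolt, 'test').password }}"` prints the retrieved secret in clear text to the playbook output, where it stays in terminal scrollback and, once this runs from AWX, in the job logs. If the task only has to prove that the lookup works, report a derived fact instead of the value, e.g. `msg: "Password fetched: {{ (lookup(passbolt, 'test').password | length) > 0 }}"`, or at least add `no_log: true` to the task. The play header with `hosts`/`gather_facts` is outside the hunk.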
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+EXTRA_ARGS=()
+
+if [ -f .passbolt.yml ]; then
+ EXTRA_ARGS+=("--extra-vars" "@.passbolt.yml")
+fi
+if [ -f .vaultpass ]; then
+ EXTRA_ARGS+=("--vault-password-file" ".vaultpass")
+fi
+
+export PYTHONPATH=./venv/lib/python3.12/site-packages/
+ansible-playbook ${EXTRA_ARGS[@]} $@
diff --git a/vault-playbook.sh b/vault-playbook.sh
deleted file mode 100755
index d7e1c89..0000000
--- a/vault-playbook.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-export PYTHONPATH=./venv/lib/python3.12/site-packages/
-ansible-playbook --vault-password-file .vaultpass $@
diff --git a/vault.yml b/vault.yml
deleted file mode 100644
index 25a562e..0000000
--- a/vault.yml
+++ /dev/null
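Review bot: The script tests for `.vaultpass` while this same commit renames the file to `.vault-pass` in .gitignore and in the README (`--vault-pass-file .vault-pass`), so a user following the documented setup never gets the vault password passed to ansible-playbook and every vault-backed play fails at decryption. Change both occurrences: `if [ -f .vault-pass ]; then` and `EXTRA_ARGS+=("--vault-password-file" ".vault-pass")`. The last line should also quote its expansions, `ansible-playbook "${EXTRA_ARGS[@]}" "$@"`, otherwise any argument containing spaces (for example an `-e 'key=some value'`) is word-split before it reaches ansible-playbook.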
@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37396535616365346266643936343463336564303066356131363064633436353763343735666563
-3234623639383039393735346632636163623435313965660a363363386637666261626661336333
-39643436663965383239323435613339323766623630633430343465313038643235636666343938
-3531636532613661650a336631666138306166346363333534613436396565343161623838363132
-30643532636332356630306563336165663266663237326262336533363665653230393332623134
-63626333303134346435666231386361643137636132383236373937636235326132666230306362
-36363136653963366235626239656339663736393636663136656164393031323663623463393438
-63646635343462363332636531323634623930643737333430613666366335303362323764363533
-39336533366466633132383438633063616564623862366263376638323138623363656164343635
-64346437646435383137313162656237303436343839366261633935613735316166376466616635
-61616132626539656633353032663932653730633365633331313330323932653465656634383334
-64633634326462316164316130373334666365643936646634333032326465373131656161646234
-30376135613534303533326133383661353235343034356466333961396237373937353137373735
-32373633396438313133663839373663656139346163386336373265356265613038646633386334
-37353331373332373636346166333639343936633464663335653762386431376632613430363666
-66636139663662633861643733306238646335353664636265623464393163343462326239613662
-63633236326161643838353931646566323236326636376331663463333664636566666462303063
-31303436356164623234346362386633633633623230366366393839376239636533636564666663
-39663034373664663063656561306132383734646263656464626432633963396638363362396664
-37303038373038346536613235333237613435663632656334643334326232396336653035326162
-63663637306531373030643962386339393263653262363037626538386132353363663761363138
-62663532313862396339653364306533326639333139336636343762373038333838313762393431
-34386239303765653930306334393339383234303137346461633231353637326137353964613832
-61353035353539633334333337346665383937346566396438306465336337366661323435616133 -37643932306265633465643430636662653865313661663331316662303861356466 From 6bce31ab19da86bc43fa3c8b7c1ca65a8aa691f2 Mon Sep 17 00:00:00 2001 From: Juan Ferrer Toribio Date: Wed, 2 Oct 2024 13:34:54 +0200 Subject: [PATCH 2/2] refs #8025 Fix: Get NSLCD password from Passbolt --- inventories/group_vars/all.yml | 2 ++ playbooks/passbolt.yml | 3 --- roles/debian-guest/templates/nslcd.conf | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index c53863f..d14f1d3 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -1,4 +1,6 @@ ansible_host: "{{inventory_hostname_short}}.{{host_domain}}" +passbolt: 'anatomicjc.passbolt.passbolt' +passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory' sysadmin_mail: sysadmin@verdnatura.es sysadmin_group: sysadmin smtp_server: smtp.verdnatura.es diff --git a/playbooks/passbolt.yml b/playbooks/passbolt.yml index 4412a1c..698704a 100644 --- a/playbooks/passbolt.yml +++ b/playbooks/passbolt.yml @@ -1,9 +1,6 @@ - name: Fetch passbolt password hosts: all gather_facts: no - vars: - passbolt: 'anatomicjc.passbolt.passbolt' - passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory' tasks: - debug: msg: "Password: {{ lookup(passbolt, 'test').password }}" diff --git a/roles/debian-guest/templates/nslcd.conf b/roles/debian-guest/templates/nslcd.conf index ba36843..a204607 100644 --- a/roles/debian-guest/templates/nslcd.conf +++ b/roles/debian-guest/templates/nslcd.conf @@ -8,7 +8,7 @@ idle_timelimit 60 base {{ ldap_base }} binddn cn=nss,ou=admins,{{ ldap_base }} -bindpw {{ nslcd_password }} +bindpw {{ lookup(passbolt, 'nslcd').password }} pagesize 500 filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }}))
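Review bot: `bindpw {{ lookup(passbolt, 'nslcd').password }}` resolves the LDAP bind password on the controller at render time and writes it in clear text into the rendered nslcd.conf, so the task that renders this template should set a restrictive `owner`/`group`/`mode` (readable only by the account nslcd runs as) and `no_log: true`, since a failing or `--diff` run of that task would otherwise echo the password; that task is outside this hunk, so I cannot confirm it already does. The lookup also relies on the Passbolt environment the controller gets from `.passbolt.yml` through run-playbook.sh; when the same role runs from AWX, that configuration has to be supplied another way, or the template step fails at render time. The template file continues beyond the hunk.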