verdnatura/vn-ansible
verdnatura
/
vn-ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Refactoring grub.cfg generation with new 09_custom_file for unrestricted menu entry selection

This commit is contained in:
Xavi Lleó 2024-10-25 12:01:14 +02:00
parent 4f7d7b7d45
commit d22e1e0ea3
1 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
roles/debian-base/tasks/grub_startup.yml
View File

@ -1,17 +1,24 @@
# Added password protect to grub
# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
# Added password protection to restrict only GRUB editing, leaving menu entries unprotected.
# Added --unrestricted option to 09_make_OS_entries_unrestricted custom template.
# Oficial grub Manual -->> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# Questions -->> http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# Questions -->> https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
# Resolution -->> https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
- name: GRUB edit unrestricted option
copy:
src: 10_linux
dest: /etc/grub.d/10_linux
content: |
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry_id_option="--unrestricted $menuentry_id_option"
dest: /etc/grub.d/09_make_OS_entries_unrestricted
owner: root
group: root
checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
checksum: fed5c365f11a919b857b78207565cf341b86082b
mode: u=rwx,g=rx,o=rx
register: grubedit
register: grubunrestricted
- name: GRUB edit password protection
copy:
content: |
@ -35,4 +42,4 @@
register: grubtime
- name: Generate GRUB configuration
command: update-grub
when: grubedit.changed or grubpass.changed or grubtime.changed
when: grubunrestricted.changed or grubpass.changed or grubtime.changed