From d22e1e0ea376fe0d5f951a63da625e7fcee8307c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 25 Oct 2024 12:01:14 +0200
Subject: [PATCH] Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Refactoring grub.cfg generation with new 09_custom_file for unrestricted menu entry selection

---
 roles/debian-base/tasks/grub_startup.yml | 27 +++++++++++++++---------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml
index ae44e49..97968a4 100644
--- a/roles/debian-base/tasks/grub_startup.yml
+++ b/roles/debian-base/tasks/grub_startup.yml
@@ -1,17 +1,24 @@
-# Added password protect to grub
-# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
-# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
-# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
-# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+# Added password protection to restrict only GRUB editing, leaving menu entries unprotected.
+# Added --unrestricted option to 09_make_OS_entries_unrestricted custom template.
+# Oficial grub Manual -->> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# Questions -->> http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# Questions -->> https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+# Resolution -->> https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
 - name: GRUB edit unrestricted option
 copy:
- src: 10_linux
- dest: /etc/grub.d/10_linux
+ content: |
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry_id_option="--unrestricted $menuentry_id_option"
+ dest: /etc/grub.d/09_make_OS_entries_unrestricted
 owner: root
 group: root
- checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
+ checksum: fed5c365f11a919b857b78207565cf341b86082b
 mode: u=rwx,g=rx,o=rx
- register: grubedit
+ register: grubunrestricted
 - name: GRUB edit password protection
 copy:
 content: |
@@ -35,4 +42,4 @@
 register: grubtime
 - name: Generate GRUB configuration
 command: update-grub
- when: grubedit.changed or grubpass.changed or grubtime.changed
+ when: grubunrestricted.changed or grubpass.changed or grubtime.changed
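Review bot: Nothing in the first hunk undoes what the previous version of the "GRUB edit unrestricted option" task did; judging from the removed `src: 10_linux` / `dest: /etc/grub.d/10_linux` lines it overwrote the distribution's 10_linux, so hosts that already ran the role will keep that customized copy next to the new 09_ script, and the role should either restore the packaged 10_linux or the task header comment should state that this cleanup is manual. The `menuentry_id_option="--unrestricted $menuentry_id_option"` line is emitted into grub.cfg and applies to every menu entry generated after it, which presumably also covers the recovery-mode entries 10_linux produces and any 30_os-prober entries, so a comment such as `# NOTE: all later entries, including recovery mode, become bootable without a password; set GRUB_DISABLE_RECOVERY in /etc/default/grub if that is not wanted` would make the security scope explicit. The `checksum:` value is now the SHA-1 of the inline `content:` block, so any later edit to that block (even trailing whitespace) must be followed by recomputing it or the copy task will fail. Also, `Oficial` in the header comment should read `Official`.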