refs #8025 Witness improved by using INI file

This commit is contained in:
Juan Ferrer 2024-10-21 07:56:39 +02:00
parent e9f52640ba
commit d53526bf9d
4 changed files with 59 additions and 32 deletions


@ -1,4 +1,5 @@
vn_first_time: false vn_first_time: false
vn_witness_checked: false
default_user: user default_user: user
fail2ban: fail2ban:
email: "{{ sysadmin_mail }}" email: "{{ sysadmin_mail }}"


@ -1,20 +1,27 @@
- name: Search root password in Passbolt - name: Set the root password changed witness variable
when: vn_first_time
ignore_errors: true
set_fact: set_fact:
pb_password: > root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
- when: vn_witness_checked and not root_pass_changed
block:
- name: Search root password in Passbolt
ignore_errors: true
no_log: true
set_fact:
passbolt_password: >
{{ {{
lookup(passbolt, inventory_hostname_short, lookup(passbolt, inventory_hostname_short,
username='root', username='root',
uri='ssh://'+hostname_fqdn uri='ssh://'+hostname_fqdn
) )
}} }}
- when: vn_first_time and pb_password is not defined - when: passbolt_password is not defined
block: block:
- name: Generate a random root password - name: Generate a random root password
no_log: true
set_fact: set_fact:
root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}" root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
- name: Save root password into Passbolt - name: Save root password into Passbolt
no_log: true
set_fact: set_fact:
msg: > msg: >
{{ {{
@ -30,4 +37,9 @@
user: user:
name: root name: root
password: "{{ root_password | password_hash('sha512') }}" password: "{{ root_password | password_hash('sha512') }}"
- name: Set root password generated witness
ini_file:
path: /etc/vn.ini
section: witness
option: root_pass_changed
value: true
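Review bot: The witness value read on the `root_pass_changed:` line comes back from the configparser-backed `from_ini` filter as a string, so `not root_pass_changed` in the block's `when` only works because `set_fact` happens to coerce "True"/"False" strings to booleans in non-native Jinja mode; with `jinja2_native` enabled, or with a hand-edited INI holding `0` or `off`, the condition is evaluated on a non-empty string and the block is silently skipped. Make the coercion explicit with `root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) | bool }}"`, and the same for `ssh_keys_generated` in the SSH keys file. On the `ini_file` task, `value: true` is a YAML boolean that the module stringifies before writing; `value: "true"` keeps the INI content predictable regardless of how the module renders booleans. Separately, `ignore_errors: true` on the Passbolt lookup makes a transport or auth failure indistinguishable from a missing entry, so a transient outage on a not-yet-witnessed host would generate and push a fresh root password; registering the task result and only entering the generation block on a genuine not-found would close that gap, though what the lookup reports on failure is not visible here.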


@ -1,20 +1,29 @@
- name: Generate SSH key pairs - name: Set the SSH keys generated witness variable
set_fact:
ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
- when: vn_witness_checked and not ssh_keys_generated
block:
- name: Generate SSH key pairs
openssh_keypair: openssh_keypair:
path: "/etc/ssh/ssh_host_{{ item.type }}_key" path: "/etc/ssh/ssh_host_{{ item.type }}_key"
type: "{{ item.type }}" type: "{{ item.type }}"
force: yes force: yes
when: vn_first_time
loop: loop:
- { type: 'rsa' } - { type: 'rsa' }
- { type: 'ecdsa' } - { type: 'ecdsa' }
- { type: 'ed25519' } - { type: 'ed25519' }
notify: restart sshd notify: restart sshd
- name: Set SSH keys generated witness
ini_file:
path: /etc/vn.ini
section: witness
option: ssh_keys_generated
value: true
- name: Configure sshd_config settings - name: Configure sshd_config settings
copy: copy:
dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
content: | content: |
# Do not edit this file! Ansible will overwrite it. # Do not edit this file! Ansible will overwrite it.
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
owner: root owner: root
group: root group: root


@ -1,12 +1,17 @@
- name: Check if witness file exists - name: Check if witness INI file exists
stat: stat:
path: /etc/vn.witness path: /etc/vn.ini
register: witness_file register: witness_file
- name: Set the witness variable - name: Set witness related variables
set_fact: set_fact:
vn_first_time: "{{ not witness_file.stat.exists }}" vn_first_time: "{{ not witness_file.stat.exists }}"
- name: Create the witness file if it does not exist vn_witness_checked: true
file: - when: not vn_first_time
path: /etc/vn.witness block:
state: touch - name: Slurp witness INI file
when: vn_first_time slurp:
src: /etc/vn.ini
register: vn_ini_file
- name: Put witness as dictionary into variable
set_fact:
vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"
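Review bot: The witness path changes from `/etc/vn.witness` to `/etc/vn.ini` on the stat task's `path:` line, but nothing in the diff migrates hosts provisioned before this change: such a host has only the old file, so `vn_first_time` becomes true, the slurp block is skipped, `vn_ini` stays undefined and both witness facts fall back to false while `vn_witness_checked` is true, which — as far as these four files show — re-runs host-key generation with `force` and appears to re-run the root-password logic on an already-configured host. A second `stat` on `/etc/vn.witness`, plus a task that writes `/etc/vn.ini` with both witness options set to true when only the old file exists (placed before this slurp block), would preserve the provisioned state; the old file can then be removed in a later run. It is also worth making the first-run case explicit by setting `vn_ini: {}` in the `Set witness related variables` task, so consumers do not depend on an undefined variable being chained through `default(false)`.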