diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 82bcf2a..2ea9091 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,4 +1,5 @@
 vn_first_time: false
+vn_witness_checked: false
 default_user: user
 fail2ban:
 email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index af90446..eccf51d 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -1,16 +1,21 @@
-- name: Search root password in Passbolt
- when: vn_first_time
- ignore_errors: true
+- name: Set the root password changed witness variable
 set_fact:
- pb_password: >
- {{
- lookup(passbolt, inventory_hostname_short,
- username='root',
- uri='ssh://'+hostname_fqdn
- )
- }}
-- when: vn_first_time and pb_password is not defined
- block:
+ root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
+- when: vn_witness_checked and not root_pass_changed
+ no_log: true
+ block:
+ - name: Search root password in Passbolt
+ ignore_errors: true
+ set_fact:
+ passbolt_password: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ - when: passbolt_password is not defined
+ block:
 - name: Generate a random root password
 set_fact:
 root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
@@ -30,4 +35,9 @@
 user:
 name: root
 password: "{{ root_password | password_hash('sha512') }}"
-
+ - name: Set root password generated witness
+ ini_file:
+ path: /etc/vn.ini
+ section: witness
+ option: root_pass_changed
+ value: true
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index 943c79e..580eeea 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
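Review bot: With `no_log: true` now covering the whole block, the `ignore_errors: true` on `Search root password in Passbolt` turns any lookup failure — unreachable Passbolt server, expired credentials, a plugin error — into a silently undefined `passbolt_password`, and the inner block then generates a fresh random root password exactly as if Passbolt had no entry, with the reason hidden from the log. The old task had the same fall-through but at least printed the error; the new arrangement can re-key root on a host whose password is still recorded in Passbolt and leaves no trace of why. Consider registering the lookup result and only falling through on a genuine "not found", or at minimum add a comment on the `ignore_errors` line such as `# Any lookup failure (not only a missing entry) falls through to generating a new password; no_log hides the reason`. New-file lines 22–34, where a found password is presumably applied, lie outside this hunk.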
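Review bot: The nesting level of `Set root password generated witness` is not recoverable from the hunk, and it decides the behaviour: inside the `passbolt_password is not defined` branch, a host whose password was found in Passbolt never gets `root_pass_changed` written and repeats the lookup (and the `no_log` block) on every run; in the outer block, the witness is also written on the Passbolt path. A one-line comment above the task stating which case is intended, e.g. `# Written after either branch: once set, the Passbolt lookup is skipped on later runs`, would remove the ambiguity for the next reader. Note also that `ini_file` stores the YAML boolean `true` as text and `from_ini` reads it back as a string, so the `not root_pass_changed` gate depends on that string being coerced to a boolean downstream; writing `value: "true"` makes the stored form explicit and matches the string the filter returns.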
@@ -1,20 +1,29 @@ -- name: Generate SSH key pairs - openssh_keypair: - path: "/etc/ssh/ssh_host_{{ item.type }}_key" - type: "{{ item.type }}" - force: yes - when: vn_first_time - loop: - - { type: 'rsa' } - - { type: 'ecdsa' } - - { type: 'ed25519' } - notify: restart sshd +- name: Set the SSH keys generated witness variable + set_fact: + ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}" +- when: vn_witness_checked and not ssh_keys_generated + block: + - name: Generate SSH key pairs + openssh_keypair: + path: "/etc/ssh/ssh_host_{{ item.type }}_key" + type: "{{ item.type }}" + force: yes + loop: + - { type: 'rsa' } + - { type: 'ecdsa' } + - { type: 'ed25519' } + notify: restart sshd + - name: Set SSH keys generated witness + ini_file: + path: /etc/vn.ini + section: witness + option: ssh_keys_generated + value: true - name: Configure sshd_config settings copy: dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf content: | # Do not edit this file! Ansible will overwrite it. - ListenAddress 0.0.0.0 owner: root group: root diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml index 9c50ccd..32fb644 100644 --- a/roles/debian-base/tasks/witness.yml +++ b/roles/debian-base/tasks/witness.yml @@ -1,12 +1,17 @@ -- name: Check if witness file exists +- name: Check if witness INI file exists stat: - path: /etc/vn.witness + path: /etc/vn.ini register: witness_file -- name: Set the witness variable +- name: Set witness related variables set_fact: vn_first_time: "{{ not witness_file.stat.exists }}" -- name: Create the witness file if it does not exist - file: - path: /etc/vn.witness - state: touch - when: vn_first_time + vn_witness_checked: true +- when: not vn_first_time + block: + - name: Slurp witness INI file + slurp: + src: /etc/vn.ini + register: vn_ini_file + - name: Put witness as dictionary into variable + set_fact: + vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"
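Review bot: `force: yes` inside the witness-gated block means that losing `/etc/vn.ini`, its `[witness]` section or the `ssh_keys_generated` key regenerates all three host keys, which changes the server's SSH identity and breaks `known_hosts` on every client — a heavier consequence than with the old touch-file marker, now that the INI file is rewritten by several tasks. Add a comment above the block, e.g. `# Generates host keys once; removing the witness entry re-keys the host and invalidates known_hosts on every client`, and write the flag as `force: true` to match the booleans elsewhere in these files (yamllint truthy). Whether the removed line after `# Do not edit this file!` is the blank line or `ListenAddress 0.0.0.0` cannot be read from the collapsed hunk; if it is the latter, `vn-listenipv4.conf` no longer restricts sshd to IPv4 and that should be called out in the commit message.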
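Review bot: Removing the `state: touch` task leaves this role with no unconditional writer of `/etc/vn.ini`; the file is now created lazily by the `ini_file` witness tasks in root.yml and ssh.yml, so `vn_first_time` stays true on every run until one of them writes a key, and any other task still gated on `vn_first_time` will repeat until then. If that is the intended semantic, state it in a comment on `Set witness related variables`, e.g. `# /etc/vn.ini is created by the ini_file witness tasks; vn_first_time stays true until the first one writes a key`. The `slurp` + `community.general.from_ini` pair may also fail the play on a malformed or partially written file, and `from_ini` requires a community.general release that ships that filter, which is worth pinning in the collection requirements.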