From d53526bf9dd60c8290ade27c3fbd25fa0cb7a6b7 Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Mon, 21 Oct 2024 07:56:39 +0200
Subject: [PATCH 1/2] refs #8025 Witness improved by using INI file
---
 roles/debian-base/defaults/main.yaml | 1 +
 roles/debian-base/tasks/root.yml | 36 ++++++++++++++++++----------
 roles/debian-base/tasks/ssh.yml | 33 +++++++++++++++----------
 roles/debian-base/tasks/witness.yml | 21 +++++++++-------
 4 files changed, 59 insertions(+), 32 deletions(-)
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 82bcf2a..2ea9091 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,4 +1,5 @@
 vn_first_time: false
+vn_witness_checked: false
 default_user: user
 fail2ban:
 email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index af90446..8cf1595 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -1,20 +1,27 @@
-- name: Search root password in Passbolt
- when: vn_first_time
- ignore_errors: true
+- name: Set the root password changed witness variable
 set_fact:
- pb_password: > {{ lookup(passbolt, inventory_hostname_short, username='root', uri='ssh://'+hostname_fqdn ) }}
-- when: vn_first_time and pb_password is not defined
 block:
+ - name: Search root password in Passbolt
+ ignore_errors: true
+ no_log: true
+ set_fact:
+ passbolt_password: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ - when: passbolt_password is not defined block:
 - name: Generate a random root password
+ no_log: true
 set_fact:
 root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
 - name: Save root password into Passbolt
+ no_log: true
 set_fact:
 msg: >
 {{ 
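Review bot: `root_pass_changed` is read back from `/etc/vn.ini` as text (`community.general.from_ini` yields configparser-style string values), so the `not root_pass_changed` gate on the new block only tests string truthiness: a `false` or `False` written by hand into the INI file is a non-empty string and suppresses the rotation exactly like `True` does. Cast it where the fact is set, `root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) | bool }}"`. On a fresh host `vn_ini` is never defined (witness.yml only slurps an existing file), so this task relies on `default(false)` absorbing an undefined chained attribute; that works with Ansible's undefined type as far as I can tell, but it is worth confirming on the Ansible version in use rather than assuming it. The block this hunk opens continues past the end of the hunk.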
@@ -30,4 +37,9 @@
 user:
 name: root
 password: "{{ root_password | password_hash('sha512') }}"
-
+ - name: Set root password generated witness
+ ini_file:
+ path: /etc/vn.ini
+ section: witness
+ option: root_pass_changed
+ value: true
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index 943c79e..580eeea 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@@ -1,20 +1,29 @@
-- name: Generate SSH key pairs
- openssh_keypair:
- path: "/etc/ssh/ssh_host_{{ item.type }}_key"
- type: "{{ item.type }}"
- force: yes
- when: vn_first_time
- loop:
- - { type: 'rsa' }
- - { type: 'ecdsa' }
- - { type: 'ed25519' }
- notify: restart sshd
+- name: Set the SSH keys generated witness variable
+ set_fact:
+ ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
+- when: vn_witness_checked and not ssh_keys_generated
+ block:
+ - name: Generate SSH key pairs
+ openssh_keypair:
+ path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+ type: "{{ item.type }}"
+ force: yes
+ loop:
+ - { type: 'rsa' }
+ - { type: 'ecdsa' }
+ - { type: 'ed25519' }
+ notify: restart sshd
+ - name: Set SSH keys generated witness
+ ini_file:
+ path: /etc/vn.ini
+ section: witness
+ option: ssh_keys_generated
+ value: true
 - name: Configure sshd_config settings
 copy:
 dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
 content: |
 # Do not edit this file! Ansible will overwrite it.
-
 ListenAddress 0.0.0.0
 owner: root
 group: root
diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml
index 9c50ccd..32fb644 100644
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
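Review bot: The `root_pass_changed` witness is written unconditionally right after the `user` task, so if the task that actually stores the password in Passbolt (presumably between this hunk and the previous one; only the `set_fact: msg` preparing it is visible) fails or is skipped, the fresh random password is applied to root, recorded nowhere, and the witness then prevents it from ever being regenerated — a permanent root lockout with no recovery path. Gate the witness on the save result, e.g. `register` the Passbolt write and put `when: <registered result> is succeeded` on the `Set root password generated witness` task, or let a failed save abort the play before `user` runs. Since this file now decides whether root's password is ever rotated, creating it with explicit ownership would also be prudent: `owner: root`, `group: root`, `mode: "0644"` on the ini_file task. The block containing these tasks starts outside the hunk.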
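Review bot: `notify: restart sshd` only queues the handler, while the `ssh_keys_generated` witness is recorded immediately after the host keys are regenerated with `force: yes`; if the play fails or is interrupted before handlers run, sshd keeps serving the old host keys from memory, the new keys sit unused on disk, and on the next run the block is skipped because the witness is already set, so the handler never fires. Add `- meta: flush_handlers` between the `Generate SSH key pairs` task and the `Set SSH keys generated witness` task so the restart happens before the witness is written. The same string-truthiness caveat applies here as for the root witness: values read back through `from_ini` are text, so the set_fact should cast, `ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) | bool }}"`. `force: yes` could become `force: true` to match the `true`/`false` style used elsewhere in the role.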
@@ -1,12 +1,17 @@
-- name: Check if witness file exists
+- name: Check if witness INI file exists
 stat:
- path: /etc/vn.witness
+ path: /etc/vn.ini
 register: witness_file
-- name: Set the witness variable
+- name: Set witness related variables
 set_fact:
 vn_first_time: "{{ not witness_file.stat.exists }}"
-- name: Create the witness file if it does not exist
- file:
- path: /etc/vn.witness
- state: touch
- when: vn_first_time
+ vn_witness_checked: true
+- when: not vn_first_time
+ block:
+ - name: Slurp witness INI file
+ slurp:
+ src: /etc/vn.ini
+ register: vn_ini_file
+ - name: Put witness as dictionary into variable
+ set_fact:
+ vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"
From 69a5dc586287d71a774cbec9b088b81c4dec0c1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Mon, 21 Oct 2024 10:40:42 +0200
Subject: [PATCH 2/2] Refs #8025: Rol Debian-base - task root - No log true in block
---
 roles/debian-base/tasks/root.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index 8cf1595..eccf51d 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -2,10 +2,10 @@
 set_fact:
 root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
 - when: vn_witness_checked and not root_pass_changed
- block:
+ no_log: true
+ block:
 - name: Search root password in Passbolt
 ignore_errors: true
- no_log: true
 set_fact:
 passbolt_password: >
 {{
@@ -17,11 +17,9 @@
 - when: passbolt_password is not defined
 block:
 - name: Generate a random root password
- no_log: true
 set_fact:
 root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
 - name: Save root password into Passbolt
- no_log: true
 set_fact:
 msg: >
 {{
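Review bot: `vn_ini` is only defined inside the `not vn_first_time` block, so on a fresh host every consumer of `vn_ini.witness.*` (root.yml and ssh.yml in this patch) dereferences an undefined variable and depends on their `default()` filters swallowing it. Define it on the first-time path too by adding `vn_ini: {}` to the `Set witness related variables` set_fact (the slurp-backed set_fact overrides it whenever the file exists), so the witness lookups always have a real mapping to read. Note also that the removed task used to create the witness file on the first run, whereas the new code never creates `/etc/vn.ini` here; a host stays "first time" until one of the ini_file writers elsewhere in the role creates the file, which deserves a comment above `Check if witness INI file exists` saying the file is created lazily by those writers.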
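Review bot: Moving `no_log: true` onto the block while the Passbolt lookup keeps `ignore_errors: true` makes a failed lookup both ignored and invisible: the operator cannot tell whether Passbolt had no entry for the host or was simply unreachable, and in both cases the fallback path goes on to generate and install a fresh root password. Register the lookup (`register: passbolt_lookup`) and add a `debug` task inside the block with an explicit `no_log: false` and a non-secret message such as `msg: "Passbolt lookup for root@{{ hostname_fqdn }} failed"` under `when: passbolt_lookup is failed`, so outages are distinguishable from genuinely missing entries before a new password is set. Block-level `no_log` is otherwise the right call here, as it also covers the `user` task's password hash; the block continues past the end of the hunk.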