Merge pull request 'refs #8025 Witness improved by using INI file' (!35) from 8025-witnessImprove into main

Reviewed-on: #35 Reviewed-by: Xavi Lleó <xavi@verdnatura.es>
2024-10-21 08:44:09 +00:00 · 2024-10-21 08:44:09 +00:00 · e17c76fb8d
parent e9f52640ba 69a5dc5862
commit e17c76fb8d
4 changed files with 58 additions and 33 deletions
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@ -1,4 +1,5 @@
 vn_first_time: false
 vn_witness_checked: false
 default_user: user
 fail2ban:
  email: "{{ sysadmin_mail }}"
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@ -1,16 +1,21 @@
- name: Search root password in Passbolt
+- name: Set the root password changed witness variable
  when: vn_first_time
  ignore_errors: true
  set_fact:
-    pb_password: >
+    root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
-      {{
+- when: vn_witness_checked and not root_pass_changed
-        lookup(passbolt, inventory_hostname_short,
+  no_log: true
-          username='root',
+  block:  
-          uri='ssh://'+hostname_fqdn
+  - name: Search root password in Passbolt
-        )
+    ignore_errors: true
-      }}
+    set_fact:
- when: vn_first_time and pb_password is not defined
+      passbolt_password: >
-  block:
+        {{
          lookup(passbolt, inventory_hostname_short,
            username='root',
            uri='ssh://'+hostname_fqdn
          )
        }}
  - when: passbolt_password is not defined
    block:
    - name: Generate a random root password
      set_fact:
        root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
@ -30,4 +35,9 @@
      user:
        name: root
        password: "{{ root_password | password_hash('sha512') }}"
-
+  - name: Set root password generated witness
    ini_file:
      path: /etc/vn.ini
      section: witness
      option: root_pass_changed
      value: true
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@ -1,20 +1,29 @@
- name: Generate SSH key pairs
+- name: Set the SSH keys generated witness variable
-  openssh_keypair:
+  set_fact:
-    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+    ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
-    type: "{{ item.type }}"
+- when: vn_witness_checked and not ssh_keys_generated
-    force: yes
+  block:
-  when: vn_first_time
+  - name: Generate SSH key pairs
-  loop:
+    openssh_keypair:
-    - { type: 'rsa' }
+      path: "/etc/ssh/ssh_host_{{ item.type }}_key"
-    - { type: 'ecdsa' }
+      type: "{{ item.type }}"
-    - { type: 'ed25519' }
+      force: yes
-  notify: restart sshd
+    loop:
      - { type: 'rsa' }
      - { type: 'ecdsa' }
      - { type: 'ed25519' }
    notify: restart sshd
  - name: Set SSH keys generated witness
    ini_file:
      path: /etc/vn.ini
      section: witness
      option: ssh_keys_generated
      value: true
 - name: Configure sshd_config settings
  copy:
    dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
    content: |
      # Do not edit this file! Ansible will overwrite it.
      ListenAddress 0.0.0.0
    owner: root
    group: root
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@ -1,12 +1,17 @@
- name: Check if witness file exists
+- name: Check if witness INI file exists
  stat:
-    path: /etc/vn.witness
+    path: /etc/vn.ini
  register: witness_file
- name: Set the witness variable
+- name: Set witness related variables
  set_fact:
    vn_first_time: "{{ not witness_file.stat.exists }}"
- name: Create the witness file if it does not exist
+    vn_witness_checked: true
-  file:
+- when: not vn_first_time
-    path: /etc/vn.witness
+  block:
-    state: touch
+  - name: Slurp witness INI file
-  when: vn_first_time
+    slurp:
      src: /etc/vn.ini
    register: vn_ini_file
  - name: Put witness as dictionary into variable
    set_fact:
      vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"