diff --git a/playbooks/debian-once.yml b/playbooks/debian-once.yml
deleted file mode 100644
index 1a59ea0..0000000
--- a/playbooks/debian-once.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: First time host configuration
- hosts: all
- tasks:
- - import_role:
- name: debian-once
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index ca32537..82bcf2a 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,6 +1,5 @@
-vn_witness: false +vn_first_time: false default_user: user -root_password: Pa$$w0rd fail2ban: email: "{{ sysadmin_mail }}" bantime: 600
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 4db5680..ccb64ce 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -1,5 +1,7 @@
 - import_tasks: witness.yml tags: witness +- import_tasks: root.yml + tags: root - import_tasks: resolv.yml tags: resolv - import_tasks: timesync.yml
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
new file mode 100644
index 0000000..a1d4449
--- /dev/null
+++ b/roles/debian-base/tasks/root.yml
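Review bot: Dropping `root_password: Pa$$w0rd` from `roles/debian-base/defaults/main.yaml` removes the hard-coded credential from the live tree but not from history: the value remains readable in this commit and in the deleted `roles/debian-once/defaults/main.yaml`, so hosts provisioned with the old default should be treated as having an exposed root password and rotated, and that expectation is worth stating in the commit description. With the default gone, `root_password` is only defined when `roles/debian-base/tasks/root.yml` generates it, so any other task that still references the variable (none is visible in this diff) would now fail on an undefined variable.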
@@ -0,0 +1,36 @@
+- name: Generate root password
+ when: vn_first_time
+ block:
+ - name: Search root password into Passbolt
+ set_fact:
+ qst: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ ignore_errors: true
+- name: Generate and save root password if not found in Passbolt
+ when: qst is not defined
+ block:
+ - name: Generate a random root password
+ set_fact:
+ root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
+ - name: Save root password into Passbolt
+ set_fact:
+ msg: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ password=root_password,
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ environment:
+ PASSBOLT_CREATE_NEW_RESOURCE: true
+ - name: Change root password
+ user:
+ name: root
+ password: "{{ root_password | password_hash('sha512') }}"
+
diff --git a/roles/debian-base/tasks/ssh.yml b/roles/debian-base/tasks/ssh.yml
index 7afa54a..943c79e 100644
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@@ -3,7 +3,7 @@
 path: "/etc/ssh/ssh_host_{{ item.type }}_key" type: "{{ item.type }}" force: yes - when: vn_witness + when: vn_first_time loop: - { type: 'rsa' } - { type: 'ecdsa' }
diff --git a/roles/debian-base/tasks/witness.yml b/roles/debian-base/tasks/witness.yml
index 75e7179..b5e5dae 100644
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@@ -4,9 +4,9 @@
 register: keys_generated_marker - name: Generate variable if not exists set_fact: - vn_witness: "{{ not keys_generated_marker.stat.exists }}" + vn_first_time: "{{ not keys_generated_marker.stat.exists }}" - name: Create marker file to indicate vn happends file: path: /etc/vn.witness state: touch - when: vn_witness + when: vn_first_time
diff --git a/roles/debian-once/defaults/main.yaml b/roles/debian-once/defaults/main.yaml
deleted file mode 100644
index a0671ab..0000000
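Review bot: The second block, `Generate and save root password if not found in Passbolt`, is guarded only by `when: qst is not defined`, but `qst` is set solely inside the first block, which is skipped whenever `vn_first_time` is false; on every non-first run the guard therefore passes and a fresh random root password is generated, pushed to Passbolt and applied via `user:`, so root credentials rotate on each play rather than once. The guard should read `when: vn_first_time and qst is not defined` (or the not-found case should be handled inside the first block). Separately, the `environment:` keyword on `Save root password into Passbolt` sets variables for module execution on the managed host and, per Ansible's documentation on that keyword, does not affect lookup plugins, which run on the controller, so `PASSBOLT_CREATE_NEW_RESOURCE` is most likely never seen by the lookup; it needs to be set in the controller's process environment or passed as a lookup option if the plugin accepts one, and as an env var it should be the string `"true"` rather than a YAML boolean. The `set_fact` tasks that populate `root_password` and `msg` should also carry `no_log: true`, since their results otherwise surface the plaintext password in verbose output and callback logs. Finally, `ignore_errors: true` on the search task makes a Passbolt outage or authentication failure indistinguishable from "not found", which then drives the generate-and-rotate path.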
--- a/roles/debian-once/defaults/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-root_password: Pa$$w0rd
diff --git a/roles/debian-once/tasks/main.yml b/roles/debian-once/tasks/main.yml
deleted file mode 100644
index e5da03c..0000000
--- a/roles/debian-once/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- import_tasks: root.yml
- tags: root
diff --git a/roles/debian-once/tasks/root.yml b/roles/debian-once/tasks/root.yml
deleted file mode 100644
index ad021ca..0000000
--- a/roles/debian-once/tasks/root.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: Generate a random root password
- set_fact:
- root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
-- name: Save root password into Passbolt
- set_fact:
- msg: >
- {{
- lookup(passbolt, inventory_hostname_short,
- username='root',
- password=root_password,
- uri='ssh://'+hostname_fqdn
- )
- }}
- environment:
- PASSBOLT_CREATE_NEW_RESOURCE: true
-- name: Save the root password to file
- copy:
- content: "{{ root_password }}\n"
- dest: /root/root_password.txt
- owner: root
- group: root
- mode: '0600'
-- name: Change root password
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
diff --git a/roles/debian-qemu/defaults/main.yml b/roles/debian-qemu/defaults/main.yml
index 05ae960..1319b37 100644
--- a/roles/debian-qemu/defaults/main.yml
+++ b/roles/debian-qemu/defaults/main.yml
@@ -1 +1,6 @@
 homes_path: /mnt/homes
+autofs_packages:
+ - nfs-common
+ - autofs
+ - libnfs-utils
+ - autofs-ldap
diff --git a/roles/debian-qemu/tasks/autofs.yml b/roles/debian-qemu/tasks/autofs.yml
index 8701228..b6688cf 100644
--- a/roles/debian-qemu/tasks/autofs.yml
+++ b/roles/debian-qemu/tasks/autofs.yml
@@ -1,12 +1,7 @@
 - name: Install autofs packages apt: - name: "{{ item }}" + name: "{{ autofs_packages }}" state: present - with_items: - - nfs-common - - autofs - - libnfs-utils - - autofs-ldap - name: Create homes directory file: path: "{{ homes_path }}"
@@ -33,6 +28,6 @@
 mode: '0644' notify: restart-autofs - name: Service autofs service - service: + systemd: name: autofs enabled: yes
\ No newline at end of file
diff --git a/roles/debian-qemu/tasks/hotplug.yml b/roles/debian-qemu/tasks/hotplug.yml
index fda87d5..ce51e64 100644
--- a/roles/debian-qemu/tasks/hotplug.yml
+++ b/roles/debian-qemu/tasks/hotplug.yml
@@ -12,5 +12,7 @@
 mode: u=rw,g=r,o=r owner: root group: root + register: grub - name: Generate GRUB configuration command: update-grub + when: grub.changed
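Review bot: `enabled: yes` on the `Service autofs service` task is a YAML 1.1 truthy that survives the `service` → `systemd` swap; `enabled: true` is the canonical form and what ansible-lint expects. Because the file ends on that line (the `\ No newline at end of file` marker applies to both sides), the task only enables the unit and never asserts it is running; adding `state: started` would make it independent of the `restart-autofs` handler, which is the only thing visible here that would start the service. Adding the missing final newline would also stop every future edit to this file from reproducing that marker.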
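Review bot: `when: grub.changed` on `Generate GRUB configuration` reads the result attribute directly; the form Ansible documents is the test `when: grub is changed`. The task that receives the new `register: grub` line starts above the hunk, so its module and name are not visible here. Since this is a "regenerate only when the config changed" pattern, a handler (`notify: update-grub` on the file task, with the `command: update-grub` task moved to `handlers/`) would express it more idiomatically and coalesce multiple triggers into a single run at the end of the play.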