2024-10-21 08:44:09 +00:00
4 changed files with 58 additions and 33 deletions
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@ -1,4 +1,5 @@
 vn_first_time: false
+vn_witness_checked: false
 default_user: user
 fail2ban:
  email: "{{ sysadmin_mail }}"
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@ -1,16 +1,21 @@
- name: Search root password in Passbolt
-  when: vn_first_time
-  ignore_errors: true
+- name: Set the root password changed witness variable
  set_fact:
-    pb_password: >
-      {{
-        lookup(passbolt, inventory_hostname_short,
-          username='root',
-          uri='ssh://'+hostname_fqdn
-        )
-      }}
- when: vn_first_time and pb_password is not defined
-  block:
+    root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}"
+- when: vn_witness_checked and not root_pass_changed
+  no_log: true
+  block:  
+  - name: Search root password in Passbolt
+    ignore_errors: true
+    set_fact:
+      passbolt_password: >
+        {{
+          lookup(passbolt, inventory_hostname_short,
+            username='root',
+            uri='ssh://'+hostname_fqdn
+          )
+        }}
+  - when: passbolt_password is not defined
+    block:
    - name: Generate a random root password
      set_fact:
        root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
@ -30,4 +35,9 @@
      user:
        name: root
        password: "{{ root_password | password_hash('sha512') }}"
-
+  - name: Set root password generated witness
+    ini_file:
+      path: /etc/vn.ini
+      section: witness
+      option: root_pass_changed
+      value: true
--- a/roles/debian-base/tasks/ssh.yml
+++ b/roles/debian-base/tasks/ssh.yml
@ -1,20 +1,29 @@
- name: Generate SSH key pairs
-  openssh_keypair:
-    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
-    type: "{{ item.type }}"
-    force: yes
-  when: vn_first_time
-  loop:
-    - { type: 'rsa' }
-    - { type: 'ecdsa' }
-    - { type: 'ed25519' }
-  notify: restart sshd
+- name: Set the SSH keys generated witness variable
+  set_fact:
+    ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
+- when: vn_witness_checked and not ssh_keys_generated
+  block:
+  - name: Generate SSH key pairs
+    openssh_keypair:
+      path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+      type: "{{ item.type }}"
+      force: yes
+    loop:
+      - { type: 'rsa' }
+      - { type: 'ecdsa' }
+      - { type: 'ed25519' }
+    notify: restart sshd
+  - name: Set SSH keys generated witness
+    ini_file:
+      path: /etc/vn.ini
+      section: witness
+      option: ssh_keys_generated
+      value: true
 - name: Configure sshd_config settings
  copy:
    dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
    content: |
      # Do not edit this file! Ansible will overwrite it.
-
      ListenAddress 0.0.0.0
    owner: root
    group: root
--- a/roles/debian-base/tasks/witness.yml
+++ b/roles/debian-base/tasks/witness.yml
@ -1,12 +1,17 @@
- name: Check if witness file exists
+- name: Check if witness INI file exists
  stat:
-    path: /etc/vn.witness
+    path: /etc/vn.ini
  register: witness_file
- name: Set the witness variable
+- name: Set witness related variables
  set_fact:
    vn_first_time: "{{ not witness_file.stat.exists }}"
- name: Create the witness file if it does not exist
-  file:
-    path: /etc/vn.witness
-    state: touch
-  when: vn_first_time
+    vn_witness_checked: true
+- when: not vn_first_time
+  block:
+  - name: Slurp witness INI file
+    slurp:
+      src: /etc/vn.ini
+    register: vn_ini_file
+  - name: Put witness as dictionary into variable
+    set_fact:
+      vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}"