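# Password-protect GRUB.
# The shipped 10_linux template adds --unrestricted to the generated Linux
# menu entries, so the default distribution still boots without a password.
# Per the GRUB manual, editing an entry or opening the GRUB console then
# requires a superuser login.
#
# Official GRUB manual:
#   https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# Background:
#   http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
#   https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates

# Replaces the distribution's 10_linux generator with the role's copy.
# NOTE(review): a grub package upgrade may overwrite this file (see the
# askubuntu link above); re-running the role restores it.
- name: GRUB edit unrestricted option
  copy:
    src: 10_linux
    dest: /etc/grub.d/10_linux
    owner: root
    group: root
    # SHA-1 of the source file; the copy module uses it to verify the transfer.
    checksum: 'abff7ebe4b79dbf622ec1431d2a487e7aedc7e49'
    mode: 'u=rwx,g=rx,o=rx'
  register: grubedit

# Writes the superuser name and its password hash into a grub.d snippet.
# `exec tail -n +3 $0` makes the script print its own lines from line 3
# onward, so the two GRUB directives land in grub.cfg unchanged.
# grub_code is presumably the hash printed by grub-mkpasswd-pbkdf2; verify
# where the variable is defined.
- name: GRUB edit password protection
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    # Root-only: the file holds the password hash, which local users could
    # otherwise read and attack offline. update-grub runs as root, so it can
    # still execute the script.
    mode: 'u=rwx,g=,o='
  # Keep the hash out of task output, diffs and logs.
  no_log: true
  register: grubpass

# Drop-in read by update-grub; shortens the boot menu timeout.
- name: Change GRUB_TIMEOUT from 5 to 1
  copy:
    content: |
      GRUB_TIMEOUT=1
    dest: /etc/default/grub.d/timeout.cfg
    owner: root
    group: root
    mode: 'u=rw,g=r,o=r'
  register: grubtime

# Regenerate grub.cfg only when one of the files above changed.
# NOTE(review): grub.cfg will contain the password hash as well; confirm its
# permissions on the target after the first run.
- name: Generate GRUB configuration
  command: update-grub
  when: grubedit.changed or grubpass.changed or grubtime.changed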