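# Enable GRUB password protection so that only editing an entry or dropping to
# the GRUB shell ('e' / 'c') requires authentication, while the generated menu
# entries remain bootable without a password.
# The custom 09_make_OS_entries_unrestricted template prepends --unrestricted to
# $menuentry_id_option, which the later /etc/grub.d scripts use when they emit
# their menuentry lines.
#
# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
# To generate a GRUB password hash, use grub-mkpasswd-pbkdf2 (see --help); the
# resulting "grub.pbkdf2.sha512.<iterations>.<salt>.<hash>" string is what is
# stored in Passbolt and rendered into 00_before below.
#
# NOTE(review): because --unrestricted is applied to every entry generated after
# 09_*, this presumably also covers recovery-mode entries; if an unauthenticated
# recovery boot is not acceptable, keep those entries protected (e.g. via
# GRUB_DISABLE_RECOVERY) — confirm against the generated /boot/grub/grub.cfg.

- name: GRUB edit unrestricted option
  # Sourced by grub-mkconfig before 10_linux & co. Contains no secret, so the
  # usual 0755 of /etc/grub.d scripts is fine here.
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      # This file provides an easy way to add custom menu entries. Simply type the
      # menu entries you want to add after this comment. Be careful not to change
      # the 'exec tail' line above.
      menuentry_id_option="--unrestricted $menuentry_id_option"
    dest: /etc/grub.d/09_make_OS_entries_unrestricted
    owner: root
    group: root
    # SHA-1 the copy module validates the transferred content against; keep it in
    # sync with the content block above whenever that block is edited.
    checksum: fed5c365f11a919b857b78207565cf341b86082b
    mode: u=rwx,g=rx,o=rx
  register: grubunrestricted

- name: Search grub password in Passbolt
  # The PBKDF2 hash is a secret (it can be brute-forced offline); keep it out of
  # the task output.
  no_log: true
  set_fact:
    # NOTE(review): `passbolt` is unquoted, so Jinja resolves it as a variable
    # (presumably holding the lookup plugin's FQCN) rather than as the literal
    # plugin name — confirm it is defined in the play's vars.
    grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"

- name: Validate the GRUB password hash before baking it into the bootloader
  # An empty or garbled value would still yield a syntactically valid 00_before
  # and grub.cfg, but leave no working superuser password; fail early instead.
  # The assertion output echoes the expression, not the value of grub_code.
  assert:
    that:
      - grub_code is string
      - grub_code is match('^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$')
    fail_msg: "grub_code does not look like a grub-mkpasswd-pbkdf2 hash"

- name: GRUB edit password protection
  # The rendered content embeds the password hash: hide it from task output and
  # --diff, and make the file readable by root only. grub-mkconfig runs as root,
  # so 0700 is sufficient for an /etc/grub.d script.
  no_log: true
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    mode: "0700"
  register: grubpass

- name: Change GRUB_TIMEOUT from 5 to 1
  # Drop-in for /etc/default/grub; shortens the menu timeout without editing the
  # packaged file. No secret, so world-readable is fine.
  copy:
    content: |
      GRUB_TIMEOUT=1
    dest: /etc/default/grub.d/timeout.cfg
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  register: grubtime

- name: Generate GRUB configuration
  # Regenerate only when one of the inputs above actually changed. The hash from
  # 00_before also ends up in /boot/grub/grub.cfg — verify that file is not
  # world-readable on the target distribution.
  command: update-grub
  when: grubunrestricted.changed or grubpass.changed or grubtime.changed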