
# Enables password protection for GRUB editing only; menu entries remain bootable without authentication.
# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
# Drop-in for /etc/grub.d. The last line of the heredoc ends up in grub.cfg and
# prepends --unrestricted to $menuentry_id_option, which is what (per the header
# comment) keeps the menu entries bootable while editing stays password-gated.
- name: GRUB edit unrestricted option
  register: grubunrestricted
  copy:
    dest: /etc/grub.d/09_make_OS_entries_unrestricted
    owner: root
    group: root
    mode: "0755"  # same bits as u=rwx,g=rx,o=rx
    # Presumably the expected checksum of the transferred content; regenerate
    # it whenever the heredoc below is edited, or the copy will fail validation.
    checksum: fed5c365f11a919b857b78207565cf341b86082b
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      # This file provides an easy way to add custom menu entries. Simply type the
      # menu entries you want to add after this comment. Be careful not to change
      # the 'exec tail' line above.
      menuentry_id_option="--unrestricted $menuentry_id_option"
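# The PBKDF2 hash is fetched from Passbolt and kept out of logs. A second task
# checks that the value looks like grub-mkpasswd-pbkdf2 output before it is
# written into /etc/grub.d: a malformed password_pbkdf2 line would likely
# leave the superuser unable to authenticate at the GRUB menu.
- name: Search grub password in Passbolt
  no_log: true
  set_fact:
    # NOTE(review): `passbolt` is unquoted inside the Jinja expression, so it is
    # read as a variable holding the lookup plugin name — confirm it is defined,
    # or quote it as 'passbolt' if the plugin name was intended literally.
    grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
- name: Validate the GRUB password hash from Passbolt
  assert:
    that:
      - grub_code is string
      - grub_code.startswith('grub.pbkdf2.')
    # The failure message deliberately does not echo the value.
    fail_msg: "Passbolt entry 'grub' does not contain a grub-mkpasswd-pbkdf2 hash"
    quiet: true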
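# Early /etc/grub.d script (00_ prefix) declaring the superuser and its PBKDF2
# hash. The hash is not a plaintext secret, but a world-readable copy lets any
# local user attempt offline guessing, so the script is now root/group-only;
# root is the user that runs grub-mkconfig, so execution is unaffected. The
# generated grub.cfg also carries the hash — how grub-mkconfig protects that
# file is outside this playbook and worth confirming on the target release.
- name: GRUB edit password protection
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    mode: "0750"  # was u=rwx,g=rx,o=rx (0755); drops world read of the hash
  register: grubpass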
# Writes a fragment under /etc/default/grub.d/ — presumably picked up as an
# override of /etc/default/grub, so the distro file is left untouched.
- name: Change GRUB_TIMEOUT from 5 to 1
  register: grubtime
  copy:
    dest: /etc/default/grub.d/timeout.cfg
    owner: root
    group: root
    mode: "0644"  # same bits as u=rw,g=r,o=r
    content: "GRUB_TIMEOUT=1\n"
# Rebuild grub.cfg only when at least one of the three drop-ins above changed.
# `command` always reports changed, which is acceptable here since the task is
# already gated on the registered results.
- name: Generate GRUB configuration
  command:
    cmd: update-grub
  when: >-
    grubunrestricted is changed
    or grubpass is changed
    or grubtime is changed