quico-ansible/role-common-local_os_password
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: quico-ansible:v0.2.0
Branches Tags
quico-ansible:main quico-ansible:dev
quico-ansible:1.0.0 quico-ansible:v0.2.0 quico-ansible:v0.1.0
...
compare: quico-ansible:8126c26ec39172cdee617c8490bc888a39fb2418
Branches Tags
quico-ansible:main quico-ansible:dev
quico-ansible:1.0.0 quico-ansible:v0.2.0 quico-ansible:v0.1.0

2 Commits
v0.2.0 ... 8126c26ec3

Author SHA1 Message Date
hygienic-books
8126c26ec3 feat(meta): Trim role content 2025-04-10 02:21:42 +02:00
hygienic-books
4341ba9bc6 fix(meta): Remove JetBrains files from repo 2025-04-10 02:21:02 +02:00
8 changed files with 46 additions and 78 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -1,3 +1 @@
# ---> Ansible .idea
*.retry

17
CHANGELOG.md
View File

@@ -1,17 +0,0 @@
# Change log
Current version: 0.2.0
<!--next-version-placeholder-->
## v0.2.0 (2022-07-24)
### Feature
* **role:** Set and document defaults to make this ready to use out of the box ([`f3042db`](https://quico.space/quico-ansible/role_common_local-os-password/commit/f3042dbf7e69a9009524f2a4f06203a2a5342cf4))
## v0.1.0 (2022-07-24)
### Feature
* **role:** Introduce Semantic Versioning a changelog ([`a84a113`](https://quico.space/quico-ansible/role_common_local-os-password/commit/a84a113ef749dc7c543f1b3995efe0e4194f7832))
* **role:** Initial commit ([`dc9b87b`](https://quico.space/quico-ansible/role_common_local-os-password/commit/dc9b87ba880b58004201199f559b950ada939555))
### Fix
* **role:** Import dependency via 'git+https' protocol ([`8a1aa01`](https://quico.space/quico-ansible/role_common_local-os-password/commit/8a1aa0175efa6acf40f2c85dac45375adf0e92e1))

39
README.md
View File

@@ -1,22 +1,33 @@
# role_common_local-os-password [//]: # (SPDX-License-Identifier: MIT)
# Role Name
An Ansible role to change an operating system's local user password role-common-local_os_password
# Defaults # Description
Change an operating system's local user password.
# Requirements
Your target machines must be Linux.
# Role Variables
This role requires variables defined in [defaults/main.yml](defaults/main.yml). Feel free to overwrite them as needed for your HashiCorp Vault setup for example in a `group_vars` or `host_vars` file. This role requires variables defined in [defaults/main.yml](defaults/main.yml). Feel free to overwrite them as needed for your HashiCorp Vault setup for example in a `group_vars` or `host_vars` file.
* `fqdn_reverse`: A variable that contains the reversed fully qualified domain name for each host. For `fully.qualified.domain.name` this variable will equal `name.domain.qualified.fully`. Consider this a suggestion for how to set up your HashiCorp Vault `kv` secrets hierarchy. - `fqdn_reverse`: A variable that contains the reversed fully qualified domain name for each host. For `fully.qualified.domain.name` this variable will equal `name/domain/qualified/fully` which we then use in our HashiCorp Vault path to retrieve a password and password salt per host and per user.
- `reset_password_for_account`: A list of usernames whose password we want changed. This defaults to:
```
reset_password_for_account:
- 'build'
- 'root'
```
* `local_os_password_vault_vars`: The variables you want extracted from your Vault instance, by default `['password', 'password_salt']` which contain the new password to set for the local account and a salt, respectively. # Dependencies
* `local_os_password_vault_base`: The base path where all of `local_os_password_vault_vars` are located in Vault. None.
* `local_os_password_vault_paths`: The product of both `local_os_password_vault_base` and `local_os_password_vault_vars` stored in a dictionary. This is what the role uses in its `vault_kv2_get` lookup. # Example Playbook
* `reset_password_for_account`: The account for which you'd like to change its local account password, defaults to `root`.
# Use it
In your `playbook.yml` call it like so: In your `playbook.yml` call it like so:
@@ -24,5 +35,9 @@ In your `playbook.yml` call it like so:
- name: 'Awesome playbook' - name: 'Awesome playbook'
hosts: all hosts: all
roles: roles:
- 'role_common_local-os-password' - 'role-common-local_os_password'
``` ```
# License
MIT

9
defaults/main.yml
View File

@@ -1,6 +1,5 @@
# role_common_local-os-password # SPDX-License-Identifier: MIT
fqdn_reverse: '{{ inventory_hostname | split(".") | reverse | join("/") }}' fqdn_reverse: '{{ inventory_hostname | split(".") | reverse | join("/") }}'
local_os_password_vault_vars: ['password', 'password_salt'] reset_password_for_account:
local_os_password_vault_base: '{{ fqdn_reverse }}/os/{{ reset_password_for_account }}' - 'build'
local_os_password_vault_paths: '{{ [local_os_password_vault_base + ''/''] | product(local_os_password_vault_vars) | map(''join'') | list }}' - 'root'
reset_password_for_account: 'root'

14
meta/main.yml
View File

@@ -1,14 +1,10 @@
# SPDX-License-Identifier: MIT
galaxy_info: galaxy_info:
author: 'hygienic-books' author: 'hygienic-books'
description: 'An Ansible role to change an operating system''s local user password' description: 'Change an operating system''s local user password'
issue_tracker_url: 'https://quico.space/quico-ansible/role_common_local-os-password/issues' license: MIT
license: 'MIT' min_ansible_version: 2.18.1
min_ansible_version: '2.12.6'
platforms:
- name: 'EL'
versions:
- '7'
- '8'
galaxy_tags: galaxy_tags:
- 'os'
- 'password' - 'password'
dependencies: [] dependencies: []

2
meta/requirements.yml
View File

@@ -1,2 +0,0 @@
- src: 'git+https://quico.space/quico-ansible/role_include_vault-check.git'
version: 'master'

38
tasks/40-local-os-password.yml
View File

@@ -1,33 +1,11 @@
- name: 'Get secrets' # SPDX-License-Identifier: MIT
no_log: 'true'
loop_control:
loop_var: 'server'
with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
ansible.builtin.set_fact:
vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
- name: 'If a secret is missing: Fail progress'
import_role:
name: 'role_include_vault-check'
vars:
- vault_check_base_path: '{{ local_os_password_vault_base }}'
- vault_check_inc_vault_data: '{{ vault_data }}'
- vault_check_fail_checks: '{{ local_os_password_vault_vars }}'
- name: 'Set fact: New OS local account password'
no_log: 'true'
ansible.builtin.set_fact:
os_acc_pwd: '{{ vault_data.password }}'
os_acc_salt: '{{ vault_data.password_salt }}'
- name: 'Set local OS account password' - name: 'Set local OS account password'
loop_control:
loop_var: 'account'
index_var: 'i'
label: 'Set password for local account ''{{ account }}'''
loop: '{{ reset_password_for_account }}'
ansible.builtin.user: ansible.builtin.user:
name: '{{ reset_password_for_account }}' name: '{{ account }}'
password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}' password: '{{ lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password'') | string | password_hash(''sha512'', lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password_salt'')) }}'
update_password: 'always' update_password: 'always'

1
tasks/main.yml
View File

@@ -1 +1,2 @@
# SPDX-License-Identifier: MIT
- import_tasks: '40-local-os-password.yml' - import_tasks: '40-local-os-password.yml'