mirror of
https://git.lapiole.org/dani/ansible-roles.git
synced 2025-07-27 00:05:44 +02:00
Update to 2022-02-27 18:00
This commit is contained in:
Daniel Berteaud
@@ -1,49 +1,73 @@
|
||||
---
|
||||
|
||||
- name: Install tools
|
||||
package:
|
||||
name:
|
||||
- pwgen
|
||||
- openssl
|
||||
when: rand_pass_tools_installed is not defined or not rand_pass_tools_installed
|
||||
|
||||
# Mark tool sas installed so we do not check each time, as it can be slow
|
||||
- set_fact: rand_pass_tools_installed=True
|
||||
|
||||
# Check if a non encrypted file exists. We do it first for backward compatibility
|
||||
- name: Check if password file exists
|
||||
stat: path={{ pass_file }}
|
||||
register: pass_file_exists
|
||||
tags: always
|
||||
register: pass_file_clear
|
||||
|
||||
#- name: Check if a vault password file exists
|
||||
# stat: path={{ pass_file }}.vault
|
||||
# register: pass_file_vault_exists
|
||||
# tags: always
|
||||
#
|
||||
## Generate a pass and store it encrypted
|
||||
#- when: not pass_file_exists.stat.exists and not pass_file_vault_exists.stat.exists and encryption | default(True) and vault_encryption_key is defined
|
||||
# block:
|
||||
# - package: name=pwgen
|
||||
# - shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
|
||||
# register: rand_pass
|
||||
# # Now write this new pass
|
||||
# - copy: content={{ rand_pass.stdout | trim | vault(vault_encryption_key) }} dest={{ pass_file }}.vault mode=600
|
||||
# tags: always
|
||||
# Now check if an encrypted file exists
|
||||
- name: Check if an encrypted password file exists
|
||||
stat: path={{ pass_file }}.aes256
|
||||
register: pass_file_enc
|
||||
|
||||
# When no pass exist, create one
|
||||
- when: not pass_file_exists.stat.exists # and (not encryption or vault_encryption_key is not defined)
|
||||
# When no clear nor encrypted file exists, generate a random pass with pwgen
|
||||
- name: Generate a random password
|
||||
shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
|
||||
register: rand_pass
|
||||
when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists
|
||||
|
||||
# New pass generation ? Encrypt it with openssl, unless encryption is disabled, or the global rand_pass_encryption_key isn't defined
|
||||
- when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
|
||||
block:
|
||||
- package: name=pwgen
|
||||
- shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
|
||||
register: rand_pass
|
||||
# Now write this new pass
|
||||
- copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
|
||||
tags: always
|
||||
- name: Encrypt the generated password
|
||||
shell: openssl enc -e -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
|
||||
args:
|
||||
stdin: "{{ rand_pass.stdout }}"
|
||||
register: encrypted_rand_pass
|
||||
- copy: content={{ encrypted_rand_pass.stdout | trim }} dest={{ pass_file }}.aes256 mode=600
|
||||
|
||||
# New pass generation but with encryption disabled, or the global rand_pass_encryption_key not defined
|
||||
# in this case, store the password as plain text
|
||||
- name: Store the generated password as clear text
|
||||
copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
|
||||
when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and (not encryption | default(True) or rand_pass_encryption_key is not defined)
|
||||
|
||||
# Read the encrypted pass
|
||||
#- when: not pass_file_exists.stat.exists and encryption | default(True) and vault_encryption_key is defined
|
||||
# block:
|
||||
# - name: Read the password
|
||||
# slurp: src={{ pass_file }}.vault
|
||||
# register: rand_pass
|
||||
# - set_fact: rand_pass={{ rand_pass.content | b64decode | trim | unvault(vault_encryption_key) }}
|
||||
# tags: always
|
||||
- when: not pass_file_clear.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
|
||||
block:
|
||||
|
||||
# Read unencrypted pass file (compat)
|
||||
- block:
|
||||
- name: Read the password
|
||||
slurp: src={{ pass_file }}
|
||||
- name: Read the encrypted password
|
||||
slurp: src={{ pass_file }}.aes256
|
||||
register: rand_pass
|
||||
- set_fact: rand_pass={{ rand_pass.content | b64decode | trim }}
|
||||
tags: always
|
||||
|
||||
- name: Decrypt the password
|
||||
shell: openssl enc -d -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
|
||||
args:
|
||||
stdin: "{{ rand_pass.content | b64decode | trim }}"
|
||||
register: rand_pass_decrypted
|
||||
changed_when: False
|
||||
|
||||
# Read unencrypted pass file
|
||||
- when: not encryption | default(True) or rand_pass_encryption_key is not defined or pass_file_clear.stat.exists
|
||||
block:
|
||||
- name: Read the clear text password
|
||||
slurp: src={{ pass_file }}
|
||||
register: rand_pass_clear
|
||||
|
||||
# Now set either the decrypted, or the clear text pass in the rand_pass variable which will be used by the caller
|
||||
- set_fact:
|
||||
rand_pass: >-
|
||||
{%- if (rand_pass_decrypted is defined and rand_pass_decrypted.stdout is defined) -%}{{ rand_pass_decrypted.stdout }}
|
||||
{%- elif rand_pass_clear is defined and rand_pass_clear.content is defined -%}{{ rand_pass_clear.content | b64decode | trim }}
|
||||
{%- else -%}{%- endif -%}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user