mirror of
https://git.lapiole.org/dani/ansible-roles.git
synced 2025-04-16 02:03:09 +02:00
74 lines
3.1 KiB
YAML
74 lines
3.1 KiB
YAML
---
|
|
|
|
- name: Install tools
|
|
package:
|
|
name:
|
|
- pwgen
|
|
- openssl
|
|
when: rand_pass_tools_installed is not defined or not rand_pass_tools_installed
|
|
|
|
# Mark tool sas installed so we do not check each time, as it can be slow
|
|
- set_fact: rand_pass_tools_installed=True
|
|
|
|
# Check if a non encrypted file exists. We do it first for backward compatibility
|
|
- name: Check if password file exists
|
|
stat: path={{ pass_file }}
|
|
register: pass_file_clear
|
|
|
|
# Now check if an encrypted file exists
|
|
- name: Check if an encrypted password file exists
|
|
stat: path={{ pass_file }}.aes256
|
|
register: pass_file_enc
|
|
|
|
# When no clear nor encrypted file exists, generate a random pass with pwgen
|
|
- name: Generate a random password
|
|
shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
|
|
register: rand_pass
|
|
when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists
|
|
|
|
# New pass generation ? Encrypt it with openssl, unless encryption is disabled, or the global rand_pass_encryption_key isn't defined
|
|
- when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
|
|
block:
|
|
- name: Encrypt the generated password
|
|
shell: openssl enc -e -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
|
|
args:
|
|
stdin: "{{ rand_pass.stdout }}"
|
|
register: encrypted_rand_pass
|
|
- copy: content={{ encrypted_rand_pass.stdout | trim }} dest={{ pass_file }}.aes256 mode=600
|
|
|
|
# New pass generation but with encryption disabled, or the global rand_pass_encryption_key not defined
|
|
# in this case, store the password as plain text
|
|
- name: Store the generated password as clear text
|
|
copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
|
|
when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and (not encryption | default(True) or rand_pass_encryption_key is not defined)
|
|
|
|
# Read the encrypted pass
|
|
- when: not pass_file_clear.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
|
|
block:
|
|
|
|
- name: Read the encrypted password
|
|
slurp: src={{ pass_file }}.aes256
|
|
register: rand_pass
|
|
|
|
- name: Decrypt the password
|
|
shell: openssl enc -d -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
|
|
args:
|
|
stdin: "{{ rand_pass.content | b64decode | trim }}"
|
|
register: rand_pass_decrypted
|
|
changed_when: False
|
|
|
|
# Read unencrypted pass file
|
|
- when: not encryption | default(True) or rand_pass_encryption_key is not defined or pass_file_clear.stat.exists
|
|
block:
|
|
- name: Read the clear text password
|
|
slurp: src={{ pass_file }}
|
|
register: rand_pass_clear
|
|
|
|
# Now set either the decrypted, or the clear text pass in the rand_pass variable which will be used by the caller
|
|
- set_fact:
|
|
rand_pass: >-
|
|
{%- if (rand_pass_decrypted is defined and rand_pass_decrypted.stdout is defined) -%}{{ rand_pass_decrypted.stdout }}
|
|
{%- elif rand_pass_clear is defined and rand_pass_clear.content is defined -%}{{ rand_pass_clear.content | b64decode | trim }}
|
|
{%- else -%}{%- endif -%}
|
|
|