ghp/ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pwgen: rewrite checks and passwords generation

Browse Source
This commit is contained in:
ace 2025-05-23 13:05:03 +03:00
parent e67b5702d5
commit 74ae2c4694
Signed by: ace
GPG Key ID: F7EC00FB2C3118AD
7 changed files with 246 additions and 303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
roles/pwgen/tasks/dkim.yaml
View File

@ -1,47 +1,36 @@
- name: Test if DKIM private key exists - name: Generate DKIM keys
shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
register: dkim_private_key_test_grep block:
- name: Create DKIM keys
docker_container:
name: ddclient
image: "{{ docker_registry }}/pwgen"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
register: dkim_container_output
- name: Test if DKIM public key exists - name: Set dkim_keys
shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true set_fact:
register: dkim_public_key_test_grep dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
- name: Create DKIM keys - name: Show DKIM private key
docker_container: debug:
name: ddclient msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
image: "{{ docker_registry }}/pwgen" verbosity: 2
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
register: dkim_container_output
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
- name: Set ddclient_key - name: Show DKIM public key
set_fact: debug:
dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}" msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0' verbosity: 2
- name: Show DKIM private key - name: Write DKIM private key
debug: lineinfile:
msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
when: dkim_private_key_test_grep.stdout == '0'
- name: Show DKIM public key - name: Write DKIM public key
debug: lineinfile:
msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
when: dkim_public_key_test_grep.stdout == '0'
- name: Write DKIM private key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
when: dkim_private_key_test_grep.stdout == '0'
- name: Write DKIM public key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
when: dkim_public_key_test_grep.stdout == '0'

72
roles/pwgen/tasks/htpasswd.yaml
View File

@ -1,46 +1,36 @@
- name: Test if password exists in file for {{ item.name }} - name: Generate htpasswd for {{ item.name }}
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
register: password_test_grep block:
- name: Create password for {{ item.name }}
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
register: password
- name: Test if password htpasswd hash exists in file for {{ item.name }} - name: Show password json for {{ item.name }}
shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true debug:
register: htpasswd_hash_test_grep msg: "{{ password }}"
verbosity: 2
- name: Create password for {{ item.name }} - name: Create bcrypt hash from password for {{ item.name }}
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;" docker_container:
register: password name: slappasswd
when: password_test_grep.stdout == '0' image: "{{ docker_registry }}/pwgen"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
register: docker_container_output
- name: Show password json for {{ item.name }} - name: Show docker_container_output for {{ item.name }}
debug: debug:
msg: "{{ password }}" msg: "{{ docker_container_output }}"
verbosity: 2 verbosity: 2
when: password_test_grep.stdout == '0'
- name: Create bcrypt hash from password for {{ item.name }} - name: Write password for {{ item.name }}
docker_container: lineinfile:
name: slappasswd path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
image: "{{ docker_registry }}/pwgen" line: "{{ item.name }}_password: \"{{ password.stdout }}\""
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
register: docker_container_output
when: htpasswd_hash_test_grep.stdout == '0'
- name: Show docker_container_output for {{ item.name }} - name: Write htpasswd hash for {{ item.name }}
debug: lineinfile:
msg: "{{ docker_container_output }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
- name: Write password for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
when: password_test_grep.stdout == '0'
- name: Write htpasswd hash for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
when: htpasswd_hash_test_grep.stdout == '0'

17
roles/pwgen/tasks/main.yaml
View File

@ -1,7 +1,22 @@
- name: Create passwords.yaml file - name: Check that passwords.yaml exists
stat:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
register: passwords_file
- name: Create passwords.yaml file if not exists
file: file:
name: "{{ inventory_dir }}/group_vars/all/passwords.yaml" name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
state: touch state: touch
when: not passwords_file.stat.exists
- name: Read passwords.yaml file
slurp:
src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
register: passwords_b64
- name: Set facts about passwords
set_fact:
passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
- name: Create files directory for ddclient tsig - name: Create files directory for ddclient tsig
file: file:

75
roles/pwgen/tasks/passwords.yaml
View File

@ -1,49 +1,34 @@
- name: Test if password exists in file for {{ item.name }} - name: Generate password for {{ item.name }}
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_password'] is not defined
register: password_test_grep block:
- name: Create password for {{ item.name }}
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
register: password
- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }} - name: Show password json for {{ item.name }}
shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true debug:
register: pbkdf2_sha512_hash_test_grep msg: "{{ password }}"
verbosity: 2
- name: Create password for {{ item.name }} - name: Write password for {{ item.name }}
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;" lineinfile:
register: password path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
when: password_test_grep.stdout == '0' line: "{{ item.name }}_password: \"{{ password.stdout }}\""
- name: Show password json for {{ item.name }} - name: Generate password for {{ item.name }}
debug: when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
msg: "{{ password }}" block:
verbosity: 2 - name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
when: password_test_grep.stdout == '0' docker_container:
name: slappasswd
image: "{{ docker_registry }}/pwgen"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
register: docker_container_output
- name: Create PBKDF2-SHA512 hash from password for {{ item.name }} - name: Write PBKDF2-SHA512 hash for {{ item.name }}
docker_container: lineinfile:
name: slappasswd path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
image: "{{ docker_registry }}/pwgen" line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
register: docker_container_output
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
- debug:
msg: "{{ docker_container_output }}"
- name: Show docker_container_output for {{ item.name }}
debug:
msg: "{{ docker_container_output }}"
verbosity: 2
- name: Write password for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
when: password_test_grep.stdout == '0'
- name: Write PBKDF2-SHA512 hash for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
when: pbkdf2_sha512_hash_test_grep.stdout == '0'

30
roles/pwgen/tasks/secrets.yaml
View File

@ -1,20 +1,16 @@
- name: Test if secret exists in file for {{ item.name }}
shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
register: secret_test_grep
- name: Create secret for {{ item.name }} - name: Create secret for {{ item.name }}
shell: "openssl rand -hex 32" when: passwords[item.name + '_secret'] is not defined
register: secret block:
when: secret_test_grep.stdout == '0' - name: Create secret for {{ item.name }}
shell: "openssl rand -hex 32"
register: secret
- name: Show secret json for {{ item.name }} - name: Show secret json for {{ item.name }}
debug: debug:
msg: "{{ secret }}" msg: "{{ secret }}"
verbosity: 2 verbosity: 2
when: secret_test_grep.stdout == '0'
- name: Write secret for {{ item.name }} - name: Write secret for {{ item.name }}
lineinfile: lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_secret: \"{{ secret.stdout }}\"" line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
when: secret_test_grep.stdout == '0'

151
roles/pwgen/tasks/tsig.yaml
View File

@ -1,99 +1,78 @@
- name: Test if k8s TSIG key exists - name: Generate K8s TSIG for Knot DNS
shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords['k8s_tsig'] is not defined
register: k8s_tsig_test_grep block:
- name: Generate k8s TSIG key for Knot DNS
docker_container:
name: keymgr
image: "{{ docker_registry }}/tsig"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
register: knot_container_output
- name: Test if ddclinet TSIG key exists - name: Set k8s_key
shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true set_fact:
register: ddclient_tsig_test_grep k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
- name: Test if ddclinet TSIG key exists - name: Show k8s TSIG key
shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true debug:
register: ddclient_tsig_public_key_test_grep msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
- name: Test if ddclinet TSIG key exists - name: Write TSIG for Kubernetes
shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true lineinfile:
register: ddclient_tsig_private_key_test_grep path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
- name: Generate k8s TSIG key for Knot DNS - name: Generate ddclient private and public TSIG keys for Knot DNS
docker_container: when:
name: keymgr - passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
image: "{{ docker_registry }}/tsig" block:
cleanup: true - name: Generate TSIG key for ddclient
detach: false docker_container:
container_default_behavior: no_defaults name: ddclient
command: "keymgr -t {{ namespace }} hmac-sha512" image: "{{ docker_registry }}/tsig"
register: knot_container_output cleanup: true
when: k8s_tsig_test_grep.stdout == '0' detach: false
container_default_behavior: no_defaults
command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
register: ddclient_container_output
- name: Set k8s_key - name: Set ddclient_key
set_fact: set_fact:
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}" ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
when: k8s_tsig_test_grep.stdout == '0'
- name: Show k8s TSIG key - name: Show ddclient TSIG public key file
debug: debug:
msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}" msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
when: k8s_tsig_test_grep.stdout == '0' verbosity: 2
- name: Write TSIG for Kubernetes - name: Show ddclient TSIG private key file
lineinfile: debug:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml" msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\"" verbosity: 2
when: k8s_tsig_test_grep.stdout == '0'
- name: Generate TSIG key for ddclient - name: Write ddclient TSIG public key file in base64
docker_container: lineinfile:
name: ddclient path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
image: "{{ docker_registry }}/tsig" line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "bash tsig-key.sh {{ namespace }}"
register: ddclient_container_output
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Set ddclient_key - name: Show ddclient TSIG key
set_fact: debug:
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}" msg: "{{ ddclient_tsig_key }}"
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0' verbosity: 2
- name: Show ddclient TSIG public key file - name: Write ddclient TSIG key
debug: lineinfile:
msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
when: ddclient_tsig_public_key_test_grep.stdout == '0'
- name: Show ddclient TSIG private key file - name: Write ddclient TSIG private key file in base64
debug: lineinfile:
msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
when: ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Write ddclient TSIG public key file in base64 - name: Set ddclient TSIG key
lineinfile: set_fact:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml" ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
when: ddclient_tsig_public_key_test_grep.stdout == '0'
- name: Write ddclient TSIG private key file in base64
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
when: ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Set ddclient TSIG key
set_fact:
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
when: ddclient_tsig_test_grep.stdout == '0'
- name: Show ddclient TSIG key
debug:
msg: "{{ ddclient_tsig_key }}"
verbosity: 2
when: ddclient_tsig_test_grep.stdout == '0'
- name: Write ddclient TSIG key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
when: ddclient_tsig_test_grep.stdout == '0'

73
roles/pwgen/tasks/vapid.yaml
View File

@ -1,47 +1,36 @@
- name: Test if VAPID private key exists - name: Generate VAPID keys
shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
register: vapid_private_key_test_grep block:
- name: Create VAPID keys
docker_container:
name: vapid
image: "{{ docker_registry }}/pwgen"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "/vapid"
register: vapid_container_output
- name: Test if VAPID public key exists - name: Set VAPID keys fact
shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true set_fact:
register: vapid_public_key_test_grep vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
- name: Create VAPID keys - name: Show VAPID private key
docker_container: debug:
name: vapid msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
image: "{{ docker_registry }}/pwgen" verbosity: 2
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "/vapid"
register: vapid_container_output
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
- name: Set VAPID keys fact - name: Show VAPID public key
set_fact: debug:
vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}" msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0' verbosity: 2
- name: Show VAPID private key - name: Write VAPID private key
debug: lineinfile:
msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
when: vapid_private_key_test_grep.stdout == '0'
- name: Show VAPID public key - name: Write VAPID public key
debug: lineinfile:
msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
verbosity: 2 line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
when: vapid_public_key_test_grep.stdout == '0'
- name: Write VAPID private key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
when: vapid_private_key_test_grep.stdout == '0'
- name: Write VAPID public key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
when: vapid_public_key_test_grep.stdout == '0'