pwgen: rewrite checks and passwords generation

This commit is contained in:
ace 2025-05-23 13:05:03 +03:00
parent e67b5702d5
commit 74ae2c4694
Signed by: ace
GPG Key ID: F7EC00FB2C3118AD
7 changed files with 246 additions and 303 deletions


@ -1,47 +1,36 @@
- name: Test if DKIM private key exists - name: Generate DKIM keys
shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
register: dkim_private_key_test_grep block:
- name: Create DKIM keys
- name: Test if DKIM public key exists docker_container:
shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true name: ddclient
register: dkim_public_key_test_grep image: "{{ docker_registry }}/pwgen"
cleanup: true
- name: Create DKIM keys detach: false
docker_container: container_default_behavior: no_defaults
name: ddclient command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
image: "{{ docker_registry }}/pwgen" register: dkim_container_output
cleanup: true
detach: false - name: Set dkim_keys
container_default_behavior: no_defaults set_fact:
command: "sh dkim-key.sh {{ mail_domain | default(domain) }}" dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
register: dkim_container_output
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0' - name: Show DKIM private key
debug:
- name: Set ddclient_key msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
set_fact: verbosity: 2
dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0' - name: Show DKIM public key
debug:
- name: Show DKIM private key msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
debug: verbosity: 2
msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
verbosity: 2 - name: Write DKIM private key
when: dkim_private_key_test_grep.stdout == '0' lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
- name: Show DKIM public key line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
debug:
msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}" - name: Write DKIM public key
verbosity: 2 lineinfile:
when: dkim_public_key_test_grep.stdout == '0' path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
- name: Write DKIM private key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
when: dkim_private_key_test_grep.stdout == '0'
- name: Write DKIM public key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
when: dkim_public_key_test_grep.stdout == '0'
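Review bot: The two `lineinfile` tasks in the new block carry no `regexp`, so when only one of `dkim_private_key_base64`/`dkim_public_key_base64` is missing the block regenerates both keys and appends a second line for the one that already existed, leaving passwords.yaml with a duplicate key (loaders keep the last one) and a private key that no longer matches whatever DKIM TXT record was published from the old public key. Adding `regexp: '^dkim_private_key_base64:'` and `regexp: '^dkim_public_key_base64:'` turns the writes into idempotent replacements. The container is still called `ddclient` and both debug messages say `ddclient private/public key` although this is the DKIM key pair; naming them `dkim` avoids misleading log output. Since regenerating the pair implies republishing the DNS record, a short comment on the block saying so would save the next operator a surprise.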


@ -1,46 +1,36 @@
- name: Test if password exists in file for {{ item.name }} - name: Generate htpasswd for {{ item.name }}
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
register: password_test_grep block:
- name: Create password for {{ item.name }}
- name: Test if password htpasswd hash exists in file for {{ item.name }} shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true register: password
register: htpasswd_hash_test_grep
- name: Show password json for {{ item.name }}
- name: Create password for {{ item.name }} debug:
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;" msg: "{{ password }}"
register: password verbosity: 2
when: password_test_grep.stdout == '0'
- name: Create bcrypt hash from password for {{ item.name }}
- name: Show password json for {{ item.name }} docker_container:
debug: name: slappasswd
msg: "{{ password }}" image: "{{ docker_registry }}/pwgen"
verbosity: 2 cleanup: true
when: password_test_grep.stdout == '0' detach: false
container_default_behavior: no_defaults
- name: Create bcrypt hash from password for {{ item.name }} command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
docker_container: register: docker_container_output
name: slappasswd
image: "{{ docker_registry }}/pwgen" - name: Show docker_container_output for {{ item.name }}
cleanup: true debug:
detach: false msg: "{{ docker_container_output }}"
container_default_behavior: no_defaults verbosity: 2
command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
register: docker_container_output - name: Write password for {{ item.name }}
when: htpasswd_hash_test_grep.stdout == '0' lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
- name: Show docker_container_output for {{ item.name }} line: "{{ item.name }}_password: \"{{ password.stdout }}\""
debug:
msg: "{{ docker_container_output }}" - name: Write htpasswd hash for {{ item.name }}
verbosity: 2 lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
- name: Write password for {{ item.name }} line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
when: password_test_grep.stdout == '0'
- name: Write htpasswd hash for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
when: htpasswd_hash_test_grep.stdout == '0'
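Review bot: With the single block-level `when` (`_password` or `_htpasswd_hash` undefined), a missing hash now regenerates the password too, and because the `Write password` `lineinfile` has no `regexp` it appends a second `{{ item.name }}_password:` line after the existing one instead of replacing it; add `regexp: "^{{ item.name }}_password:"` (and the same for the hash line) so re-runs replace rather than duplicate. The `default(item.name + '_password')` fallback in the htpasswd command can no longer be reached, since `password` is always registered earlier in the same block, and if it ever were reached it would hash the literal string `<name>_password`; drop it so the fallback cannot mask a missing password. Both the `shell` and `docker_container` tasks put the clear-text password into their registered results and, for the container, into `docker inspect`, so consider `no_log: true` on them; the verbosity-2 debug tasks already exist for deliberate inspection.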


@ -1,7 +1,22 @@
- name: Create passwords.yaml file - name: Check that passwords.yaml exists
stat:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
register: passwords_file
- name: Create passwords.yaml file if not exists
file: file:
name: "{{ inventory_dir }}/group_vars/all/passwords.yaml" name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
state: touch state: touch
when: not passwords_file.stat.exists
- name: Read passwords.yaml file
slurp:
src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
register: passwords_b64
- name: Set facts about passwords
set_fact:
passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
- name: Create files directory for ddclient tsig - name: Create files directory for ddclient tsig
file: file:
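Review bot: The `touch` that creates passwords.yaml sets no `mode`, so the file that every generated password and private key is appended to is created with the default umask (usually world-readable); add `mode: "0600"` to that `file:` task. On a freshly created empty file `slurp | b64decode | from_yaml` yields null rather than a mapping — the later `passwords[...] is not defined` checks happen to tolerate that, but `passwords: "{{ passwords_b64['content'] | b64decode | from_yaml | default({}, true) }}"` makes the intent explicit. Note that `file`, `slurp` and `lineinfile` act on the managed node, so this only reaches the controller's `inventory_dir` when the play targets localhost or the tasks are delegated; the play itself is not visible in this hunk.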


@ -1,49 +1,34 @@
- name: Test if password exists in file for {{ item.name }} - name: Generate password for {{ item.name }}
shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_password'] is not defined
register: password_test_grep block:
- name: Create password for {{ item.name }}
- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }} shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true register: password
register: pbkdf2_sha512_hash_test_grep
- name: Show password json for {{ item.name }}
debug:
msg: "{{ password }}"
verbosity: 2
- name: Create password for {{ item.name }} - name: Write password for {{ item.name }}
shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;" lineinfile:
register: password path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
when: password_test_grep.stdout == '0' line: "{{ item.name }}_password: \"{{ password.stdout }}\""
- name: Show password json for {{ item.name }} - name: Generate password for {{ item.name }}
debug: when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
msg: "{{ password }}" block:
verbosity: 2 - name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
when: password_test_grep.stdout == '0' docker_container:
name: slappasswd
- name: Create PBKDF2-SHA512 hash from password for {{ item.name }} image: "{{ docker_registry }}/pwgen"
docker_container: cleanup: true
name: slappasswd detach: false
image: "{{ docker_registry }}/pwgen" container_default_behavior: no_defaults
cleanup: true command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
detach: false register: docker_container_output
container_default_behavior: no_defaults
command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}" - name: Write PBKDF2-SHA512 hash for {{ item.name }}
register: docker_container_output lineinfile:
when: pbkdf2_sha512_hash_test_grep.stdout == '0' path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
- debug:
msg: "{{ docker_container_output }}"
- name: Show docker_container_output for {{ item.name }}
debug:
msg: "{{ docker_container_output }}"
verbosity: 2
- name: Write password for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_password: \"{{ password.stdout }}\""
when: password_test_grep.stdout == '0'
- name: Write PBKDF2-SHA512 hash for {{ item.name }}
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
when: pbkdf2_sha512_hash_test_grep.stdout == '0'
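Review bot: The hash block still derives its input from `password.stdout | default(item.name + '_password')`, but when `_password` already exists in passwords.yaml and only the hash is missing, the first block is skipped and `password` is either undefined (so the literal string `<name>_password` gets hashed) or, if this file is included in a loop, left over from the previous item; either way the stored hash does not correspond to the stored password. Use the value from the file first and the freshly generated one otherwise: `command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ passwords[item.name + '_password'] | default(password.stdout) }}"`. The second block is also named `Generate password for {{ item.name }}` like the first; `Generate PBKDF2-SHA512 hash for {{ item.name }}` makes the output readable. If the bare `- debug: msg: "{{ docker_container_output }}"` without `verbosity` survives on the new side, it prints the container record, command line and password included, at default verbosity; give it `verbosity: 2` like its neighbour.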


@ -1,20 +1,16 @@
- name: Test if secret exists in file for {{ item.name }}
shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
register: secret_test_grep
- name: Create secret for {{ item.name }} - name: Create secret for {{ item.name }}
shell: "openssl rand -hex 32" when: passwords[item.name + '_secret'] is not defined
register: secret block:
when: secret_test_grep.stdout == '0' - name: Create secret for {{ item.name }}
shell: "openssl rand -hex 32"
- name: Show secret json for {{ item.name }} register: secret
debug:
msg: "{{ secret }}" - name: Show secret json for {{ item.name }}
verbosity: 2 debug:
when: secret_test_grep.stdout == '0' msg: "{{ secret }}"
verbosity: 2
- name: Write secret for {{ item.name }}
lineinfile: - name: Write secret for {{ item.name }}
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml" lineinfile:
line: "{{ item.name }}_secret: \"{{ secret.stdout }}\"" path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
when: secret_test_grep.stdout == '0' line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
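Review bot: `openssl rand -hex 32` uses no shell features, so `command:` is the safer module for the inner task (ansible-lint's command-instead-of-shell); the registered result still carries the secret in `stdout`, so `no_log: true` is worth adding since the verbosity-2 debug task already covers deliberate inspection. The block and its first task share the name `Create secret for {{ item.name }}`, which makes skipped/changed output ambiguous; naming the block `Generate secret for {{ item.name }}` matches the other files in this commit.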


@ -1,99 +1,78 @@
- name: Test if k8s TSIG key exists - name: Generate K8s TSIG for Knot DNS
shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords['k8s_tsig'] is not defined
register: k8s_tsig_test_grep block:
- name: Generate k8s TSIG key for Knot DNS
docker_container:
name: keymgr
image: "{{ docker_registry }}/tsig"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
register: knot_container_output
- name: Set k8s_key
set_fact:
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
- name: Show k8s TSIG key
debug:
msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
- name: Write TSIG for Kubernetes
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
- name: Test if ddclinet TSIG key exists - name: Generate ddclient private and public TSIG keys for Knot DNS
shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when:
register: ddclient_tsig_test_grep - passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
block:
- name: Generate TSIG key for ddclient
docker_container:
name: ddclient
image: "{{ docker_registry }}/tsig"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
register: ddclient_container_output
- name: Set ddclient_key
set_fact:
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
- name: Show ddclient TSIG public key file
debug:
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
verbosity: 2
- name: Show ddclient TSIG private key file
debug:
msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
verbosity: 2
- name: Write ddclient TSIG public key file in base64
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
- name: Show ddclient TSIG key
debug:
msg: "{{ ddclient_tsig_key }}"
verbosity: 2
- name: Write ddclient TSIG key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
- name: Test if ddclinet TSIG key exists - name: Write ddclient TSIG private key file in base64
shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true lineinfile:
register: ddclient_tsig_public_key_test_grep path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
- name: Test if ddclinet TSIG key exists - name: Set ddclient TSIG key
shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true set_fact:
register: ddclient_tsig_private_key_test_grep ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
- name: Generate k8s TSIG key for Knot DNS
docker_container:
name: keymgr
image: "{{ docker_registry }}/tsig"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "keymgr -t {{ namespace }} hmac-sha512"
register: knot_container_output
when: k8s_tsig_test_grep.stdout == '0'
- name: Set k8s_key
set_fact:
k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
when: k8s_tsig_test_grep.stdout == '0'
- name: Show k8s TSIG key
debug:
msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
when: k8s_tsig_test_grep.stdout == '0'
- name: Write TSIG for Kubernetes
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
when: k8s_tsig_test_grep.stdout == '0'
- name: Generate TSIG key for ddclient
docker_container:
name: ddclient
image: "{{ docker_registry }}/tsig"
cleanup: true
detach: false
container_default_behavior: no_defaults
command: "bash tsig-key.sh {{ namespace }}"
register: ddclient_container_output
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Set ddclient_key
set_fact:
ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Show ddclient TSIG public key file
debug:
msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
verbosity: 2
when: ddclient_tsig_public_key_test_grep.stdout == '0'
- name: Show ddclient TSIG private key file
debug:
msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
verbosity: 2
when: ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Write ddclient TSIG public key file in base64
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
when: ddclient_tsig_public_key_test_grep.stdout == '0'
- name: Write ddclient TSIG private key file in base64
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
when: ddclient_tsig_private_key_test_grep.stdout == '0'
- name: Set ddclient TSIG key
set_fact:
ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
when: ddclient_tsig_test_grep.stdout == '0'
- name: Show ddclient TSIG key
debug:
msg: "{{ ddclient_tsig_key }}"
verbosity: 2
when: ddclient_tsig_test_grep.stdout == '0'
- name: Write ddclient TSIG key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
when: ddclient_tsig_test_grep.stdout == '0'
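Review bot: In the ddclient block, `ddclient_tsig_key` is consumed by `Show ddclient TSIG key` and by `Write ddclient TSIG key` (`line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""`) before the `Set ddclient TSIG key` set_fact that derives it from `ddclient_key` — at least in the order this page renders the new side; if the file really reads that way, the first run on a host without such a fact fails on an undefined variable, and the fix is to move that set_fact directly after `Set ddclient_key`. The block's `when` checks only the two base64 variables, so a passwords.yaml that has them but lacks `ddclient_tsig` is never repaired, while one that lacks the base64 pair gets second copies of any line that already exists because none of the `lineinfile` tasks has a `regexp`; anchors such as `regexp: '^ddclient_tsig:'` make the writes replacements. Separately, `Show k8s TSIG key` prints the HMAC secret with no `verbosity` guard, unlike every other key display in this commit; give it `verbosity: 2` or `no_log: true`.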


@ -1,47 +1,36 @@
- name: Test if VAPID private key exists - name: Generate VAPID keys
shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
register: vapid_private_key_test_grep block:
- name: Create VAPID keys
- name: Test if VAPID public key exists docker_container:
shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true name: vapid
register: vapid_public_key_test_grep image: "{{ docker_registry }}/pwgen"
cleanup: true
- name: Create VAPID keys detach: false
docker_container: container_default_behavior: no_defaults
name: vapid command: "/vapid"
image: "{{ docker_registry }}/pwgen" register: vapid_container_output
cleanup: true
detach: false - name: Set VAPID keys fact
container_default_behavior: no_defaults set_fact:
command: "/vapid" vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
register: vapid_container_output
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0' - name: Show VAPID private key
debug:
- name: Set VAPID keys fact msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
set_fact: verbosity: 2
vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0' - name: Show VAPID public key
debug:
- name: Show VAPID private key msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
debug: verbosity: 2
msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
verbosity: 2 - name: Write VAPID private key
when: vapid_private_key_test_grep.stdout == '0' lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
- name: Show VAPID public key line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
debug:
msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}" - name: Write VAPID public key
verbosity: 2 lineinfile:
when: vapid_public_key_test_grep.stdout == '0' path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
- name: Write VAPID private key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
when: vapid_private_key_test_grep.stdout == '0'
- name: Write VAPID public key
lineinfile:
path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
when: vapid_public_key_test_grep.stdout == '0'
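Review bot: As in the DKIM file, the `or` condition regenerates the whole VAPID pair when either half is missing, and the `lineinfile` writes have no `regexp`, so an existing `{{ item.name }}_vapid_private_key_base64`/`_public_key_base64` line is kept and a second one appended rather than replaced; add `regexp: "^{{ item.name }}_vapid_private_key_base64:"` and the public-key equivalent. A new VAPID pair also invalidates every push subscription issued under the old public key, which is worth a one-line comment on the block so nobody deletes one variable expecting a harmless re-run. The `docker_container` result carries the private key in `container.Output`, so `no_log: true` on that task keeps it out of default task output; the verbosity-2 debug already exists for deliberate inspection.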