From 8b31b52dc330d4b9fe5d28f0ff1315ca89d523f0 Mon Sep 17 00:00:00 2001
From: ace
Date: Thu, 2 Mar 2023 21:32:58 +0300
Subject: [PATCH] add secrets

---
 roles/harbor/defaults/main.yaml | 2 +-
 roles/pwgen/defaults/main.yaml | 4 ++++
 roles/pwgen/tasks/main.yaml | 3 +++
 roles/pwgen/tasks/secrets.yaml | 20 ++++++++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 roles/pwgen/tasks/secrets.yaml

diff --git a/roles/harbor/defaults/main.yaml b/roles/harbor/defaults/main.yaml
index 544ccd3..8b14305 100644
--- a/roles/harbor/defaults/main.yaml
+++ b/roles/harbor/defaults/main.yaml
@@ -98,7 +98,7 @@ harbor_default_values:
   harborAdminPassword: "{{ harbor_admin_pass | default(harbor_admin_password) }}"
   # The secret key used for encryption. Must be a string of 16 chars.
-  secretKey: "{{ harbor_encription_key | default('not-a-secure-key') }}"
+  secretKey: "{{ harbor_secret | default('not-a-secure-key') }}"
   jobservice:
     maxJobWorkers: 32
diff --git a/roles/pwgen/defaults/main.yaml b/roles/pwgen/defaults/main.yaml
index ff896e9..9a5c05b 100644
--- a/roles/pwgen/defaults/main.yaml
+++ b/roles/pwgen/defaults/main.yaml
@@ -17,6 +17,10 @@ default_accounts:
   - { name: harbor_admin }
   - { name: systemuser }
+secret_keys:
+  - { name: peertube }
+  - { name: harbor }
+
 htpasswd_accounts:
   - { name: pypiserver_admin }
   - { name: adguard_admin }
diff --git a/roles/pwgen/tasks/main.yaml b/roles/pwgen/tasks/main.yaml
index ff9153c..ae7dafa 100644
--- a/roles/pwgen/tasks/main.yaml
+++ b/roles/pwgen/tasks/main.yaml
@@ -11,6 +11,9 @@
 - include_tasks: passwords.yaml
   loop: "{{ default_accounts }}"
+- include_tasks: secrets.yaml
+  loop: "{{ secret_keys }}"
+
 - include_tasks: htpasswd.yaml
   loop: "{{ htpasswd_accounts }}"
diff --git a/roles/pwgen/tasks/secrets.yaml b/roles/pwgen/tasks/secrets.yaml
new file mode 100644
index 0000000..4b9a7a6
--- /dev/null
+++ b/roles/pwgen/tasks/secrets.yaml
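Review bot: The renamed `harbor_secret` is produced by roles/pwgen/tasks/secrets.yaml with `openssl rand -hex 32`, i.e. a 64-character hex string, while the comment directly above this line says `secretKey` must be a string of exactly 16 chars, so the new wiring feeds Harbor a key of the wrong length (whether Harbor rejects or truncates it is not visible here). Either generate the length this consumer needs or take a fixed slice: `secretKey: "{{ (harbor_secret | default('not-a-secure-key'))[:16] }}"`. The `default('not-a-secure-key')` fallback also means any host where the pwgen role did not run (or where the grep-based existence check in secrets.yaml skipped generation) silently deploys a well-known key; `"{{ harbor_secret | mandatory }}"` would fail the play instead. Inventories that still set the old `harbor_encription_key` lose it without warning after this rename, so a transition such as `default(harbor_encription_key)` before the final default is worth considering. The `harbor_default_values` mapping continues outside the hunk.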
@@ -0,0 +1,20 @@
+- name: Test if secret exists in file for {{ item.name }}
+  shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: secret_test_grep
+
+- name: Create secret for {{ item.name }}
+  shell: "openssl rand -hex 32"
+  register: secret
+  when: secret_test_grep.stdout == '0'
+
+- name: Show secret json for {{ item.name }}
+  debug:
+    msg: "{{ secret }}"
+    verbosity: 2
+  when: secret_test_grep.stdout == '0'
+
+- name: Write secret for {{ item.name }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
+    when: secret_test_grep.stdout == '0'
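Review bot: The freshly generated secret is exposed in controller output: the `Create secret` task registers the raw `openssl` stdout and has no `no_log: true`, so Ansible prints the full result at `-v`; the `Show secret json` task prints it again at `-vv`, and the `Write secret` task's `line` argument appears in module-argument output at higher verbosity. The existence check is also fragile: if `passwords.yaml` does not exist yet, `grep` prints nothing on stdout and `|| true` masks the error, so `stdout` is `''` rather than `'0'`, every `when` is false and no secret is ever written — the consuming role then silently falls back to its insecure default (`default('not-a-secure-key')` in roles/harbor). `grep -c "^harbor_secret"` additionally matches any key that merely starts with that name; anchoring on the trailing `:` avoids a false "already present". The value lands in `group_vars/all/passwords.yaml` in plaintext, so that file should be vault-encrypted before it is committed, and the `mode` on it is never set here. The rewritten tasks below add `no_log`, tolerate the missing-file case, tighten the match, and drop the debug task since it only exists to print the secret.

```yaml
- name: Test if secret exists in file for {{ item.name }}
  shell: grep -c "^{{ item.name }}_secret:" "{{ inventory_dir }}/group_vars/all/passwords.yaml" 2>/dev/null || true
  register: secret_test_grep
  changed_when: false

- name: Create secret for {{ item.name }}
  shell: "openssl rand -hex 32"
  register: secret
  no_log: true
  # '' means passwords.yaml does not exist yet; '0' means no matching key
  when: secret_test_grep.stdout in ['', '0']

- name: Write secret for {{ item.name }}
  lineinfile:
    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
    line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
    create: true
    mode: "0600"
  no_log: true
  when: secret_test_grep.stdout in ['', '0']
```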