GHP publish

roles/pwgen/defaults/main.yaml

@@ -0,0 +1,19 @@
+default_accounts:
+  - { name: openldap_admin }
+  - { name: openldap_config }
+  - { name: ldapbind }
+  - { name: nextcloud_admin }
+  - { name: nextcloud_ldap }
+  - { name: bitwarden_ldap }
+  - { name: gitea_admin }
+  - { name: gitea_ldap }
+  - { name: wikijs_ldap }
+  - { name: drone_admin }
+  - { name: chartmuseum_admin }
+  - { name: peertube_ldap }
+  - { name: peertube_admin }
+  - { name: systemuser }
+
+htpasswd_accounts:
+  - { name: pypiserver_admin }
+  - { name: adguard_admin }

roles/pwgen/tasks/dkim.yaml

@@ -0,0 +1,47 @@
+- name: Test if DKIM private key exists
+  shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: dkim_private_key_test_grep
+
+- name: Test if DKIM public key exists
+  shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: dkim_public_key_test_grep
+
+- name: Create DKIM keys
+  docker_container:
+    name: ddclient
+    image: "{{ docker_registry }}/pwgen"
+    cleanup: true
+    detach: false
+    container_default_behavior: no_defaults
+    command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
+  register: dkim_container_output
+  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
+
+- name: Set ddclient_key
+  set_fact:
+    dkim_keys: "{{ dkim_container_output.ansible_facts.docker_container.Output | from_yaml }}"
+  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
+
+- name: Show DKIM private key
+  debug:
+    msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
+    verbosity: 2
+  when: dkim_private_key_test_grep.stdout == '0' 
+
+- name: Show DKIM public key
+  debug:
+    msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
+    verbosity: 2
+  when: dkim_public_key_test_grep.stdout == '0' 
+
+- name: Write DKIM private key
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
+  when: dkim_private_key_test_grep.stdout == '0' 
+
+- name: Write DKIM public key
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
+  when: dkim_public_key_test_grep.stdout == '0' 

roles/pwgen/tasks/htpasswd.yaml

@@ -0,0 +1,46 @@
+- name: Test if password exists in file for {{ item.name }}
+  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: password_test_grep
+  
+- name: Test if password htpasswd hash exists in file for {{ item.name }}
+  shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: htpasswd_hash_test_grep
+
+- name: Create password for {{ item.name }}
+  shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+  register: password
+  when: password_test_grep.stdout == '0'
+
+- name: Show password json for {{ item.name }}
+  debug:
+    msg: "{{ password }}"
+    verbosity: 2
+  when: password_test_grep.stdout == '0'
+
+- name: Create bcrypt hash from password for {{ item.name }}
+  docker_container:
+    name: slappasswd
+    image: "{{ docker_registry }}/pwgen"
+    cleanup: true
+    detach: false
+    container_default_behavior: no_defaults
+    command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
+  register: docker_container_output
+  when: htpasswd_hash_test_grep.stdout == '0'
+
+- name: Show docker_container_output for {{ item.name }}
+  debug:
+    msg: "{{ docker_container_output }}"
+    verbosity: 2
+
+- name: Write password for {{ item.name }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "{{ item.name }}_password: \"{{ password.stdout }}\""
+  when: password_test_grep.stdout == '0'
+
+- name: Write htpasswd hash for {{ item.name }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.ansible_facts.docker_container.Output.split('\n')[0].split(':')[1] }}\""
+  when: htpasswd_hash_test_grep.stdout == '0'

roles/pwgen/tasks/main.yaml

@@ -0,0 +1,57 @@
+- name: Create passwords.yaml file
+  file: 
+    name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    state: touch
+
+- name: Create files directory for ddclient tsig
+  file: 
+    name: "{{ playbook_dir }}/files/{{ namespace }}"
+    state: directory
+
+- include_tasks: passwords.yaml
+  loop: "{{ default_accounts }}"
+
+- include_tasks: htpasswd.yaml
+  loop: "{{ htpasswd_accounts }}"
+
+- include_tasks: passwords.yaml
+  loop: "{{ openldap_custom_users }}"
+  when: openldap_custom_users is defined
+
+- include_tasks: passwords.yaml
+  loop: "{{ openldap_simple_users }}"
+  when: openldap_simple_users is defined
+
+- name: Test if  Drone rpc secret exists in file for {{ item }}
+  shell: grep -c "drone_rpc_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: rpc_secret_test_grep
+
+- name: Test if Drone database secret exists in file for {{ item }}
+  shell: grep -c "drone_database_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: database_secret_test_grep
+
+- name: Create Drone rpc secret for {{ item }}
+  shell: "< /dev/urandom tr -dc a-f0-9 | head -c${1:-128};echo;"
+  register: rpc_secret
+  when: rpc_secret_test_grep.stdout == '0'
+  
+- name: Create Drone database secret for {{ item }}
+  shell: "< /dev/urandom tr -dc a-f0-9 | head -c${1:-32};echo;"
+  register: db_secret
+  when: database_secret_test_grep.stdout == '0'
+
+- name: Write Drone rpc secret for {{ item }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "drone_rpc_secret: \"{{ rpc_secret.stdout }}\""
+  when: rpc_secret_test_grep.stdout == '0'
+
+- name: Write Drone database secret for {{ item }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "drone_database_secret: \"{{ db_secret.stdout }}\""
+  when: database_secret_test_grep.stdout == '0'
+
+- include_tasks: tsig.yaml
+
+- include_tasks: dkim.yaml

roles/pwgen/tasks/passwords.yaml

@@ -0,0 +1,46 @@
+- name: Test if password exists in file for {{ item.name }}
+  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: password_test_grep
+  
+- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }}
+  shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: pbkdf2_sha512_hash_test_grep
+
+- name: Create password for {{ item.name }}
+  shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+  register: password
+  when: password_test_grep.stdout == '0'
+
+- name: Show password json for {{ item.name }}
+  debug:
+    msg: "{{ password }}"
+    verbosity: 2
+  when: password_test_grep.stdout == '0'
+
+- name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
+  docker_container:
+    name: slappasswd
+    image: "{{ docker_registry }}/pwgen"
+    cleanup: true
+    detach: false
+    container_default_behavior: no_defaults
+    command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
+  register: docker_container_output
+  when: pbkdf2_sha512_hash_test_grep.stdout == '0'
+
+- name: Show docker_container_output for {{ item.name }}
+  debug:
+    msg: "{{ docker_container_output }}"
+    verbosity: 2
+
+- name: Write password for {{ item.name }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "{{ item.name }}_password: \"{{ password.stdout }}\""
+  when: password_test_grep.stdout == '0'
+
+- name: Write PBKDF2-SHA512 hash for {{ item.name }}
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.ansible_facts.docker_container.Output.split('\n')[0] }}\""
+  when: pbkdf2_sha512_hash_test_grep.stdout == '0'

roles/pwgen/tasks/tsig.yaml

@@ -0,0 +1,99 @@
+- name: Test if k8s TSIG key exists
+  shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: k8s_tsig_test_grep
+
+- name: Test if ddclinet TSIG key exists
+  shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: ddclient_tsig_test_grep
+
+- name: Test if ddclinet TSIG key exists
+  shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: ddclient_tsig_public_key_test_grep
+
+- name: Test if ddclinet TSIG key exists
+  shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  register: ddclient_tsig_private_key_test_grep
+
+- name: Generate k8s TSIG key for Knot DNS
+  docker_container:
+    name: keymgr
+    image: "{{ docker_registry }}/tsig"
+    cleanup: true
+    detach: false
+    container_default_behavior: no_defaults
+    command: "keymgr -t k8s hmac-sha512"
+  register: knot_container_output
+  when: k8s_tsig_test_grep.stdout == '0'
+
+- name: Set k8s_key
+  set_fact:
+    k8s_key: "{{ knot_container_output.ansible_facts.docker_container.Output | from_yaml }}"
+  when: k8s_tsig_test_grep.stdout == '0'
+
+- name: Show k8s TSIG key
+  debug:
+    msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
+  when: k8s_tsig_test_grep.stdout == '0'
+
+- name: Write TSIG for Kubernetes
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
+  when: k8s_tsig_test_grep.stdout == '0'
+
+- name: Generate TSIG key for ddclient
+  docker_container:
+    name: ddclient
+    image: "{{ docker_registry }}/tsig"
+    cleanup: true
+    detach: false
+    container_default_behavior: no_defaults
+    command: "bash tsig-key.sh {{ namespace }}"
+  register: ddclient_container_output
+  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
+
+- name: Set ddclient_key
+  set_fact:
+    ddclient_key: "{{ ddclient_container_output.ansible_facts.docker_container.Output | from_yaml }}"
+  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
+
+- name: Show ddclient TSIG public key file
+  debug:
+    msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
+    verbosity: 2
+  when: ddclient_tsig_public_key_test_grep.stdout == '0'
+
+- name: Show ddclient TSIG private key file
+  debug:
+    msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
+    verbosity: 2
+  when: ddclient_tsig_private_key_test_grep.stdout == '0'
+
+- name: Write ddclient TSIG public key file in base64
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
+  when: ddclient_tsig_public_key_test_grep.stdout == '0'
+
+- name: Write ddclient TSIG private key file in base64
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
+  when: ddclient_tsig_private_key_test_grep.stdout == '0'
+
+- name: Set ddclient TSIG key
+  set_fact:
+    ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
+  when: ddclient_tsig_test_grep.stdout == '0'
+
+- name: Show ddclient TSIG key
+  debug:
+    msg: "{{ ddclient_tsig_key }}"
+    verbosity: 2
+  when: ddclient_tsig_test_grep.stdout == '0'
+
+- name: Write ddclient TSIG key
+  lineinfile:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+    line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
+  when: ddclient_tsig_test_grep.stdout == '0'