From 1dabc4d7cb3099465847e2d1798ed48f08aae6c0 Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Wed, 27 Nov 2024 14:19:11 +0100 Subject: [PATCH] Fixing SSH passphrase --- inventory/dev/group_vars/all.yml | 1 - inventory/dev/group_vars/semaphore.yml | 3 +- inventory/local/group_vars/all.yml | 1 - inventory/local/group_vars/semaphore.yml | 2 +- inventory/test/group_vars/all.yml | 1 - inventory/test/group_vars/semaphore.yml | 8 +++++ provision.yml | 38 ++++++++++++++++++------ roles/api/tasks/credentials.yml | 19 +++++++----- roles/requirements.yml | 2 +- roles/semaphore/tasks/absent.yml | 1 + roles/semaphore/tasks/present.yml | 7 ++++- 11 files changed, 59 insertions(+), 24 deletions(-) diff --git a/inventory/dev/group_vars/all.yml b/inventory/dev/group_vars/all.yml index ab47f88..5c679a9 100644 --- a/inventory/dev/group_vars/all.yml +++ b/inventory/dev/group_vars/all.yml @@ -4,4 +4,3 @@ docker_users: docker_install_compose: true docker_install_compose_plugin: true server_name: "{{ ansible_fqdn | default(ansible_hostname) }}" -ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" diff --git a/inventory/dev/group_vars/semaphore.yml b/inventory/dev/group_vars/semaphore.yml index 8b7c7d0..0ffbcf9 100644 --- a/inventory/dev/group_vars/semaphore.yml +++ b/inventory/dev/group_vars/semaphore.yml @@ -3,10 +3,9 @@ semaphore_web_root: 'https://controller' semaphore_db_host: '127.0.0.1' nginx_add_repo: false -ssh_passphrase: "SomethingYouNeedToUse" +ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" use_docker: true -use_podman: false use_opentofu: true use_powershell: false use_terraform: false diff --git a/inventory/local/group_vars/all.yml b/inventory/local/group_vars/all.yml index ecbdee1..0149842 100644 --- a/inventory/local/group_vars/all.yml +++ b/inventory/local/group_vars/all.yml @@ -2,4 +2,3 @@ docker_install_compose: true docker_install_compose_plugin: true server_name: "{{ lookup('env', 'HOSTNAME') }}" -ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" 
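Review bot: `ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"` in inventory/dev/group_vars/semaphore.yml is shadowed for the semaphore hosts by the `set_fact` of the same name that provision.yml's new Semaphore play performs in pre_tasks, so the inventory value is effectively dead here; the same applies to the identical lines added in inventory/local/group_vars/semaphore.yml and inventory/test/group_vars/semaphore.yml, and keeping the play's pre_task as the single source avoids the two drifting apart. The removal of `use_podman: false` leaves any remaining `use_podman | bool` reference undefined, so the roles are worth checking for that name before merging. Since the replaced value was a hard-coded string in a committed inventory file, if a real passphrase ever stood in place of the placeholder in history, the key it protects should be regenerated rather than only re-sourced from the environment.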
diff --git a/inventory/local/group_vars/semaphore.yml b/inventory/local/group_vars/semaphore.yml index f1f9584..1aa3657 100644 --- a/inventory/local/group_vars/semaphore.yml +++ b/inventory/local/group_vars/semaphore.yml @@ -3,7 +3,7 @@ semaphore_web_root: 'https://20.224.75.82' semaphore_db_host: '127.0.0.1' nginx_add_repo: false -ssh_passphrase: "SomethingYouNeedToUse" +ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" use_docker: true use_opentofu: false diff --git a/inventory/test/group_vars/all.yml b/inventory/test/group_vars/all.yml index 919d623..f4768a6 100644 --- a/inventory/test/group_vars/all.yml +++ b/inventory/test/group_vars/all.yml @@ -2,4 +2,3 @@ docker_install_compose: true docker_install_compose_plugin: true server_name: acsNode -ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" diff --git a/inventory/test/group_vars/semaphore.yml b/inventory/test/group_vars/semaphore.yml index cba861c..dfa85ff 100644 --- a/inventory/test/group_vars/semaphore.yml +++ b/inventory/test/group_vars/semaphore.yml @@ -1,3 +1,11 @@ --- semaphore_web_root: 'https://controller' nginx_add_repo: false + +ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" + +use_docker: true +use_opentofu: true +use_powershell: false +use_terraform: false +terraform_ver: 1.9.8 diff --git a/provision.yml b/provision.yml index a513326..aa6af90 100755 --- a/provision.yml +++ b/provision.yml @@ -10,17 +10,20 @@ pre_tasks: - name: Lookup DB_PASS in environment variables + when: desired_state is not defined or desired_state == 'absent' ansible.builtin.set_fact: check_db_pass: "{{ lookup('env', 'DB_PASS') }}" no_log: true - name: Assert that DB_PASS is defined + when: desired_state is not defined or desired_state == 'absent' ansible.builtin.assert: that: - check_db_pass | length > 8 msg: | run this shell command before this playbook: - export DB_PASS=aVeryStrongDatabasePassword + read -sp "Enter database password: " DB_PASS && export DB_PASS ; echo + no_log: true roles: - role: postgres 
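Review bot: The new `when: desired_state is not defined or desired_state == 'absent'` on the DB_PASS lookup and assert in provision.yml skips the password check exactly when `desired_state == 'present'` is set explicitly, which reads inverted if the password is needed to create the database; if the intent is to require DB_PASS unless the stack is being removed, the condition should be `when: desired_state is not defined or desired_state == 'present'`. I cannot see how the postgres role consumes check_db_pass, so this is inferred from the play alone. The `no_log: true` on the set_fact keeps the value out of task output, but `check_db_pass` still lives in hostvars for the rest of the run, so no later task should echo it.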
@@ -30,6 +33,7 @@ become: true gather_facts: true tags: [tools] + tasks: - name: Install Docker when: use_docker | bool @@ -51,14 +55,6 @@ ansible.builtin.include_role: name: andrewrothstein.terraform -- name: Semaphore in Systemd - hosts: semaphore - become: true - gather_facts: true - roles: - - role: semaphore - tags: [semaphore] - - name: Reverse Proxy hosts: web become: true @@ -67,6 +63,30 @@ - role: nginx tags: [nginx] +- name: Semaphore in Systemd + hosts: semaphore + become: true + gather_facts: true + tags: [semaphore] + + pre_tasks: + - name: Lookup SSH_PASS in environment variables + ansible.builtin.set_fact: + ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}" + no_log: true + + - name: Assert that SSH_PASS is defined + ansible.builtin.assert: + that: + - ssh_passphrase | length > 8 + msg: | + run this shell command before this playbook: + read -sp "Enter ssh key passphrase: " SSH_PASS && export SSH_PASS ; echo + no_log: true + + roles: + - role: semaphore + - name: Configure Semaphore hosts: semaphore become: true diff --git a/roles/api/tasks/credentials.yml b/roles/api/tasks/credentials.yml index c11217d..0f21da9 100644 --- a/roles/api/tasks/credentials.yml +++ b/roles/api/tasks/credentials.yml @@ -1,15 +1,20 @@ --- -- name: "Read Ansible SSH key from system" +- name: Assert that ssh_passphrase.length > 8 + ansible.builtin.assert: + that: ssh_passphrase | length > 8 + msg: ssh_passphrase needs to conform + +- name: Read Ansible SSH key from system ansible.builtin.slurp: path: "/home/semaphore/.ssh/id_ed25519" register: "ssh_key_ansible" no_log: "{{ not debug }}" -- name: "Configure Key Store" +- name: Configure Key Store block: - - name: "Determine keys" + - name: Determine keys changed_when: false check_mode: false ansible.builtin.uri: 
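Review bot: The assert added at the top of roles/api/tasks/credentials.yml evaluates `ssh_passphrase | length > 8` without first checking that the variable exists, so a run where ssh_passphrase is undefined fails with an undefined-variable error instead of the assert message; `that: ssh_passphrase is defined and ssh_passphrase | length > 8` short-circuits and keeps the message. The message itself, `ssh_passphrase needs to conform`, does not state the requirement — `msg: ssh_passphrase must be set and longer than 8 characters (export SSH_PASS before running)` tells the operator what to fix. The same missing guard appears in the assert added to roles/semaphore/tasks/present.yml. Since provision.yml's Semaphore play already performs this check in pre_tasks with `no_log: true`, the two role-level copies could at least share one wording rather than three variants.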
@@ -18,9 +23,9 @@ headers: Cookie: "{{ cookie }}" status_code: 200 - register: "semaphore_keystores" + register: semaphore_keystores - - name: "Create SSH key for Controller" + - name: Create SSH key for Controller changed_when: "semaphore_key_ansible_created.status == 204" ansible.builtin.uri: url: "{{ semaphore_api_url }}/project/{{ semaphore_project_id }}/keys" @@ -45,7 +50,7 @@ when: - "semaphore_keystores.json | selectattr('name', 'equalto', 'Controller-ssh-key') | length == 0" - - name: "Read ssh key from system" + - name: Read ssh key from system delegate_to: localhost connection: local become: false @@ -55,7 +60,7 @@ register: "ssh_key_github" failed_when: false - - name: "Create SSH key for GitHub" + - name: Create SSH key for GitHub changed_when: "semaphore_key_github_created.status == 204" ansible.builtin.uri: use_proxy: false diff --git a/roles/requirements.yml b/roles/requirements.yml index 7353301..e3ec903 100644 --- a/roles/requirements.yml +++ b/roles/requirements.yml @@ -9,4 +9,4 @@ roles: version: 1.0.0 - src: bbaassssiiee.nginx_ssl name: nginx - version: 1.0.0 + version: 1.0.1 diff --git a/roles/semaphore/tasks/absent.yml b/roles/semaphore/tasks/absent.yml index 759ae6b..22df93f 100644 --- a/roles/semaphore/tasks/absent.yml +++ b/roles/semaphore/tasks/absent.yml @@ -41,6 +41,7 @@ ansible.builtin.user: name: semaphore state: absent + force: true - name: Remove semaphore package ansible.builtin.package: diff --git a/roles/semaphore/tasks/present.yml b/roles/semaphore/tasks/present.yml index 138d7ec..d52a15e 100644 --- a/roles/semaphore/tasks/present.yml +++ b/roles/semaphore/tasks/present.yml @@ -15,6 +15,11 @@ policy: targeted state: permissive +- name: Assert that ssh_passphrase.length > 8 + ansible.builtin.assert: + that: ssh_passphrase | length > 8 + msg: "{{ ssh_passphrase }} needs to conform." + - name: Create semaphore user ansible.builtin.user: name: semaphore 
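Review bot: `msg: "{{ ssh_passphrase }} needs to conform."` in the assert added to roles/semaphore/tasks/present.yml writes the passphrase itself into the failure output, and because the task carries no `no_log` it reaches the console and any callback or log target the controller is configured with; this undoes what the `no_log: true` on the same check in provision.yml achieves. Use a message that states the rule without echoing the value, e.g. `msg: ssh_passphrase must be longer than 8 characters (set SSH_PASS before running)`, which also aligns the wording with roles/api/tasks/credentials.yml.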
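Review bot: `force: true` on the `ansible.builtin.user` removal of the semaphore account in roles/semaphore/tasks/absent.yml behaves like `userdel --force`, which removes the account even while it is logged in and is documented as forcing removal of associated directories on supported platforms; if the goal is to make sure /home/semaphore (which holds the id_ed25519 key that roles/api/tasks/credentials.yml slurps) is cleaned up, state that explicitly with `remove: true` next to it so the key material is deleted by design rather than as a side effect of force. A one-line comment above the task saying why force is required would help the next reader. The task's `- name:` line is outside the hunk, so I am inferring its purpose from the module arguments shown.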
@@ -122,7 +127,7 @@ notify: - Restart semaphore -- name: Create semaphoreui SELinux policy +- name: Create Semaphoreui SELinux policy when: piet is defined block: - name: Copy policy files