Still need a lab, not just a lab, but VMs with a minimal install.<\/p>\n\n\n\n
One skill I have lost was building machines from scratch that don’t have the packages I need.<\/p>\n\n\n\n
I am working a bit on a playbook that can change passwords.<\/p>\n\n\n\n
---
- name: Securely change root password on multiple machines
hosts: all
become: yes
vars:
local_rpm_path: \"python3-passlib-1.7.4-9.el9.noarch.rpm\"
package_name: \"python3-passlib\"
vars_files:
- vault_root_passwords.yml
tasks:
- name: Gather installed package facts
ansible.builtin.package_facts:
manager: auto
- name: Copy RPM to target
ansible.builtin.copy:
src: \"{{ local_rpm_path }}\"
dest: \/tmp\/python3-passlib-1.7.4-9.el9.noarch.rpm
mode: '0644'
when: package_name not in ansible_facts.packages
- name: Install package from local RPM file if not installed
ansible.builtin.dnf:
name: \/tmp\/python3-passlib-1.7.4-9.el9.noarch.rpm
state: present
disable_gpg_check: true
when: package_name not in ansible_facts.packages
- name: Set unique root password per host
ansible.builtin.user:
name: root
password: \"{{ root_passwords[inventory_hostname] | password_hash('sha512') }}\"
no_log: true
- name: \"Support Password\"
ansible.builtin.user:
name: support
state: present
password: \"{{ support_password[inventory_hostname] | password_hash('sha512') }}\"
no_log: true
...
<\/pre>\n\n\n\nI needed that python3-passlib file what got me on the path of a small minimal install.<\/p>\n\n\n\n
Here is a sample of the vault_root_passwords.yml<\/p>\n\n\n\n
root_passwords:
lxhost01.retrodvr.com: arajmyisyeeng7
lxhost02.retrodvr.com: giojisthoc9
lxhost03.retrodvr.com: crersyijlirfuv5
support_password:
lxhost01.retrodvr.com: 3onagvakni
lxhost02.retrodvr.com: gejed4shlamegso
lxhost03.retrodvr.com: un5olwugus
<\/pre>\n\n\n\nI really used those passwords because it is easy to recreate a new one<\/p>\n\n\n\n
#!\/bin\/bash
HOSTNAMELIST=`ansible-vault view inventory | grep -v '^\\[' | awk '{print $1}';`
echo \"root_passwords:\"
for HOSTNAME in $HOSTNAMELIST
do
PASSWORD=`apg -n1 -m10 -x15 -MN`
echo \" $HOSTNAME: $PASSWORD\"
done
echo \"support_password:\"
for HOSTNAME in $HOSTNAMELIST
do
PASSWORD=`apg -n1 -m10 -x15 -MN`
echo \" $HOSTNAME: $PASSWORD\"
done
<\/pre>\n\n\n\nI do encrypt the vault_root_passwords.yml and sometimes the inventory file<\/p>\n\n\n\n
Remove old file\n rm vault_root_passwords.yml\n\nCreate emmpty file\n touch vault_root_passwords.yml\n\nLimit perms\n chmod 0600 vault_root_passwords.yml\n\nCreate Passwords file\n.\/makepwfile.sh > vault_root_passwords.yml\nansible-vault encrypt vault_root_passwords.yml\n<\/pre>\n\n\n\nWeight: 328.4<\/p>\n","protected":false},"excerpt":{"rendered":"
Still need a lab, not just a lab, but VMs with a minimal install. One skill I have lost was building machines from scratch that don’t have the packages I need. I am working a bit on a playbook that … Continue reading