fix(users): accept plaintext or pre-hashed passwords uniformly

2026-05-30 18:05:05 +02:00
parent c843f5289b
commit b1e938b7f0
2 changed files with 11 additions and 3 deletions


@@ -3,7 +3,8 @@
when: (system_cfg.root.password | default('') | string | length) > 0 when: (system_cfg.root.password | default('') | string | length) > 0
ansible.builtin.shell: >- ansible.builtin.shell: >-
set -o pipefail && set -o pipefail &&
echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e echo 'root:{{ system_cfg.root.password if (system_cfg.root.password | string)[:1] == "$" else system_cfg.root.password | password_hash("sha512") }}'
| {{ chroot_command }} /usr/sbin/chpasswd -e
args: args:
executable: /bin/bash executable: /bin/bash
register: configuration_root_result register: configuration_root_result
@@ -26,11 +27,15 @@
- name: Create user accounts - name: Create user accounts
vars: vars:
configuration_user_group: "{{ _configuration_platform.user_group }}" configuration_user_group: "{{ _configuration_platform.user_group }}"
# plaintext is hashed; a pre-computed crypt hash ($6$/$y$/...) passes through.
configuration_user_pw: >-
{{ item.value.password if (item.value.password | string)[:1] == '$'
else item.value.password | password_hash('sha512') }}
configuration_useradd_cmd: >- configuration_useradd_cmd: >-
{{ chroot_command }} /usr/sbin/useradd --create-home --user-group {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
--uid {{ 1000 + _idx }} --uid {{ 1000 + _idx }}
--groups {{ configuration_user_group }} {{ item.key }} --groups {{ configuration_user_group }} {{ item.key }}
{{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }} {{ ('--password ' ~ configuration_user_pw) if (item.value.password | default('') | string | length > 0) else '' }}
--shell {{ item.value.shell | default('/bin/bash') }} --shell {{ item.value.shell | default('/bin/bash') }}
ansible.builtin.command: "{{ configuration_useradd_cmd }}" ansible.builtin.command: "{{ configuration_useradd_cmd }}"
loop: "{{ system_cfg.users | dict2items }}" loop: "{{ system_cfg.users | dict2items }}"
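Review bot: The pass-through branch on the new `echo 'root:…'` line accepts any value whose first character is `$`, so an unvalidated string now lands inside a single-quoted shell argument where the old code only ever interpolated `password_hash` output. A value containing a quote or whitespace would alter the command, and a plaintext password that happens to start with `$` would be written unchanged into the hash field by `chpasswd -e`. The same prefix test feeds `configuration_user_pw` into the `useradd` argument list in the second hunk, where the `command` module splits the string into words. I would replace the prefix test with a format check such as `(pw | string) is match('^[$][0-9a-z]+[$][./A-Za-z0-9$=,+-]+$')` (with `pw` standing for the password variable), fail the task on anything else that starts with `$`, and pass the result through `| quote`. Both tasks continue outside the hunks, so whether they set `no_log: true` is not visible here; without it the rendered hash appears in task output.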


@@ -8,7 +8,10 @@ users:
- name: "{{ username }}" - name: "{{ username }}"
primary_group: "{{ username }}" primary_group: "{{ username }}"
groups: users groups: users
{% if attrs.sudo | default(false) | bool %} {% set _sudo = attrs.sudo | default(false) %}
{% if _sudo is string %}
sudo: "{{ _sudo }}"
{% elif _sudo | bool %}
sudo: "ALL=(ALL) NOPASSWD:ALL" sudo: "ALL=(ALL) NOPASSWD:ALL"
{% endif %} {% endif %}
{% if attrs.password | default('') | length > 0 %} {% if attrs.password | default('') | length > 0 %}
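Review bot: The new `{% if _sudo is string %}` branch emits every string verbatim, so values the old `| bool` test handled (`"true"`, `"yes"`, `"false"`, `""`) now become the literal sudo rule instead of selecting or skipping the `NOPASSWD` default. If this renders cloud-init style user-data, as the `users:` layout suggests, a string like `"false"` would end up as a rule line rather than disabling sudo. I would narrow the branch to `{% if _sudo is string and (_sudo | trim | lower) not in ['', 'true', 'false', 'yes', 'no', 'on', 'off', '1', '0'] %}` so boolean-looking strings still reach the `elif`. The value is also placed between double quotes unescaped, so a rule containing `"` or `\` yields broken or altered YAML; `sudo: {{ _sudo | to_json }}` emits a correctly quoted scalar. The rest of the user entry lies outside the hunk.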