feat!: disable facts injection for security purpose

2023-12-10 00:00:00 +00:00 · 2023-12-10 00:00:00 +00:00 · 0829d7807f
commit 0829d7807f
parent b33a29d0d9
9 changed files with 36 additions and 34 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
@ -5,13 +5,13 @@
    key: "{{ common.user_account }}"
    split: ":"
  changed_when: false
-  when: getent_passwd is undefined or common.user_account not in getent_passwd
+  when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']

 - name: '[home] create common directories'
  become: true
  become_user: "{{ common.user_account }}"
  ansible.builtin.file:
-    path: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
+    path: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
    state: directory
    mode: '0750'
  loop:
@ -27,14 +27,14 @@
    - name: '[home] git configuration'
      ansible.builtin.template:
        src: ../templates/home/.gitconfig.j2
-        dest: "{{ getent_passwd[common.user_account][4] }}/.gitconfig"
+        dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.gitconfig"
        mode: '0640'
      when: common.git.enable is truthy

    - name: '[home] basic files'
      ansible.builtin.copy:
        src: "../templates/home/{{ item.name }}"
-        dest: "{{ getent_passwd[common.user_account][4] }}/{{ item.name }}"
+        dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item.name }}"
        mode: "{{ item.mode | default('0640') }}"
      loop:
        - { name: ".lessfilter", mode: '0750' }
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
@ -5,7 +5,7 @@
    key: "{{ common.user_account }}"
    split: ":"
  changed_when: false
-  when: getent_passwd is undefined or common.user_account not in getent_passwd
+  when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']

 - name: '[shell] install ZSH and dependencies'
  become: true
@ -34,7 +34,7 @@
    - name: '[fonts] adding fonts'
      ansible.builtin.copy:
        src: ../assets/fonts/
-        dest: "{{ getent_passwd[common.user_account][4] }}/.local/share/fonts"
+        dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.local/share/fonts"
        mode: '0640'

    - name: '[fonts] refresh fonts cache'
@ -56,14 +56,14 @@
    - name: '[omz] install OMZ'
      ansible.builtin.command:
        cmd: sh /tmp/zsh-install.sh --unattended
-        creates: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh"
+        creates: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh"

 - name: '[shell] install powerlevel10k customization for OMZ'
  become: true
  become_user: "{{ common.user_account }}"
  ansible.builtin.git:
    repo: https://github.com/romkatv/powerlevel10k.git
-    dest: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
+    dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
    depth: 1

 - name: '[home] copy zsh files'
@ -71,7 +71,7 @@
  become_user: "{{ common.user_account }}"
  ansible.builtin.copy:
    src: "../templates/home/{{ item }}"
-    dest: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
+    dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
    mode: '0640'
  loop:
    - .p10k.zsh