feat!: disable facts injection for security purpose

2023-12-10 00:00:00 +00:00 · 2023-12-10 00:00:00 +00:00 · 0829d7807f
commit 0829d7807f
parent b33a29d0d9
9 changed files with 36 additions and 34 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
@ -10,12 +10,12 @@
    key: "{{ workstation.user_account }}"
    split: ":"
  changed_when: false
-  when: getent_passwd is undefined or workstation.user_account not in getent_passwd
+  when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']

 - name: '[setup] ensure expected home directories exist'
  become: true
  ansible.builtin.file:
-    path: "{{ getent_passwd[workstation.user_account][4] }}/{{ item }}"
+    path: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/{{ item }}"
    state: directory
    owner: "{{ workstation.user_account }}"
    group: "{{ workstation.user_account }}"
@ -147,7 +147,7 @@
  become_user: "{{ workstation.user_account }}"
  ansible.builtin.git:
    repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
-    dest: "{{ getent_passwd[workstation.user_account][4] }}/.emacs.d"
+    dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.emacs.d"
    force: false

 - name: '[config] set tools configuration'
@ -158,8 +158,8 @@
    dest: "{{ item.dest }}"
    mode: "{{ item.mode | default('0640') }}"
  loop:
-    - { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
-    - { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
+    - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }
+    - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }

 - name: '[authenticator] find if binary is already installed'
  ansible.builtin.file:
@ -213,7 +213,7 @@
    - name: '[yubico] create shell wrapper'
      ansible.builtin.template:
        src: ../templates/bin_wrapper.sh.j2
-        dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
+        dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
        mode: '0750'
        owner: "{{ workstation.user_account }}"
        group: "{{ workstation.user_account }}"
@ -223,14 +223,14 @@
    - name: '[yubico] create desktop entry'
      ansible.builtin.template:
        src: ../templates/desktop_app.j2
-        dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
+        dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
        mode: '0600'
        owner: "{{ workstation.user_account }}"
        group: "{{ workstation.user_account }}"
      vars:
        application:
          nodisplay: false
-          exec_cmd: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
+          exec_cmd: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
          name: "Authenticator"

 - include_tasks: window_manager.yml
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
@ -5,7 +5,7 @@
    key: "{{ workstation.user_account }}"
    split: ":"
  changed_when: false
-  when: getent_passwd is undefined or workstation.user_account not in getent_passwd
+  when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']

 - name: '[awesomewm] install dependencies'
  become: true
@ -130,14 +130,14 @@
    - name: '[awesomewm] fetch copycats base'
      ansible.builtin.git:
        repo: https://github.com/lcpz/awesome-copycats.git
-        dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
+        dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
        depth: 1
        recursive: true
        force: false
    - name: '[awesomewm] copy customization'
      ansible.builtin.copy:
        src: ../templates/.config/awesome/
-        dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
+        dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
        mode: '0640'

 - name: '[home] copy X related configuration'
@ -151,4 +151,4 @@
    - name: '[x11] user .xsession'
      ansible.builtin.copy:
        src: ../templates/.xsession
-        dest: "{{ getent_passwd[workstation.user_account][4] }}/.xsession"
+        dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.xsession"