diff --git a/Makefile b/Makefile
index b5a7275..c9827e1 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,8 @@ SHELL := /bin/bash
 .DEFAULT_GOAL := help
+export EDITOR="nano"
+
 ANSIBLE ?= ansible-playbook
 ANSIBLE_ADHOC ?= ansible
 INVENTORY ?= inventory/hosts.yml
@@ -60,7 +62,7 @@ init: ## Создать inventory, group_vars и .vault_pass из примеро
 @echo "$(GREEN)Готово. Отредактируйте:$(NC)"
 @echo " inventory/hosts.yml"
 @echo " group_vars/all.yml"
- @echo " group_vars/hysteria2_servers/vault.yml → затем: make vault-encrypt"
+ @echo " group_vars/hysteria2_servers/vault.yml → затем: make vault-encrypt"
 check: ## Проверить синтаксис playbook
 $(ANSIBLE) playbook.yml --syntax-check $(VAULT_ARGS)
diff --git a/README.md b/README.md
index 731d64c..ab5329d 100644
--- a/README.md
+++ b/README.md
@@ -198,7 +198,7 @@ hysteria2_user_passwords:
 friend: "custom-password"
 ```
-3. **Автогенерация** — `pwgen -s 40`, если пароль не задан.
+3. **Автогенерация** — Ansible `password` lookup (длина `hysteria2_password_length`), если пароль не задан.
 При `make update` пароли подтягиваются из `output//server-info.yml`, если не указаны в vault/inventory.
diff --git a/group_vars/all.yml.example b/group_vars/all.yml.example
index 10756c4..1fa091b 100644
--- a/group_vars/all.yml.example
+++ b/group_vars/all.yml.example
@@ -2,7 +2,7 @@
 # Email для Let's Encrypt (ACME)
 hysteria2_acme_email: admin@example.com
-# Длина автогенерируемых паролей (pwgen)
+# Длина автогенерируемых паролей VPN-пользователей
 hysteria2_password_length: 40
 # Обновлять систему перед установкой (apt update && apt upgrade)
diff --git a/roles/hysteria2/defaults/main.yml b/roles/hysteria2/defaults/main.yml
index 2733dfc..bef6f3e 100644
--- a/roles/hysteria2/defaults/main.yml
+++ b/roles/hysteria2/defaults/main.yml
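Review bot: `export EDITOR="nano"` stores the value with the double quotes included, because Make does not strip quotes, and it unconditionally overrides whatever EDITOR the user already has set in their environment. If the intent is to give the vault-related targets a fallback editor, `export EDITOR ?= nano` keeps the user's own choice and passes a clean value; whether the quoted form happens to work depends on how the consuming program splits the string, so it should not be relied on. The variable block continues past the hunk, so I cannot tell whether anything else references EDITOR.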
@@ -9,7 +9,7 @@ hysteria2_acme_email: ""
 hysteria2_users: []
 # Опционально: фиксированные пароли { username: password }
-# Пустое значение или отсутствие ключа — автогенерация через pwgen
+# Пустое значение или отсутствие ключа — автогенерация на control node (Ansible password lookup)
 hysteria2_password_length: 40
 hysteria2_listen_port: 443
diff --git a/roles/hysteria2/tasks/install.yml b/roles/hysteria2/tasks/install.yml
index cd90d5d..8058948 100644
--- a/roles/hysteria2/tasks/install.yml
+++ b/roles/hysteria2/tasks/install.yml
@@ -11,7 +11,7 @@
 ansible.builtin.apt:
 upgrade: dist
-- name: Install curl, micro, pwgen and qrencode
+- name: Install curl, micro and qrencode
 ansible.builtin.apt:
 name: "{{ _hysteria2_apt_packages }}"
 state: present
@@ -19,7 +19,7 @@
 vars:
 _hysteria2_apt_packages: >-
 {{
- ['curl', 'micro', 'pwgen']
+ ['curl', 'micro']
 + (['qrencode'] if hysteria2_generate_qr_png | bool else [])
 }}
diff --git a/roles/hysteria2/tasks/users.yml b/roles/hysteria2/tasks/users.yml
index 0ad533c..ab8e2ab 100644
--- a/roles/hysteria2/tasks/users.yml
+++ b/roles/hysteria2/tasks/users.yml
@@ -60,16 +60,24 @@
 - update
 - export
-- name: Generate missing user passwords with pwgen
- ansible.builtin.command:
- cmd: "pwgen -s {{ hysteria2_password_length }} 1"
- register: _hysteria2_pwgen
- changed_when: false
- when: item.password | length == 0
+- name: Generate missing user passwords
+ ansible.builtin.set_fact:
+ _hysteria2_users_with_passwords: "{{ _hysteria2_users_with_passwords | default([]) + [ _entry ] }}"
+ vars:
+ _entry:
+ name: "{{ item.name }}"
+ password: >-
+ {{
+ lookup(
+ 'password',
+ '/dev/null chars=ascii_letters,digits length=' ~ (hysteria2_password_length | string)
+ )
+ if item.password | length == 0
+ else item.password
+ }}
 loop: "{{ hysteria2_resolved_users }}"
 loop_control:
 label: "{{ item.name }}"
- index_var: _hysteria2_user_idx
 tags:
 - install
 - update
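Review bot: The new "Generate missing user passwords" task accumulates into `_hysteria2_users_with_passwords | default([])` without ever resetting it, so if this task file runs a second time for the same host in one play (the role included twice, or an include inside a loop) the entries from the first pass survive and every user appears twice. A one-line `ansible.builtin.set_fact: { _hysteria2_users_with_passwords: [] }` task placed before the loop makes each pass start clean. Separately, the generated secrets now travel through `set_fact`, and the per-item results shown under `-v` appear to carry the full `ansible_facts`, while `loop_control.label` only trims the non-verbose line; adding `no_log: true` to this task keeps freshly generated passwords out of console output and CI logs. The task's tag list continues past the hunk, so I cannot see whether it also carries `export`.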
@@ -77,25 +85,7 @@
 - name: Apply generated passwords
 ansible.builtin.set_fact:
- hysteria2_resolved_users: "{{ hysteria2_resolved_users | default([]) + [ _entry ] }}"
- vars:
- _generated: >-
{{
- _hysteria2_pwgen.results[_hysteria2_user_idx].stdout | default('')
if (
- item.password | length == 0
- and not (_hysteria2_pwgen.results[_hysteria2_user_idx].skipped | default(false))
- )
- else item.password
- }}
- _entry:
- name: "{{ item.name }}"
- password: "{{ _generated }}"
- loop: "{{ hysteria2_resolved_users }}"
- loop_control:
- label: "{{ item.name }}"
- index_var: _hysteria2_user_idx
- when: _hysteria2_pwgen is defined
+ hysteria2_resolved_users: "{{ _hysteria2_users_with_passwords }}"
 tags:
 - install
 - update
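Review bot: `hysteria2_resolved_users: "{{ _hysteria2_users_with_passwords }}"` now runs unconditionally, since the old `when: _hysteria2_pwgen is defined` guard is removed, but `_hysteria2_users_with_passwords` is only ever assigned inside the loop of the preceding task. When `hysteria2_resolved_users` is empty (the role defaults ship `hysteria2_users: []`), that loop body never executes, the fact stays undefined, and this task aborts the play with an undefined-variable error instead of leaving the list empty. Changing the line to `hysteria2_resolved_users: "{{ _hysteria2_users_with_passwords | default([]) }}"` restores the previous tolerance of a host with no users. The task's tag list continues past the hunk.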