diff --git a/Makefile b/Makefile index b5a7275..c9827e1 100644 --- a/Makefile +++ b/Makefile @@ -5,6 +5,8 @@ SHELL := /bin/bash .DEFAULT_GOAL := help +export EDITOR="nano" + ANSIBLE ?= ansible-playbook ANSIBLE_ADHOC ?= ansible INVENTORY ?= inventory/hosts.yml @@ -60,7 +62,7 @@ init: ## Создать inventory, group_vars и .vault_pass из примеро @echo "$(GREEN)Готово. Отредактируйте:$(NC)" @echo " inventory/hosts.yml" @echo " group_vars/all.yml" - @echo " group_vars/hysteria2_servers/vault.yml → затем: make vault-encrypt" + @echo " group_vars/hysteria2_servers/vault.yml → затем: make vault-encrypt" check: ## Проверить синтаксис playbook $(ANSIBLE) playbook.yml --syntax-check $(VAULT_ARGS) diff --git a/README.md b/README.md index 1ce4e5b..62ff23b 100644 --- a/README.md +++ b/README.md @@ -195,7 +195,7 @@ hysteria2_user_passwords: friend: "custom-password" ``` -3. **Автогенерация** — `pwgen -s 40`, если пароль не задан. +3. **Автогенерация** — Ansible `password` lookup (длина `hysteria2_password_length`), если пароль не задан. При `make update` пароли подтягиваются из `output//server-info.yml`, если не указаны в vault/inventory. @@ -213,7 +213,7 @@ vault_hysteria2_obfs_passwords: ```yaml ``` -2. **Авто:** `pwgen -s 32` при первой установке +2. **Авто:** Ansible `password` lookup (`hysteria2_obfs_password_length`) при первой установке 3. **При update:** загружается из `output//server-info.yml` > **Важно:** obfs-пароль на сервере и клиенте должен **совпадать**. При `make update` без vault пароль сохраняется из предыдущего экспорта. diff --git a/group_vars/all.yml.example b/group_vars/all.yml.example index 167cb26..a134490 100644 --- a/group_vars/all.yml.example +++ b/group_vars/all.yml.example @@ -2,7 +2,7 @@ # Email для Let's Encrypt (ACME) hysteria2_acme_email: admin@example.com -# Длина автогенерируемых паролей (pwgen) +# Длина автогенерируемых паролей VPN-пользователей hysteria2_password_length: 40 # Обновлять систему перед установкой (apt update && apt upgrade) @@ -23,5 +23,5 @@ hysteria2_listen_port: 443 # Открывать порты в ufw ({{ hysteria2_listen_port }}/tcp и /udp) hysteria2_configure_firewall: true -# Длина пароля Salamander obfs (pwgen) +# Длина пароля Salamander obfs # hysteria2_obfs_password_length: 32 diff --git a/roles/hysteria2/defaults/main.yml b/roles/hysteria2/defaults/main.yml index e795a1c..05e1d78 100644 --- a/roles/hysteria2/defaults/main.yml +++ b/roles/hysteria2/defaults/main.yml @@ -14,7 +14,7 @@ hysteria2_users: [] # Опционально: фиксированные пароли { username: password } # Пароль обфускации Salamander (общий для сервера). -# Пусто — автогенерация через pwgen или загрузка из output//server-info.yml +# Пусто — автогенерация на control node (Ansible password lookup) или загрузка из output//server-info.yml hysteria2_obfs_password: "" hysteria2_password_length: 40 diff --git a/roles/hysteria2/tasks/install.yml b/roles/hysteria2/tasks/install.yml index cd90d5d..8058948 100644 --- a/roles/hysteria2/tasks/install.yml +++ b/roles/hysteria2/tasks/install.yml @@ -11,7 +11,7 @@ ansible.builtin.apt: upgrade: dist -- name: Install curl, micro, pwgen and qrencode +- name: Install curl, micro and qrencode ansible.builtin.apt: name: "{{ _hysteria2_apt_packages }}" state: present @@ -19,7 +19,7 @@ vars: _hysteria2_apt_packages: >- {{ - ['curl', 'micro', 'pwgen'] + ['curl', 'micro'] + (['qrencode'] if hysteria2_generate_qr_png | bool else []) }} diff --git a/roles/hysteria2/tasks/obfs.yml b/roles/hysteria2/tasks/obfs.yml index 0ed50f2..663e150 100644 --- a/roles/hysteria2/tasks/obfs.yml +++ b/roles/hysteria2/tasks/obfs.yml @@ -42,24 +42,17 @@ - update - export -- name: Generate Salamander obfs password with pwgen - ansible.builtin.command: - cmd: "pwgen -s {{ hysteria2_obfs_password_length }} 1" - register: _hysteria2_obfs_pwgen - changed_when: false +- name: Generate Salamander obfs password + ansible.builtin.set_fact: + hysteria2_obfs_password: >- + {{ + lookup( + 'password', + '/dev/null chars=ascii_letters,digits length=' ~ (hysteria2_obfs_password_length | string) + ) + }} when: hysteria2_obfs_password | length == 0 tags: - install - update - export - -- name: Apply generated Salamander obfs password - ansible.builtin.set_fact: - hysteria2_obfs_password: "{{ _hysteria2_obfs_pwgen.stdout }}" - when: - - _hysteria2_obfs_pwgen is defined - - not (_hysteria2_obfs_pwgen.skipped | default(false)) - tags: - - install - - update - - export diff --git a/roles/hysteria2/tasks/users.yml b/roles/hysteria2/tasks/users.yml index 0ad533c..ab8e2ab 100644 --- a/roles/hysteria2/tasks/users.yml +++ b/roles/hysteria2/tasks/users.yml @@ -60,16 +60,24 @@ - update - export -- name: Generate missing user passwords with pwgen - ansible.builtin.command: - cmd: "pwgen -s {{ hysteria2_password_length }} 1" - register: _hysteria2_pwgen - changed_when: false - when: item.password | length == 0 +- name: Generate missing user passwords + ansible.builtin.set_fact: + _hysteria2_users_with_passwords: "{{ _hysteria2_users_with_passwords | default([]) + [ _entry ] }}" + vars: + _entry: + name: "{{ item.name }}" + password: >- + {{ + lookup( + 'password', + '/dev/null chars=ascii_letters,digits length=' ~ (hysteria2_password_length | string) + ) + if item.password | length == 0 + else item.password + }} loop: "{{ hysteria2_resolved_users }}" loop_control: label: "{{ item.name }}" - index_var: _hysteria2_user_idx tags: - install - update @@ -77,25 +85,7 @@ - name: Apply generated passwords ansible.builtin.set_fact: - hysteria2_resolved_users: "{{ hysteria2_resolved_users | default([]) + [ _entry ] }}" - vars: - _generated: >- - {{ - _hysteria2_pwgen.results[_hysteria2_user_idx].stdout | default('') - if ( - item.password | length == 0 - and not (_hysteria2_pwgen.results[_hysteria2_user_idx].skipped | default(false)) - ) - else item.password - }} - _entry: - name: "{{ item.name }}" - password: "{{ _generated }}" - loop: "{{ hysteria2_resolved_users }}" - loop_control: - label: "{{ item.name }}" - index_var: _hysteria2_user_idx - when: _hysteria2_pwgen is defined + hysteria2_resolved_users: "{{ _hysteria2_users_with_passwords }}" tags: - install - update