Open piotrzarzycki21 opened 2 months ago
If we are going to do this, then we should also regenerate the public/private key pair from the template. Currently, password authentication is not enabled for SSH/SCP, and we use private key authentication instead. This could change based on our implementation of #113, but I think it is worth addressing this key. The key could be generated once for the user, and saved in the SHI application settings.
Also note the passwords for the Demo Admin and Dev User. We should consider whether we would rather keep the simple passwords here for the sandbox servers, though.
@JustinProminic suggested that we generate the password when Super.Human.Installer is first opened (and allow manual changes). This password will be in plaintext in Hosts.yml, so we don't want users reusing passwords from elsewhere and then finding it in plaintext later.
It is now possible for SHI to update the following variables with the latest hcl_domino_standalone_provisioner:
vagrant_user_pass: 'AUTOGENERATEDPASS'
vagrant_insert_key: true
https://developer.hashicorp.com/vagrant/docs/vagrantfile/ssh_settings#config-ssh-insert_key
https://developer.hashicorp.com/vagrant/docs/vagrantfile/ssh_settings#config-ssh-password
However, the gotcha is that the new SSH key is generated on the VM, not the Host, so I had to add a section to the post-provisioner Ruby section that updates the key:
That works in conjunction with this role: https://github.com/STARTcloud/startcloud_roles/blob/main/roles/lockdown/meta/main.yml
If you are worried about passing it to me in plain text, I can always drop the password_hash('sha512') function, and you can pass it to the variable yourself, hashed like that.
This role should always be the last role called, as Ansible doesn't like the key being changed on it.
If we run into issues, we can simply append the key instead of replacing it, in the authenticated_keys file, and have both, but in the long run.
Side note, should we also change the default password for the domino_admin_notes_id_password: variable? It's currently password. If so, should it match the above password? This password variable is used to create the ID, and is displayed in the welcome page. I have no use for it anywhere else, so it's up to you as to what you want this to be.
@MarkProminic added some provisioner/role updates in v0.1.23: #118
There are some hardcoded passwords in the Hosts.template.yml file - they should be removed and configured by the user during the process of server creation.
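
An added example, not code from this thread or from the provisioner: a Ruby sketch of generating a per-install password in place of a template default and producing the SHA-512 crypt string (`$6$...`) that Ansible's `password_hash('sha512')` filter emits, so the hash could be supplied instead of the plaintext. The helper names and the alphabet are assumptions, and it relies on the platform's crypt(3) supporting `$6$`.

```ruby
require 'securerandom'

# Constructed alphabet: look-alike characters (0/O, 1/l/I) are left out
# because the generated password is displayed to the user.
PASSWORD_ALPHABET =
  (('a'..'z').to_a + ('A'..'Z').to_a + ('2'..'9').to_a - %w[l I O]).freeze
# Characters crypt(3) accepts in a salt.
SALT_ALPHABET =
  (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + %w[. /]).freeze

# Hypothetical helper: pick `length` characters using the OS CSPRNG.
def random_string(alphabet, length)
  Array.new(length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Hypothetical helper: one fresh password per installation.
def generate_password(length = 20)
  random_string(PASSWORD_ALPHABET, length)
end

# Hypothetical helper: SHA-512 crypt hash with a fresh 16-character salt.
def sha512_crypt(password)
  prefix = "$6$#{random_string(SALT_ALPHABET, 16)}$"
  hashed = password.crypt(prefix)
  # Some platforms silently fall back to DES or return an error marker.
  unless hashed.is_a?(String) && hashed.start_with?(prefix)
    raise 'crypt(3) on this platform lacks SHA-512 ($6$) support'
  end
  hashed
end

# The stored hash carries its own salt, so it doubles as the salt argument.
def password_matches?(password, hashed)
  password.crypt(hashed) == hashed
end

if __FILE__ == $PROGRAM_NAME
  password = generate_password
  puts "plaintext (show once to the user): #{password}"
  puts "sha512 crypt hash: #{sha512_crypt(password)}"
end
```
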