Moonshine-IDE / Super.Human.Installer

Super.Human.Installer helps you install the latest and greatest HCL Domino technologies easily.
https://superhumaninstaller.com/

Remove hardcoded passwords from Hosts.template.yml #114

Open piotrzarzycki21 opened 2 months ago

piotrzarzycki21 commented 2 months ago

There are some hardcoded passwords in the Hosts.template.yml file - they should be removed and configured by the user during the process of server creation.

JoelProminic commented 2 months ago

If we are going to do this, then we should also regenerate the public/private key pair from the template. Currently, password authentication is not enabled for SSH/SCP, and we use private key authentication instead. This could change based on our implementation of #113, but I think it is worth addressing this key. The key could be generated once for the user, and saved in the SHI application settings.

Also note the passwords for the Demo Admin and Dev User. We should consider whether we would rather keep the simple passwords here for the sandbox servers, though.

JoelProminic commented 2 months ago

@JustinProminic suggested that we generate the password when Super.Human.Installer is first opened (and allow manual changes). This password will be in plaintext in Hosts.yml, so we don't want users reusing passwords from elsewhere and then finding it in plaintext later.

MarkProminic commented 1 month ago

It is now possible for SHI to update the following variables with the latest hcl_domino_standalone_provisioner:

vagrant_user_pass: 'AUTOGENERATEDPASS'
vagrant_insert_key: true

https://developer.hashicorp.com/vagrant/docs/vagrantfile/ssh_settings#config-ssh-insert_key
https://developer.hashicorp.com/vagrant/docs/vagrantfile/ssh_settings#config-ssh-password

However, the gotcha is that the new SSH key is generated on the VM, not the Host, so I had to add a section to the post-provisioner Ruby section that updates the key:

https://github.com/STARTcloud/core_provisioner/blob/30b2856e58c0b297877114fdd06dc75a85716499/Hosts.rb#L337-L339

That works in conjunction with this role: https://github.com/STARTcloud/startcloud_roles/blob/main/roles/lockdown/meta/main.yml

If you are worried about passing it to me in plain text, I can always drop the password_hash('sha512') function, and you can pass it to the variable yourself, hashed like that.

https://github.com/STARTcloud/startcloud_roles/blob/c2b6fcb8db11eed9d1995b241c91294e96f98495/roles/lockdown/tasks/main.yml#L15

This role should always be the last role called, as Ansible doesn't like the key being changed on it.

If we run into issues, we can simply append the key instead of replacing it, in the authenticated_keys file, and have both, but in the long run.

Side note: should we also change the default password for the domino_admin_notes_id_password: variable? It's currently password. If so, should it match the above password? This password variable is used to create the ID, and is displayed in the welcome page. I have no use for it anywhere else, so it's up to you as to what you want this to be.
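Added example, not code from this thread or from Super.Human.Installer: a Ruby version of the flow discussed in the comments above, which generates a random password, substitutes it for the `AUTOGENERATEDPASS` placeholder, and reports any password key still holding a default. The key names and placeholder come from the thread; the sample YAML layout, the weak-value list and all function names are assumptions.

```ruby
require "securerandom"
require "yaml"
# Constructed sample; the real Hosts.template.yml layout is assumed, not copied.
SAMPLE_TEMPLATE = <<~YAML
  hosts:
    - settings:
        vagrant_user_pass: 'AUTOGENERATEDPASS'
        vagrant_insert_key: true
      vars:
        domino_admin_notes_id_password: 'password'
YAML

PLACEHOLDER = "AUTOGENERATEDPASS"
# Assumed list of values treated as hardcoded defaults (placeholder included).
WEAK_VALUES = (%w[password changeme admin vagrant] << PLACEHOLDER.downcase).freeze
PASSWORD_KEY = /(_pass|_password)\z/

# Random alphanumeric password from the OS CSPRNG.
def generate_password(length = 24)
  SecureRandom.alphanumeric(length)
end

# Walk parsed YAML; yield (path, hash, key) for each string-valued password key.
def each_password(node, path = [], &block)
  case node
  when Hash
    node.each do |k, v|
      if k.to_s.match?(PASSWORD_KEY) && v.is_a?(String)
        yield path + [k], node, k
      else
        each_password(v, path + [k], &block)
      end
    end
  when Array then node.each_with_index { |v, i| each_password(v, path + [i], &block) }
  end
end

# Replace only the placeholder; values the user set manually are left alone.
def fill_placeholders(config, password)
  each_password(config) { |_path, h, k| h[k] = password if h[k] == PLACEHOLDER }
  config
end

# Return dotted paths of password keys that still hold a default value.
def audit(config)
  findings = []
  each_password(config) { |path, h, k| findings << path.join(".") if WEAK_VALUES.include?(h[k].downcase) }
  findings
end
```

Running `audit` after `fill_placeholders` on the sample still reports `domino_admin_notes_id_password`, the default raised in the side note above.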

JoelProminic commented 1 month ago

@MarkProminic added some provisioner/role updates in v0.1.23: #118