Render passwords dynamically

README.md

@@ -34,21 +34,9 @@ permissions to read/write it: `chmod 600 id_rsa`!**
 Users are stored in [encrypted users.yml file](inventory/group_vars/all/users.yml) with the following schema:
 ```yaml
 users:
-  user1_name:
-    - uuid: user1_uuid1
-      secret: user1_secret1
-    - uuid: user1_uuid2
-      secret: user1_secret2
-  user2_name:
-    - uuid: user2_uuid1
-      secret: user2_secret1
-    - uuid: user2_uuid2
-      secret: user2_secret2
-    - uuid: user2_uuid1
-      secret: user2_secret3
-  user3_name:
-    - uuid: user3_uuid1
-      secret: user3_secret1
+  user1_name: user1_uuid
+  user2_name: user2_uuid
+  user3_name: user3_uuid
 ```
 
 To create a new user, you should:

inventory/group_vars/all/vars.yml

@@ -4,7 +4,7 @@
 servers:
   - uuid: 7e24bc5f-3495-4773-a60c-0cf748383aa9
     # domain of server that will be put into config
-    domain: !vault |
+    host: !vault |
       $ANSIBLE_VAULT;1.1;AES256
       61373932633565623362373062346266313537623233353166333735646463363564616630386237
       3731386535333063376264653835363236663633643531660a363263383061633234393136623862
@@ -13,6 +13,6 @@ servers:
       3564
     remarks: "Server #1"
     # port of shadowsocks to be exposed and used publicly
-    ss_port: 443
+    port: 443
     # cipher to use in shadowsocks
-    ss_cipher: chacha20-ietf-poly1305
+    method: chacha20-ietf-poly1305

roles/frontman/tasks/main.yml

@@ -8,7 +8,7 @@
 
 - set_fact:
     static_root_local: "/tmp/{{ static_folder }}"
-    instruction_filename: "{{ ansible_date_time.iso8601_micro | to_uuid }}.html"
+    instruction_filename: "{{ lookup('community.general.random_string', length=32, special=False) }}.html"
 
 - set_fact:
     instruction_url: "https://{{ frontman_domain }}:{{ frontman_port }}/{{ instruction_filename }}"
@@ -45,21 +45,17 @@
   include_vars:
     file: inventory/group_vars/all/users.yml
 
-- set_fact:
-    clients: "{{ users | dict2items | map(attribute='value') | flatten }}"
-
 - name: Render configs
   delegate_to: localhost
   become: false
   template:
     src: config.json.j2
-    dest: "{{ static_root_local }}/{{ item.uuid }}"
-  with_items: "{{ clients }}"
+    dest: "{{ static_root_local }}/{{ item.value }}"
+  with_items: "{{ users | dict2items }}"
   loop_control:
     index_var: loop_index
   vars:
-    client: "{{ item }}"
-    prefix: "POST"
+    user_uuid: "{{ item.value }}"
     default_server: "{{ servers[loop_index % (servers | length)] }}"
 
 - name: Synchronize local static root with remote host

roles/frontman/templates/URIs.txt.j2

@@ -1,7 +1,3 @@
-{% for user in users.keys() %}
-{{ loop.index }}. {{ user }}:
-{% for config in users[user] %}
-  {{ loop.index }}. https://{{ frontman_domain }}:{{ frontman_port }}#{{ config.uuid }}
-{% endfor %}
-
+{% for user in users | dict2items %}
+{{ loop.index }}. {{ user.key }}: https://{{ frontman_domain }}:{{ frontman_port }}#{{ user.value }}
 {% endfor %}

roles/frontman/templates/config.json.j2

@@ -5,24 +5,24 @@
             {
                 "id": "{{ server.uuid }}",
                 "remarks": "{{ server.remarks }}",
-                "server": "{{ server.domain }}",
-                "server_port": {{ server.ss_port }},
-                "password": "{{ client.secret }}",
-                "method": "{{ server.ss_cipher }}"
+                "server": "{{ server.host }}",
+                "server_port": {{ server.port }},
+                "password": "{{ (user_uuid + server.port | string + server.method + server.uuid | string) | hash('sha512') }}",
+                "method": "{{ server.method }}"
             }
             {% if not loop.last %}
             ,
             {% endif %}
         {% endfor %}
     ],
 
-    "instruction_url": "https://{{ frontman_domain }}:{{ frontman_port }}/{{ instruction_filename }}#{{ client.uuid }}",
+    "instruction_url": "https://{{ frontman_domain }}:{{ frontman_port }}/{{ instruction_filename }}#{{ user_uuid }}",
 
     "comment": "the fields below are specifically for Outline client as it does not support the latest version of SIP008",
 
-    "method": "{{ default_server.ss_cipher }}",
-    "password": "{{ client.secret }}",
-    "prefix": "{{ prefix }}",
-    "server":"{{ default_server.domain }}",
-    "server_port":"{{ default_server.ss_port }}"
+    "method": "{{ default_server.method }}",
+    "password": "{{ (user_uuid + default_server.port | string + default_server.method + default_server.uuid | string) | hash('sha512') }}",
+    "prefix": "POST",
+    "server":"{{ default_server.host }}",
+    "server_port":"{{ default_server.port }}"
 }

roles/outline/templates/config.yml.j2

@@ -1,9 +1,7 @@
 keys:
-{% for ss_username in users.keys() %}
-{% for ss_client in users[ss_username] %}
-  - cipher: {{ server.ss_cipher }}
-    id: '{{ ss_username }}-{{ loop.index }}'
-    port: {{ server.ss_port }}
-    secret: {{ ss_client.secret }}
-{% endfor %}
+{% for user in users | dict2items %}
+  - cipher: {{ server.method }}
+    id: {{ user.key }}
+    port: {{ server.port }}
+    secret: {{ (user.value + server.port | string + server.method + server.uuid | string) | hash('sha512') }}
 {% endfor %}

roles/prometheus/templates/prometheus.service.j2

@@ -5,7 +5,7 @@ After=outline.service
 [Service]
 User={{ user }}
 WorkingDirectory=/home/{{ user }}
-ExecStart=/home/{{ user }}/{{ downloads[arch.stdout].directory }}/{{ executable_name }} --config.file /home/{{ user }}/config.yml --web.listen-address 0.0.0.0:{{ prometheus_port }} --web.external-url https://{{ server.domain }}:{{ prometheus_port }} --web.config.file /home/{{ user }}/web-config.yml --storage.tsdb.retention.time {{ retention }}
+ExecStart=/home/{{ user }}/{{ downloads[arch.stdout].directory }}/{{ executable_name }} --config.file /home/{{ user }}/config.yml --web.listen-address 0.0.0.0:{{ prometheus_port }} --web.external-url https://{{ server.host }}:{{ prometheus_port }} --web.config.file /home/{{ user }}/web-config.yml --storage.tsdb.retention.time {{ retention }}
 Restart=always
 
 [Install]