setup - added password-randomizer script, fixes

setup/ReadMe.md

@@ -17,7 +17,22 @@ To install the pre-configured raspberry image you need to:
 * Download the image: <a href="https://drive.google.com/file/d/1MIoagaB4rKUwSbUtUW5E5ZUCCDU3k30S/view?usp=sharing">Google Drive</a>
 * Download and install the <a href="https://www.raspberrypi.com/software/">Raspberry Pi Imager</a> software on your computer (_or any other tool to flash images on a sd card_)
 * Flash the image on a sd card or <a href="https://docs.growautomation.eu/en/latest/setup/raspberry.html#ssd">ssd</a>
-* <a href="https://docs.growautomation.eu/en/latest/setup/find.html">Find the device on your network</a> and start using it!
+* <a href="https://docs.growautomation.eu/en/latest/setup/find.html">Find the device on your network</a>
+* Connect to the device over ssh => the default **password** is: '**Gr0w21736!**'
+* Run the password-randomization-script for more security:
+  * ```bash
+    sudo bash /var/lib/ga/setup/randomize_pwds.sh
+    ```
+  * After that it will ask you for a 'BECOME password' => this is the password you used to connect to the device (_see above_)!
+
+* Get the configured passwords:
+  * ```bash
+    sudo cat /etc/.ga_setup
+    # sudo rm /etc/.ga_setup  # to delete the file
+    ```
+    The '**user**' password is for the web-ui login!
+  * **You should delete this file** after you saved your passwords safely!
+* Start using it!
 
 
 ----
@@ -72,15 +87,15 @@ Just put it in the background, change what you want and bring the setup back to
 
 Type 'yes' and press enter to start the setup tasks.
 
-After that it will ask you for a 'BECOME password' => you need to **provide the password for a user with root privileges** on the target system!
+After that it will ask you for a 'BECOME password' => you need to **provide the password for a user with root privileges** on the target system! (_Default = 'raspberry'_)
 
 ##### Post install
 
-If you haven't set custom passwords -> you can find the randomly generated ones like this:
+If you haven't set custom passwords -> you can find the randomly generated one's like this:
 
 ```bash
-cat /etc/.ga_setup
-# rm /etc/.ga_setup  # to delete the file
+sudo cat /etc/.ga_setup
+# sudo rm /etc/.ga_setup  # to delete the file
 ```
 
 **You should delete this file** after you saved your passwords safely!

setup/pb_creds.yml

@@ -0,0 +1,39 @@
+---
+
+- name: Changing GrowAutomation Credentials
+  hosts: all
+  become: true
+  vars_files:
+    - './vars/main.yml'
+    - './vars/hardcoded.yml'
+  tasks:
+    # pre tasks
+    - name: GA | Setup | Installing script dependencies
+      ansible.builtin.apt:
+        name: "{{ ga_script_packages }}"
+        state: present
+
+    # password tasks
+    - name: GA | Setup | Moving old password file
+      ansible.builtin.command: "mv {{ ga_random_pwd_file }} {{ ga_random_pwd_file }}_{{ ansible_date_time.iso8601_basic_short }}"
+
+    - name: GA | Setup | Generating passwords
+      ansible.builtin.import_role:
+        name: setup
+        tasks_from: 'write_pwds.yml'
+
+    - name: GA | Setup | Updating passwords
+      ansible.builtin.import_role:
+        name: setup
+        tasks_from: 'update_pwds.yml'
+
+    # cleanup
+    - name: GA | Setup | Cleaning up temporary password files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ ga_tmp_pwd_file_sql_core }}"
+        - "{{ ga_tmp_pwd_file_sql_web }}"
+        - "{{ ga_tmp_pwd_file_django_user }}"
+        - "{{ ga_tmp_pwd_file_django_guest }}"

setup/pb_setup.yml

@@ -54,7 +54,7 @@
 
     - name: GA | Setup | Starting core service
       ansible.builtin.systemd:
-        name: 'ga_core.service'
+        name: "{{ ga_core_service }}"
         state: started
 
     # basic system setup

setup/randomize_pwds.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+set -e
+
+# GrowAutomation script to update credentials
+
+# just copy this script to the target system and execute it
+
+# written for debian/ubuntu
+# config changes:
+#   ga-settings can be changed by modifying the file ./vars/main.yml (before you run the installation script)
+#   if you want to install it on a remote system =>
+#     1. add your target host as an ansible host under './inventories/hosts.yml' and './inventories/host_vars/$HOSTNAME.yml' (you can copy the 'tmpl' host)
+#     2. run this script with the same host as argument (must be exactly the same as in the inventory)
+
+
+# package installation
+echo 'deb http://ppa.launchpad.net/ansible/ansible/ubuntu focal main' > /etc/apt/sources.list.d/ansible.list
+apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367
+apt update
+apt install python3 python3-requests git --yes
+apt-get install ansible --yes
+
+# provided config
+if [ -z $1 ]; then
+  TARGET_VERSION=`python3 <<EOF
+from requests import get
+print(get('https://api.github.com/repos/superstes/growautomation/tags').json()[0]['name'])
+EOF`
+
+else
+  TARGET_VERSION=$1
+fi
+
+if [ -z $2 ]; then
+  TARGET_HOST='localhost'
+else
+  TARGET_HOST=$2
+fi
+
+if [ $TARGET_HOST != 'localhost' ]; then
+  apt install sshpass --yes
+fi
+
+# downloading source code
+SETUP_DIR="/tmp/ga_$(date '+%Y-%m-%d')"
+if [ ! -d "$SETUP_DIR" ]
+then
+  git clone https://github.com/superstes/growautomation.git --depth 1 ${SETUP_DIR} --branch ${TARGET_VERSION}
+fi
+cd $SETUP_DIR/setup
+
+# installing ansible dependencies
+rm -rf /usr/lib/python3/dist-packages/ansible_collections  # removing unused ansible collections (~500MB..)
+ansible-galaxy collection install -r requirements.yml
+ansible-galaxy install -r requirements.yml --roles-path $SETUP_DIR/setup/roles
+
+# running ansible playbook
+ansible-playbook -K -i inventories/hosts.yml pb_creds.yml --limit ${TARGET_HOST} --extra-vars "ga_setup_clone_dir=${SETUP_DIR}" --extra-vars "ga_setup_release=${TARGET_VERSION}"

setup/roles/core/tasks/main.yml

@@ -31,9 +31,9 @@
     mode: "{{ item.mode }}"
     recurse: yes
   loop:
-  - {path: "{{ ga_core_path }}", mode: 0755}
-  - {path: "{{ ga_core_path_log }}", mode: 0775}
-  - {path: "{{ ga_core_path_venv }}", mode: 0750}
+  - {path: "{{ ga_core_path }}", mode: '0755'}
+  - {path: "{{ ga_core_path_log }}", mode: '0775'}
+  - {path: "{{ ga_core_path_venv }}", mode: '0750'}
 
 - name: GA | Core | Copying core-code
   ansible.posix.synchronize:
@@ -43,6 +43,13 @@
     rsync_path: 'sudo rsync'
     rsync_opts: ['--exclude=*.cnf', '--exclude=*.key', '--exclude=__pycache__/']
 
+- name: GA | Core | Copying setup-scripts
+  ansible.posix.synchronize:
+    src: "{{ ga_setup_clone_dir }}/setup"
+    dest: "{{ ga_core_path }}/"
+    recursive: yes
+    rsync_path: 'sudo rsync'
+
 - name: GA | Core | Setting privileges for core code
   ansible.builtin.file:
     path: "{{ ga_core_path }}/core"
@@ -95,7 +102,7 @@
 - name: GA | Core | Adding core service file
   ansible.builtin.template:
     src: 'templates/lib/systemd/system/ga_core.service.j2'
-    dest: '/lib/systemd/system/ga_core.service'
+    dest: "/lib/systemd/system/{{ ga_core_service }}"
 
 - name: GA | Core | Configuring update prerequisits
   ansible.builtin.import_tasks: update.yml
@@ -106,7 +113,7 @@
 
 - name: GA | Core | Enabling service
   ansible.builtin.systemd:
-    name: 'ga_core.service'
+    name: "{{ ga_core_service }}"
     enabled: yes
 
 - name: GA | Configure device support

setup/roles/core/tasks/update.yml

@@ -19,7 +19,7 @@
 - name: GA | Core | Update | Adding update service file
   ansible.builtin.template:
     src: 'templates/lib/systemd/system/ga_update.service.j2'
-    dest: '/lib/systemd/system/ga_update.service'
+    dest: "/lib/systemd/system/{{ ga_update_service }}"
 
 - name: GA | Core | Update | Copying update-code
   ansible.posix.synchronize:

setup/roles/core/templates/lib/systemd/system/ga_core.service.j2

@@ -2,7 +2,7 @@
 Description=GrowAutomation Service
 Documentation=https://docs.growautomation.eu
 Documentation=https://github.com/superstes/growautomation
-After=mariadb.service
+After={{ ga_sql_service }}
 StartLimitBurst=10
 StartLimitIntervalSec=630
 

setup/roles/core/templates/lib/systemd/system/ga_update.service.j2

@@ -2,7 +2,7 @@
 Description=GrowAutomation Update Service
 Documentation=https://docs.growautomation.eu
 Documentation=https://github.com/superstes/growautomation
-After=mariadb.service
+After={{ ga_sql_service }}
 
 [Service]
 Type=oneshot

setup/roles/setup/files/tmp/update_core_config.py

@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+# script to update the sql secret in the core config-file
+
+from sys import argv as sys_argv
+
+secret = sys_argv[1]
+
+from core.config.object.data.file import GaDataFile
+
+ConfigFile = GaDataFile()
+config = ConfigFile.get()
+config.update({'sql_secret': secret})
+ConfigFile.reset(data=config)

setup/roles/setup/tasks/setup_database.yml

@@ -38,8 +38,8 @@
           letsencrypt:
             email: "{{ ga_web_ssl_letsencrypt_mail }}"
           env_pythonpath: ["{{ ga_core_path }}"]
-          migration_pre_tasks: ['systemctl stop ga_core.service']
-          migration_post_tasks: ['systemctl start ga_core.service']
+          migration_pre_tasks: ["systemctl stop {{ ga_core_service }}"]
+          migration_post_tasks: ["systemctl start {{ ga_core_service }}"]
           python_modules:
             present: "{{ ga_django_mods }}"
           database:
@@ -59,6 +59,7 @@
     name: "{{ ga_sql_user_core }}"
     password: "{{ ga_sql_pwd_core }}"
     priv: "{{ ga_sql_db + '.*:ALL' }}"
+    state: 'present'
     login_unix_socket: "{{ ga_sql_socket }}"
   no_log: true
   when: