Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Enhance the crypto-policy stuff to actually set the policy

Browse source 
Just writing a config file isn't enough, apparently. We need to
really call update-crypto-policies. This attempts to do so, but
only if it's really necessary, by using some handy check args.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
Adam Williamson 2020-10-29 11:12:01 -07:00
parent 1a1992462a
commit bb286d8099
1 changed files with 21 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

28
roles/base/tasks/crypto-policies.yml
View file

@ -1,10 +1,24 @@
- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
template:
dest: /etc/crypto-policies/config
src: crypto-policies-config
owner: root
mode: 644
when: ansible_distribution_major_version|int >= 33
- name: Check current crypto-policy
command: "update-crypto-policies --show"
register: currentcryptopolicy
failed_when: "1 != 1"
changed_when: "1 != 1"
tags:
- crypto-policies
- base/crypto-policies
- name: Check if policy is applied
command: "update-crypto-policies --is-applied"
register: cryptopolicyapplied
failed_when: "1 != 1"
changed_when: "1 != 1"
tags:
- crypto-policies
- base/crypto-policies
- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
command: "update-crypto-policies --set LEGACY"
when: "(ansible_distribution_major_version|int >= 33) and (currentcryptopolicy.stdout.find("LEGACY") == -1 or cryptopolicyapplied.rc != 0)"
tags:
- crypto-policies
- base/crypto-policies