Unlike with the 'test' flavour, where the 'test' user has sudo permissions on the system, with machines set up with the 'gitlab' flavour, which are intended to contact the outside world, we don't want that. More importantly though, we must not use the default root password which is set by the install script on such machines. Therefore, set the root password to a random one as part of the gitlab flavour task, thus only allowing SSH pubkey authentication for the root account. Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> --- guests/playbooks/update/tasks/gitlab.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/guests/playbooks/update/tasks/gitlab.yml b/guests/playbooks/update/tasks/gitlab.yml index 9a30140..db27966 100644 --- a/guests/playbooks/update/tasks/gitlab.yml +++ b/guests/playbooks/update/tasks/gitlab.yml @@ -62,3 +62,7 @@ enabled: yes when: ansible_service_mgr != 'systemd' +- name: Set random root password for security reasons + user: + name: root + password: '{{ lookup("password","/dev/null encrypt=sha512_crypt") }}' -- 2.25.1
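Review bot: The `password:` line of the new task is not idempotent. `lookup("password","/dev/null encrypt=sha512_crypt")` produces a fresh random value on every evaluation, so each run of the update playbook rewrites root's hash and reports the task as changed. The commit message gives the goal as leaving only SSH pubkey authentication for root, so a fixed unusable hash such as `password: '*'` (or `password_lock: yes` on the `user` module) would state that directly and settle after the first run. The task name "for security reasons" could also say what is being replaced, for example that it overrides the installer's default root password, so a later reader does not have to find this commit to understand it.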