mkpasswd and deploying on the system you are running ansible from

[ispanos]

I've been working on a bash script to install arch and I was thinking that maybe I should consider switching to ansible, just to learn how to use it. I watched a couple of tutorials which were way too basic, but reading your site.yml file gave me a great understanding of how I can make my own. *Thank you!

I run mkpasswd --method=sha-512 1 100 times and got 100 different results. Is that expected? Also on scale from 1-100 how save is it to store hashed passwords in public? ( The second question may be a but stupid, but I have to ask.

Can I use this playbook on the same system I want to configure? In general I know that's possible. I'm just not sure if this is going to be the case for an arch installation.

[jsf9k]

Thanks for the issue @ispanos. It's great to hear that this repository was useful for someone else!

It is expected that mkpasswd --method=sha-512 1 give different results each time you run it. The reason is that the command does not specify the salt to use, so mkpasswd is using a different set of random bytes for the salt each time it is run. If you instead run mkpasswd --method=sha-512 1 11111111, where you have specified 11111111 as the value to use as the salt, then you will get the same result each time. The salt is stored with the hash, and you generally want to let mkpasswd use random values just to mix things up a little more.

I think it's fairly safe to store SHA-512 password hashes in public. The whole idea behind cryptographic hash functions is that they be easy to compute but extremely difficult to reverse. I think SHA-512 hashes are still sufficiently secure that only a nation-state would potentially have the resources to crack it. If I had a particularly sensitive system I wouldn't store the hashes in public, but in this case the convenience far outweighs the risk for me.

You could probably use this playbook on the same system that you want to configure. It might be a little tricky since you have to boot via the Arch install media, then reboot into your installation once you set everything up, but it should be possible.

[ispanos]

Thanks for explaining things. I don't suppose there is an AUR wrapper module to use for AUR packages. I haven't spend much time thinking about it, but your playbook, as I understand it, isn't supposed to be used as-is. My script (doen't have LVM/LUKS functionality yet) is made in a way that anyone can use it by changing 2 variables in line 20-21. The rest is handled automatically or via prompts. I've done it this way cause I can use in on any new computer, without having to prepare anything ahead of time. I even have a solution in case I don't want to use Network Manager.

I was thinking that the same could be done with a small python script to create inventory.yml and the password file. In addition to that, maybe this way you can add support for not UEFI systems. Do you think it's possible, or way too much work to be worth doing? I'm asking so I can save my self some time before I realize that its not worth doing it this way?

[jsf9k]

There aren't any built-in Ansible modules for dealing with the AUR, but a quick search turned up a few in GitHub:

• kewlfft/ansible-aur
• austinhyde/ansible-packer

You're correct that my playbook requires an inventory file with a few variables defined. And it does not support non-UEFI systems right now since I don't have any here at home. The changes you describe aren't something that I need, but they seem reasonable, so feel free to fork or clone the repo and make it your own if you want.