Generate Wazuh password and encrypt the file at the end.

Author: MaxBed4d

etc/kayobe/ansible/scripts/pwgen.py

@@ -0,0 +1,41 @@
+import random
+import string
+import re
+
+# The password requirements required by Wazuh (wazuh/framework/wazuh/security.py)
+valid_password = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$')
+
+# Generate a random password containg at least one of each: 
+# special character, digit, lowercase letter, uppercase letter
+def pw_gen(pw_len):
+    random_pass = ([random.choice("@$!%*?&-_"),
+                    random.choice(string.digits),
+                    random.choice(string.ascii_lowercase),
+                    random.choice(string.ascii_uppercase),
+                    ]
+                    + [random.choice(string.ascii_lowercase
+                                    + string.ascii_uppercase
+                                    + "@$!%*?&-_"
+                                    + string.digits) for i in range(pw_len)])
+
+    random.shuffle(random_pass)
+    random_pass = ''.join(random_pass)
+    return random_pass
+
+# Check if the generated password meets the requirements
+def check_user_password(password):
+    if valid_password.match(password):
+        return True
+    else:
+        return False
+
+# Generate a password
+random_password = pw_gen(30)
+
+# Check if the generated password meets the requirements
+# if not, keep generating a new password until it does
+while not check_user_password(random_password):
+    #print("Password does not meet the requirements, creating a new one...")
+    random_password = pw_gen(30)
+else:
+    print(random_password)

etc/kayobe/ansible/templates/wazuh-secrets.yml.j2

@@ -7,7 +7,7 @@ secrets_wazuh:
   # Strengthen default wazuh api user pass
   wazuh_api_users:
     - username: "wazuh"
-      password: "{{ secrets_wazuh.wazuh_api_users[0].password | wazuh_password }}"
+      password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(wazuh_password) }}"
   # OpenSearch 'admin' user pass
   opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}"
   # OpenSearch 'kibanaserver' user pass

etc/kayobe/ansible/wazuh-secrets.yml

@@ -15,61 +15,27 @@
         state: directory
 
     - name: Generate a random password which meets the Wazuh password requirements
-      cmd: python3
-      stdin: |
-        import random
-        import string
-        import re
-
-        # The password requirements required by Wazuh (wazuh/framework/wazuh/security.py)
-        valid_password = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$')
-
-        # Generate a random password containg at least one of each: 
-        # special character, digit, lowercase letter, uppercase letter
-        def pw_gen(pw_len):
-            random_pass = ([random.choice("@$!%*?&-_"),
-                              random.choice(string.digits),
-                              random.choice(string.ascii_lowercase),
-                              random.choice(string.ascii_uppercase),
-                              ]
-                              + [random.choice(string.ascii_lowercase
-                                              + string.ascii_uppercase
-                                              + "@$!%*?&-_"
-                                              + string.digits) for i in range(pw_len)])
-
-            random.shuffle(random_pass)
-            random_pass = ''.join(random_pass)
-            return random_pass
-
-        # Check if the generated password meets the requirements
-        def check_user_password(password):
-          if valid_password.match(password):
-              return True
-          else:
-              return False
-        
-        # Generate a password
-        random_pass = pw_gen(30)
-
-        # Check if the generated password meets the requirements
-        # if not, keep generating a new password until it does
-        while not check_user_password(random_pass):
-            random_pass = pw_gen(30)
-          
-      register: random_pass
+      no_log: True
+      command:  
+        cmd: python3 scripts/pwgen.py
+      register: random_password
 
     - name: Store the valid password
+      no_log: True
       set_fact:
-        wazuh_password: "{{ random_pass }}"
+        wazuh_password: "{{ random_password.stdout }}"
 
     - name: Template new secrets
+      no_log: True
       template:
         src: wazuh-secrets.yml.j2
         dest: "{{ wazuh_secrets_path }}"
-      notify: Please encrypt keys
 
-  handlers:
-    - name: Please encrypt keys
-      debug:
-        msg: >-
-          Please encrypt the keys using Ansible Vault.
+    - name: In-place encrypt wazuh-secrets
+      copy:
+        content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+        dest: "{{ wazuh_secrets_path }}"
+        decrypt: false
+      vars:
+       ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+