From 7884ac47cf9d7826ae9a54dd4315681ad3ea8c3b Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Tue, 21 Oct 2025 11:33:44 -0400
Subject: [PATCH] Refactored git configuration tasks, converting them to lockdown role tasks, and replaced playbook prompt variables with lockdown role variabls
---
.ansible/roles/lockdown/defaults/main.yml | 2 +
.ansible/roles/lockdown/tasks/git.yml | 147 +++++++++----------
playbooks/init_login.yml | 165 +++-------------------
3 files changed, 96 insertions(+), 218 deletions(-)
diff --git a/.ansible/roles/lockdown/defaults/main.yml b/.ansible/roles/lockdown/defaults/main.yml
index 4cdbbee..a8728d4 100644
--- a/.ansible/roles/lockdown/defaults/main.yml
+++ b/.ansible/roles/lockdown/defaults/main.yml
@@ -8,7 +8,9 @@ create_users: ssh_pubkey_filename_pattern: '.*\.pub' include_root_lock: yes gpg_private_keys_origin_host: localhost +ssh_keypairs_origin_host: localhost gpg_origin_private_keyids: [] # @NOTE list of gpg key ids from origin or source server gpg_origin_private_key_passwords: "{{ vaulted_gpg_origin_private_key_passwords }}" # @NOTE list of gpg key passwords from origin or source server +ssh_origin_keypairs_filenames: [] # @NOTE list of basenames (filename sans extension) of SSH keypairs git_config_name: ~ # @NOTE: has equivalent field under lockdown role vars example YAML file, but different value git_config_email: ~ # @NOTE: has equivalent field under lockdown role vars example YAML file, but different value
\ No newline at end of file
diff --git a/.ansible/roles/lockdown/tasks/git.yml b/.ansible/roles/lockdown/tasks/git.yml
index 97d5678..98e4676 100644
--- a/.ansible/roles/lockdown/tasks/git.yml
+++ b/.ansible/roles/lockdown/tasks/git.yml
@@ -1,4 +1,4 @@ -# 'preferred_gpg_signing_key' -> 'gpg_preferred_signing' +# 'preferred_signing_key' -> 'gpg_preferred_signing' # 'gpg_or_ssh_git_signing' -> 'git_signing_key_type' - name: Install git package ansible.builtin.package:
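Review bot: The `# @NOTE` on the new `ssh_origin_keypairs_filenames` default leaves out the constraints the git tasks place on it: each entry is interpolated as a path component under `~/.ssh/` on both `ssh_keypairs_origin_host` and the managed host, and the list order is what `preferred_signing_key` indexes into. Suggested comment: `# @NOTE list of basenames (no extension, no path separators) of SSH keypairs under ~/.ssh on ssh_keypairs_origin_host; list order is the index preferred_signing_key selects`. `ssh_keypairs_origin_host` sits beside `gpg_private_keys_origin_host` and presumably plays the same role for SSH; one naming scheme for the two would make that pairing obvious.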
@@ -22,102 +22,107 @@ when: git_signing_key_type == "gpg" block: - name: Configure specified git signing GPG key - when: preferred_gpg_signing_key > -1 + when: preferred_signing_key > -1 community.general.git_config: name: user.signingkey scope: global state: present - value: "{{ gpg_origin_private_keyids[preferred_gpg_signing_key] }}" + value: "{{ gpg_origin_private_keyids[preferred_signing_key] }}" + register: selected_signing_key - name: Configure random git signing GPG key - when: preferred_gpg_signing_key <= -1 + when: preferred_signing_key <= -1 community.general.git_config: name: user.signingkey scope: global state: present value: "{{ gpg_origin_private_keyids | random }}" - register: randomized_gpg_key_preference + register: selected_signing_key - name: Configure git signing SSH key when: git_signing_key_type == "ssh" block: - name: Acquire SSH key-pairs from other system when: not files_mode block: - - name: Acquire private SSH keys from other system - delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs declaration/definition - ansible.builtin.command: - argv: - - cat - - ~/.ssh/"{{ item }}.ppk" - loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename - register: ssh_secrets - - name: Find SSH public keys in other system - delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs declaration/definition - ansible.builtin.command: - argv: - - cat - - ~/.ssh/"{{ item }}.pub" - loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename - register: ssh_nonsecrets - - name: Create private SSH keys - ansible.builtin.copy: - content: "{{ item }}" - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk" - force: yes - backup: yes - mode: "0600" - state: 
present - loop: "{{ ssh_secrets.results }}" - register: created_ssh_private_keys - - name: Create public SSH keys - ansible.builtin.copy: - content: "{{ item }}" - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub" - force: yes - backup: yes - mode: "0644" - state: present - loop: "{{ ssh_nonsecrets.results }}" - register: created_ssh_public_keys + - name: Acquire private SSH keys from other system + delegate_to: "{{ ssh_keypairs_origin_host }}" + ansible.builtin.command: + argv: + - cat + - "~/.ssh/{{ item }}.ppk" + loop: "{{ ssh_origin_keypairs_filenames }}" + register: ssh_secrets + - name: Find SSH public keys in other system + delegate_to: "{{ ssh_keypairs_origin_host }}" + ansible.builtin.command: + argv: + - cat + - "~/.ssh/{{ item }}.pub" + loop: "{{ ssh_origin_keypairs_filenames }}" + register: ssh_nonsecrets + - name: Create private SSH keys + ansible.builtin.copy: + content: "{{ item }}" + dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ ssh_origin_keypairs_filenames[idx] }}.ppk" + force: yes + backup: yes + mode: "0600" + state: present + loop: "{{ ssh_secrets.results }}" + loop_control: + index_var: idx + register: created_ssh_private_keys + - name: Create public SSH keys + ansible.builtin.copy: + content: "{{ item }}" + dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ ssh_origin_keypairs_filenames[idx] }}.pub" + force: yes + backup: yes + mode: "0644" + state: present + loop: "{{ ssh_nonsecrets.results }}" + loop_control: + index_var: idx + register: created_ssh_public_keys - name: Acquire SSH key-pairs when: files_mode block: - - name: Transfer private SSH keys - ansible.builtin.copy: - src: files/all/ssh/id_ed25519_git.ppk # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk" - force: yes - backup: yes - mode: "0600" - state: present - register: created_ssh_private_key - - name: Transfer public SSH keys - 
ansible.builtin.copy: - src: files/all/ssh/id_ed25519_git.pub # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub" - force: yes - backup: yes - mode: "0644" - state: present - register: created_ssh_public_key + - name: Transfer private SSH keys + ansible.builtin.copy: + src: ssh/{{ item }}.ppk + dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ item }}.ppk" + force: yes + backup: yes + mode: "0600" + state: present + loop: "{{ ssh_origin_keypairs_filenames }}" + loop_control: + index_var: idx + register: created_ssh_private_keys + - name: Transfer public SSH keys + ansible.builtin.copy: + src: ssh/{{ item }}.pub + dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ item }}.pub" + force: yes + backup: yes + mode: "0644" + state: present + loop: "{{ ssh_origin_keypairs_filenames }}" + loop_control: + index_var: idx + register: created_ssh_public_keys - name: Configure acquired, specified SSH public key as git signing key - when: ssh_preferred_signing > -1 and not files_mode + when: preferred_signing_key > -1 community.general.git_config: name: user.signingkey scope: global state: present - value: "{{ created_ssh_public_keys.results[ssh_preferred_signing] }}" # @TODO this variable needs declaration/definition + value: "{{ created_ssh_public_keys.results[preferred_signing_key] }}" + register: selected_signing_key - name: Configure acquired, random SSH public key as git signing key - when: ssh_preferred_signing <= -1 and not files_mode + when: preferred_signing_key <= -1 community.general.git_config: name: user.signingkey scope: global state: present - value: "{{ created_ssh_public_keys.results | random }}" # @TODO this variable needs declaration/definition - register: randomized_ssh_pubkey_preference - - name: Configure transferred SSH public key as git signing key - when: ssh_preferred_signing <= -1 and files_mode - 
community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ created_ssh_public_key.dest }}" + value: "{{ created_ssh_public_keys.results | random }}" + register: selected_signing_key
diff --git a/playbooks/init_login.yml b/playbooks/init_login.yml
index 475f21d..fb57438 100644
--- a/playbooks/init_login.yml
+++ b/playbooks/init_login.yml
@@ -18,28 +18,16 @@ ansible_python_interpreter: “{{ ansible_playbook_python }}” personal_computers: locals # @NOTE can change to *_households group or {{ name }}_{{ surname }} group name vars_prompt: - - name: gpg_import_passwords - prompt: Enter space-wrapped colon -separated list of GPG private key passwords - unsafe: yes - private: yes - name: gpg_or_ssh_git_signing prompt: Enter preferred signing key type (e.g., ssh or gpg) unsafe: yes private: no default: "ssh" - - name: gpg_preferred_signing + - name: git_preferred_signing prompt: Enter index or number of preferred signing key (negative number for random) unsafe: yes private: no default: -1 - - name: git_config_name - prompt: Enter name for your git configuration - unsafe: yes - private: no - - name: git_config_email - prompt: Enter email for your git configuration - unsafe: yes - private: no tasks: - name: Disable shell access for root ansible.builtin.include_role:
@@ -105,7 +93,7 @@ tags: - default - source_sys_bashrc - - name: Start XDG configuration tasks if in servers group + - name: Start XDG configuration tasks if current host in servers group when: "'servers' in group_names and ansible_connection != 'local'" become: yes block:
@@ -135,7 +123,7 @@ - default - create_xdg_config - servers_exclusive - - name: Start XDG configuration tasks if current host in specified group + - name: Start XDG configuration tasks if current host is local or personal when: "personal_computers in group_names or ansible_connection == 'local'" become: yes block:
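Review bot: In the new "Create private SSH keys" and "Create public SSH keys" tasks, `content: "{{ item }}"` writes the registered command result mapping (the element of `ssh_secrets.results` / `ssh_nonsecrets.results`) rather than the key text, so the files under `~/.ssh/` will not hold a usable key; the value should be `item.stdout`. The two "Configure acquired, … SSH public key as git signing key" tasks have the same shape of problem: they put a copy-module result mapping into `user.signingkey`, whereas the files_mode branch this commit removes used `.dest`, so `.dest` should be selected on both the indexed and the `| random` form. The `cat` of the private key on the origin host and the copy that writes it both expose key material in task output and in the registered variable; `no_log: true` on those tasks keeps it out of logs, and if `gpg.format` is not set to `ssh` elsewhere, git will still try to treat the key as a GPG key id. `loop_control: index_var: idx` on the files_mode transfer tasks is unused and can be dropped. The `when: git_signing_key_type == "gpg"` context at the top belongs to a block whose header is outside this hunk.

```yaml
      - name: Acquire private SSH keys from other system
        delegate_to: "{{ ssh_keypairs_origin_host }}"
        no_log: true  # private key text must not reach task output or registered-variable dumps
        # … unchanged: command argv / loop / register …
      - name: Create private SSH keys
        no_log: true
        ansible.builtin.copy:
          content: "{{ item.stdout }}"  # item is the registered command result, not the key text
          # … unchanged: dest / force / backup / mode / state / loop / loop_control / register …
      - name: Create public SSH keys
        ansible.builtin.copy:
          content: "{{ item.stdout }}"
          # … unchanged: dest / force / backup / mode / state / loop / loop_control / register …
      # … unchanged: files_mode transfer tasks (without the unused loop_control/index_var) …
      - name: Configure acquired, specified SSH public key as git signing key
        when: preferred_signing_key > -1
        community.general.git_config:
          # … unchanged: name / scope / state …
          value: "{{ created_ssh_public_keys.results[preferred_signing_key].dest }}"
        register: selected_signing_key
      - name: Configure acquired, random SSH public key as git signing key
        when: preferred_signing_key <= -1
        community.general.git_config:
          # … unchanged: name / scope / state …
          value: "{{ (created_ssh_public_keys.results | random).dest }}"
        register: selected_signing_key
```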
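Review bot: The prompts keep the names `gpg_or_ssh_git_signing` and `git_preferred_signing` while the role they now feed reads `git_signing_key_type` and `preferred_signing_key` (the mapping comment at the top of git.yml records exactly this), which forces the include at the end of the playbook to re-map them through a `vars:` shim; naming the prompts after the role variables would let the role pick them up directly. Prompt answers presumably arrive as text even though `default: -1` is numeric, so whichever name is kept, the value needs an `| int` cast before the role compares it with `-1`.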
@@ -165,7 +153,7 @@ - default - create_xdg_config - locals_exclusive - - name: Start SSH configuration tasks if current host in specified group + - name: Start SSH configuration tasks if current host is local or personal when: "personal_computers in group_names or ansible_connection == 'local'" become: yes block: 
@@ -191,139 +179,22 @@ vars_from: main handlers_from: main tasks_from: gpg - vars: - gpg_keys_origin_host: localhost - gpg_origin_private_key_passwords: "{{ gpg_import_passwords | split(' : ') }}" tags: - default - import_gpg_privkeys - # @TODO separate below task as lockdown role task, and maybe associated variables to lockdown role defaults/vars dirs - # @NOTE below depends on variable 'gpg_signing_key' and 'gpg_or_ssh_git_signing' from 'vars_prompt' playbook field - # @NOTE below depends on variable 'gpg_origin_private_keyids' and 'files_mode' found in lockdown role defaults/vars dirs - - name: Install and configure git - block: - - name: Install git package - ansible.builtin.package: - name: git - state: latest - - name: Configure git installation - block: - - name: Configure git name - community.general.git_config: - name: user.name - scope: global - state: present - value: "{{ git_config_name }}" - - name: Configure git email - community.general.git_config: - name: user.email - scope: global - state: present - value: "{{ git_config_email }}" - - name: Configure git signing key - block: - - name: Configure git signing GPG key - when: gpg_or_ssh_git_signing == "gpg" - block: - - name: Configure specified git signing GPG key - when: gpg_preferred_signing > -1 - community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ gpg_origin_private_keyids[gpg_preferred_signing] }}" - - name: Configure random git signing GPG key - when: gpg_preferred_signing <= -1 - community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ gpg_origin_private_keyids | random }}" - register: randomized_gpg_key_preference - - name: Configure git signing SSH key - when: gpg_or_ssh_git_signing == "ssh" - block: - - name: Acquire SSH key-pairs from other system - when: not files_mode - block: - - name: Acquire private SSH keys from other system - delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs 
declaration/definition - ansible.builtin.command: - argv: - - cat - - ~/.ssh/"{{ item }}.ppk" - loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename - register: ssh_secrets - - name: Find SSH public keys in other system - delegate_to: "{{ ssh_keypairs_origin_host }}" # @TODO variable needs declaration/definition - ansible.builtin.command: - argv: - - cat - - ~/.ssh/"{{ item }}.pub" - loop: "{{ ssh_origin_keypairs_paths }}" # @TODO variable needs declaration/definition--should have max 2 items each without file extension, with private and then public keys having same basename - register: ssh_nonsecrets - - name: Create private SSH keys - ansible.builtin.copy: - content: "{{ item }}" - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk" - force: yes - backup: yes - mode: "0600" - state: present - loop: "{{ ssh_secrets.results }}" - register: created_ssh_private_keys - - name: Create public SSH keys - ansible.builtin.copy: - content: "{{ item }}" - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub" - force: yes - backup: yes - mode: "0644" - state: present - loop: "{{ ssh_nonsecrets.results }}" - register: created_ssh_public_keys - - name: Acquire SSH key-pairs - when: files_mode - block: - - name: Transfer private SSH keys - ansible.builtin.copy: - src: files/all/ssh/id_ed25519_git.ppk # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir - dest: "{{ ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.ppk" - force: yes - backup: yes - mode: "0600" - state: present - register: created_ssh_private_key - - name: Transfer public SSH keys - ansible.builtin.copy: - src: files/all/ssh/id_ed25519_git.pub # @TODO change path if and when moved into lockdown role task file and create corresponding file in lockdown role files dir - dest: "{{ 
ansible_facts['user_dir'] }}/.ssh/id_ed25519_git.pub" - force: yes - backup: yes - mode: "0644" - state: present - register: created_ssh_public_key - - name: Configure acquired, specified SSH public key as git signing key - when: ssh_preferred_signing > -1 and not files_mode - community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ created_ssh_public_keys.results[ssh_preferred_signing] }}" # @TODO this variable needs declaration/definition - - name: Configure acquired, random SSH public key as git signing key - when: ssh_preferred_signing <= -1 and not files_mode - community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ created_ssh_public_keys.results | random }}" # @TODO this variable needs declaration/definition - register: randomized_ssh_pubkey_preference - - name: Configure transferred SSH public key as git signing key - when: ssh_preferred_signing <= -1 and files_mode - community.general.git_config: - name: user.signingkey - scope: global - state: present - value: "{{ created_ssh_public_key.dest }}" + - name: Set up git + ansible.builtin.include_role: + name: lockdown + defaults_from: main + vars_from: main + handlers_from: main + tasks_from: git + vars: + git_signing_key_type: gpg_or_ssh_git_signing + preferred_signing_key: git_preferred_signing + tags: + - default + - configure_git +
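Review bot: The `vars:` on the new "Set up git" include pass the literal strings `gpg_or_ssh_git_signing` and `git_preferred_signing`, not the prompted values, so inside the role `git_signing_key_type == "gpg"` and `== "ssh"` are both false (no signing key is configured) and `preferred_signing_key > -1` compares a string with an integer. They should be templated, and the prompt answer cast since it arrives as text: `git_signing_key_type: "{{ gpg_or_ssh_git_signing }}"` and `preferred_signing_key: "{{ git_preferred_signing | int }}"`. The include also passes no `git_config_name`/`git_config_email`, whose role defaults are `~`; presumably the role's vars file supplies them as the defaults comment suggests, but that is worth confirming before `user.name`/`user.email` are written.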