From 8e83c58eb1511bd81d658a720f575decddf942c2 Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Fri, 5 Sep 2025 00:44:47 -0400
Subject: [PATCH] Created some playbooks, a master playbook file, and a vars directory
---
 playbooks/admin_login.yml | 17 +++++++++++++++++
 playbooks/group_vars/servers/main.yml.example | 7 +++++++
 playbooks/manage_root.yml | 16 ++++++++++++++++
 playbooks/master.yml | 5 +++++
 playbooks/vars/ssh_keys.yml | 4 ++++
 5 files changed, 49 insertions(+)
 create mode 100644 playbooks/admin_login.yml
 create mode 100644 playbooks/group_vars/servers/main.yml.example
 create mode 100644 playbooks/manage_root.yml
 create mode 100644 playbooks/master.yml
 create mode 100644 playbooks/vars/ssh_keys.yml
diff --git a/playbooks/admin_login.yml b/playbooks/admin_login.yml
new file mode 100644
index 0000000..272a9de
--- /dev/null
+++ b/playbooks/admin_login.yml
@@ -0,0 +1,17 @@
+---
+- hosts: servers4 # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
+ vars_files:
+ # - vars/ssh_keys_vault.yml
+ - vars/ssh_keys.yml
+ vars:
+ ansible_ssh_private_key_file: "{{ chosen_native_ssh_private_key_file | default(chosen_local_ssh_private_key_file, true) }}"
+ tasks:
+ - name: Disable shell access for root
+ ansible.builtin.include_role:
+ name: lockdown
+ defaults_from: main
+ vars_from: main
+ handlers_from: main
+ tasks_from: deshell
+ apply:
+ become: yes
\ No newline at end of file
diff --git a/playbooks/group_vars/servers/main.yml.example b/playbooks/group_vars/servers/main.yml.example
new file mode 100644
index 0000000..59999dd
--- /dev/null
+++ b/playbooks/group_vars/servers/main.yml.example
@@ -0,0 +1,7 @@
+---
+passwords:
+ - username: senpai
+ password: "{{ vaulted_passwords.senpai.password }}"
+ansible_user: "{{ passwords[0].username }}"
+local_ssh_private_key_files: [] # @NOTE list paths to SSH private keys
+chosen_local_ssh_private_key_file: "{{ local_private_key_files | random }}"
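Review bot: The `default(chosen_local_ssh_private_key_file, true)` fallback in `ansible_ssh_private_key_file` probably never engages: `chosen_native_ssh_private_key_file` is defined in playbooks/vars/ssh_keys.yml (same patch) as `native_ssh_private_key_files | random`, that list ships as `[]`, and as far as I know `random` over an empty sequence raises during templating rather than yielding an empty value for `default` to replace — worth confirming with a run that has no native key configured. If the intent is "native key if any, else local key", test the list directly, e.g. `ansible_ssh_private_key_file: "{{ (native_ssh_private_key_files | random) if native_ssh_private_key_files else chosen_local_ssh_private_key_file }}"`. Also, `become: yes` under `apply:` should be the canonical boolean `become: true`, and giving the play a `name:` next to `hosts: servers4` would make it identifiable in `--list-tasks` output and logs.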
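Review bot: `chosen_local_ssh_private_key_file` references `local_private_key_files`, but the key defined one line above is `local_ssh_private_key_files`, so the variable will fail with an undefined-variable error the first time it is templated; it should read `chosen_local_ssh_private_key_file: "{{ local_ssh_private_key_files | random }}"`. Because this is the `.example` file users copy into place, the typo will propagate into every real group_vars/servers/main.yml. The `[]` default feeding `| random` has the same empty-list problem, so extending the existing note to `# @NOTE list paths to SSH private keys; must be non-empty before running admin_login.yml` would make the expectation explicit.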
diff --git a/playbooks/manage_root.yml b/playbooks/manage_root.yml
new file mode 100644
index 0000000..4a3209b
--- /dev/null
+++ b/playbooks/manage_root.yml
@@ -0,0 +1,16 @@
+---
+- hosts: servers4 # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
+ remote_user: root # MUST be run as root
+ roles:
+ - lockdown
+ # tasks:
+ # - name: Set up sys-admin account on VPS and secure VPS
+ # ansible.builtin.include_role:
+ # name: lockdown
+ # defaults_from: main
+ # vars_from: main
+ # handlers_from: main
+ # tasks_from: main
+ # tags:
+ # - init
+ 
\ No newline at end of file
diff --git a/playbooks/master.yml b/playbooks/master.yml
new file mode 100644
index 0000000..1152770
--- /dev/null
+++ b/playbooks/master.yml
@@ -0,0 +1,5 @@
+---
+- name: Lock down VPS
+ ansible.builtin.import_playbook: manage_root.yml
+- name: Disable shell for root
+ ansible.builtin.import_playbook: admin_login.yml
\ No newline at end of file
diff --git a/playbooks/vars/ssh_keys.yml b/playbooks/vars/ssh_keys.yml
new file mode 100644
index 0000000..9901f8d
--- /dev/null
+++ b/playbooks/vars/ssh_keys.yml
@@ -0,0 +1,4 @@
+---
+native_ssh_private_keys: "{{ vaulted_native_ssh_private_keys }}"
+native_ssh_private_key_files: []
+chosen_native_ssh_private_key_file: "{{ native_ssh_private_key_files | random }}"
\ No newline at end of file
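Review bot: `remote_user: root # MUST be run as root` may not hold for hosts in the `servers` group: the group_vars example in this same patch sets `ansible_user: "{{ passwords[0].username }}"`, and an inventory `ansible_user` is, to my knowledge, applied ahead of the play-level `remote_user` keyword, so once group_vars is populated the lockdown role could connect as the admin account instead of root — confirm with `-vvv` which login user the connection actually uses. If root is genuinely required, pin it at play scope where it outranks inventory, e.g. `vars:` / `ansible_user: root`, and state in the comment why root (rather than the admin user plus `become: true`) is needed. The commented-out `# tasks:` block duplicates what `roles: - lockdown` already does and should be deleted rather than carried as dead text (history keeps it), and the trailing whitespace-only line with no newline at end of file should go.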
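Review bot: `native_ssh_private_keys: "{{ vaulted_native_ssh_private_keys }}"` points at a variable nothing in this patch defines, and the only plausible source, `vars/ssh_keys_vault.yml`, is commented out in admin_login.yml's `vars_files`, so any task that touches `native_ssh_private_keys` will fail on an undefined variable; nothing in the patch reads it either, so as committed it is dead. Either drop the line or add a comment naming the vault file that is expected to supply `vaulted_native_ssh_private_keys` and that it must be loaded ansible-vault encrypted, e.g. `# supplied by vars/ssh_keys_vault.yml (ansible-vault encrypted, not committed in plain text)`, so the next reader knows which file to create and how to protect it.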