Added password prompt and declared ansible_user variable

.ansible/roles/lockdown/defaults/main.yml

@@ -2,14 +2,15 @@
 ---
 # defaults file for lockdown
 files_mode: no
-# create_groups:
-#   - group_name: "ftp"
 create_users:
-  - username: "{{ hostvars['server'][0].username }}"
+  - username: "{{ hostvars[inventory_hostname]['passwords'][0].username }}"
-    password: "{{ hostvars['server'][0].password }}"
+    password: "{{ hostvars[inventory_hostname]['passwords'][0].password }}"
-    # ssh_authorize: yes
-# web_users:
-#   - caddy
-#   - www-data
 ssh_pubkey_filename_pattern: '.*\.pub'
 include_root_lock: yes
+gpg_private_keys_origin_host: localhost
+ssh_keypairs_origin_host: localhost
+gpg_origin_private_keyids: [] # @NOTE list of gpg key ids from origin or source server
+gpg_origin_private_key_passwords: "{{ vaulted_gpg_origin_private_key_passwords }}" # @NOTE list of gpg key passwords from origin or source server
+ssh_origin_keypairs_filenames: [] # @NOTE list of basenames (filename sans extension) of SSH keypairs
+git_config_name: ~ # @NOTE: has equivalent field under lockdown role vars example YAML file, but different value
+git_config_email: ~ # @NOTE: has equivalent field under lockdown role vars example YAML file, but different value

.ansible/roles/lockdown/tasks/git.yml

@@ -0,0 +1,128 @@
+# 'preferred_signing_key' -> 'gpg_preferred_signing'
+# 'gpg_or_ssh_git_signing' -> 'git_signing_key_type'
+- name: Install git package
+  ansible.builtin.package:
+    name: git
+    state: latest
+- name: Configure git name and email
+  block:
+  - name: Configure git name
+    community.general.git_config:
+      name: user.name
+      scope: global
+      state: present
+      value: "{{ git_config_name }}"
+  - name: Configure git email
+    community.general.git_config:
+      name: user.email
+      scope: global
+      state: present
+      value: "{{ git_config_email }}"
+- name: Configure git signing GPG key
+  when: git_signing_key_type == "gpg"
+  block:
+  - name: Configure specified git signing GPG key
+    when: preferred_signing_key > -1
+    community.general.git_config:
+      name: user.signingkey
+      scope: global
+      state: present
+      value: "{{ gpg_origin_private_keyids[preferred_signing_key] }}"
+    register: selected_signing_key
+  - name: Configure random git signing GPG key
+    when: preferred_signing_key <= -1
+    community.general.git_config:
+      name: user.signingkey
+      scope: global
+      state: present
+      value: "{{ gpg_origin_private_keyids | random }}"
+    register: selected_signing_key
+- name: Configure git signing SSH key
+  when: git_signing_key_type == "ssh"
+  block:
+  - name: Acquire SSH key-pairs from other system
+    when: not files_mode
+    block:
+      - name: Acquire private SSH keys from other system
+        delegate_to: "{{ ssh_keypairs_origin_host }}"
+        ansible.builtin.command:
+          argv:
+          - cat
+          - "~/.ssh/{{ item }}.ppk"
+        loop: "{{ ssh_origin_keypairs_filenames }}"
+        register: ssh_secrets
+      - name: Find SSH public keys in other system
+        delegate_to: "{{ ssh_keypairs_origin_host }}"
+        ansible.builtin.command:
+          argv:
+          - cat
+          - "~/.ssh/{{ item }}.pub"
+        loop: "{{ ssh_origin_keypairs_filenames }}"
+        register: ssh_nonsecrets
+      - name: Create private SSH keys
+        ansible.builtin.copy:
+          content: "{{ item }}"
+          dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ ssh_origin_keypairs_filenames[idx] }}.ppk"
+          force: yes
+          backup: yes
+          mode: "0600"
+          state: present
+        loop: "{{ ssh_secrets.results }}"
+        loop_control:
+          index_var: idx
+        register: created_ssh_private_keys
+      - name: Create public SSH keys
+        ansible.builtin.copy:
+          content: "{{ item }}"
+          dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ ssh_origin_keypairs_filenames[idx] }}.pub"
+          force: yes
+          backup: yes
+          mode: "0644"
+          state: present
+        loop: "{{ ssh_nonsecrets.results }}"
+        loop_control:
+          index_var: idx
+        register: created_ssh_public_keys
+  - name: Acquire SSH key-pairs
+    when: files_mode
+    block:
+      - name: Transfer private SSH keys
+        ansible.builtin.copy:
+          src: ssh/{{ ansible_facts['user_id'] }}/{{ item }}.ppk
+          dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ item }}.ppk"
+          force: yes
+          backup: yes
+          mode: "0600"
+          state: present
+        loop: "{{ ssh_origin_keypairs_filenames }}"
+        loop_control:
+          index_var: idx
+        register: created_ssh_private_keys
+      - name: Transfer public SSH keys
+        ansible.builtin.copy:
+          src: ssh/{{ ansible_facts['user_id'] }}/{{ item }}.pub
+          dest: "{{ ansible_facts['user_dir'] }}/.ssh/{{ item }}.pub"
+          force: yes
+          backup: yes
+          mode: "0644"
+          state: present
+        loop: "{{ ssh_origin_keypairs_filenames }}"
+        loop_control:
+          index_var: idx
+        register: created_ssh_public_keys
+  - name: Configure acquired, specified SSH public key as git signing key
+    when: preferred_signing_key > -1
+    community.general.git_config:
+      name: user.signingkey
+      scope: global
+      state: present
+      value: "{{ created_ssh_public_keys.results[preferred_signing_key] }}"
+    register: selected_signing_key
+  - name: Configure acquired, random SSH public key as git signing key
+    when: preferred_signing_key <= -1
+    community.general.git_config:
+      name: user.signingkey
+      scope: global
+      state: present
+      value: "{{ created_ssh_public_keys.results | random  }}"
+    register: selected_signing_key

.ansible/roles/lockdown/tasks/gpg.yml

@@ -0,0 +1,54 @@
+---
+- name: Acquire GPG private keys from other system
+  when: not files_mode
+  block:
+    - name: Acquire GPG private keys' contents from other system
+      delegate_to: "{{ gpg_private_keys_origin_host }}"
+      ansible.builtin.command:
+        argv:
+          - gpg
+          - -a
+          - --export-secret-key
+          - "{{ item }}"
+      loop: "{{ gpg_origin_private_keyids }}"
+      register: gpg_secrets
+    - name: Create GPG private keys using acquired GPG private keys' contents
+      ansible.builtin.copy:
+        content: "{{ item }}"
+        dest: "{{ ansible_facts['user_dir'] }}/.gnupg/{{ gpg_origin_private_keyids[idx] }}.priv.asc"
+        force: yes
+        backup: yes
+        mode: "0600"
+        state: present
+      loop: "{{ gpg_secrets.results }}"
+      loop_control:
+        index_var: idx
+      register: created_gpg_private_keys
+- name: Acquire GPG private keys
+  when: files_mode
+  ansible.builtin.copy:
+    src: gnupg/{{ ansible_facts['user_id'] }}/{{ item }}.asc
+    dest: "{{ ansible_facts['user_dir'] }}/.gnupg/{{ item }}.priv.asc"
+    force: yes
+    backup: yes
+    mode: "0600"
+    state: present
+  loop: "{{ gpg_origin_private_keyids }}"
+  loop_control:
+    index_var: idx
+  register: created_gpg_private_keys
+- name: Import GPG private keys
+  when: (gpg_origin_private_key_passwords | length) == (gpg_origin_private_keyids | length)
+  ansible.builtin.command:
+    argv:
+      - gpg
+      - --batch
+      - --import
+      - --yes
+      - --passphrase-fd
+      - 0
+      - "{{ item.dest }}"
+    stdin: "{{ gpg_origin_private_key_passwords[idx] }}"
+  loop: "{{ created_gpg_private_keys.results }}"
+  loop_control:
+    index_var: idx

.ansible/roles/lockdown/tasks/main.yml

@@ -47,6 +47,7 @@
   when: not files_mode and ansible_facts["user_id"] == "root"
   block:
     - name: Acquire list of SSH public keys for sys-admin user
+      delegate_to: "{{ ssh_keypairs_origin_host }}"
       ansible.builtin.find:
         paths: "{{ lookup('env', 'HOME') }}/.ssh"
         patterns:
@@ -58,22 +59,30 @@
         - administrative_user
         - admin_ssh
       register: ssh_public_keys
+    - name: Acquire contents of SSH public keys for sys-admin user
+      delegate_to: "{{ ssh_keypairs_origin_host }}"
+      ansible.builtin.command:
+        argv:
+          - cat
+          - "{{ item.path }}"
+      loop: "{{ ssh_public_keys.files }}"
+      register: ssh_public_keys_contents
     - name: Register SSH public keys as sys-admin user's authorized keys
       ansible.builtin.lineinfile:
         path: "{{ created_admin.home }}/.ssh/authorized_keys"
-        line: "{{ lookup('ansible.builtin.file', item) }}"
+        line: "{{ item }}"
         owner: "{{ created_admin.name }}"
         group: "{{ created_admin.name }}"
         mode: "0600"
         create: yes
-        insertafter: ~
+        insertafter: EOF
         state: present
       tags:
         - default
         - administrative_user
         - admin_ssh
-      loop: "{{ ssh_public_keys.files }}"
+      loop: "{{ ssh_public_keys_contents.results }}"
-    - name: Register SSH puplic keys as other users' authorized keys
+    - name: Register SSH public keys as other users' authorized keys
       ansible.builtin.copy:
         src: "ssh/{{ item.name }}/authorized_keys"
         dest: "{{ item.home }}/.ssh/authorized_keys"

.gitignore

@@ -6,26 +6,60 @@ senpai/
 /galaxy_token
 .ansible/log.txt
 .ansible/facts/
-.ansible/roles/**/vars/*
-.ansible/roles/**/files/ssh/*
-.ansible/roles/**/*/files/sshd_config.d/*.conf
-.ansible/roles/**/*/templates/sshd_config.d/*.conf
 .ansible/collections/ansible_collections/
-/playbooks/group_vars/**/main.yml
+*.bak
-/playbooks/host_vars/**/main.yml
+
-/playbooks/group_vars/**/vault.yml
+group_vars/**/main.yml
-/playbooks/host_vars/**/vault.yml
+host_vars/**/main.yml
-/playbooks/**/ssh_keys_vault.yml
+**/group_vars/**/main.yml
-/playbooks/**/ssh_keys.yml
+**/host_vars/**/main.yml
-/playbooks/files/**/bash/bash_aliases
+group_vars/**/vault.yml
-/playbooks/files/**/bash/**/bash_aliases
+host_vars/**/vault.yml
-/playbooks/files/**/bash/bash_functions
+**/group_vars/**/vault.yml
-/playbooks/files/**/bash/**/bash_functions
+**/host_vars/**/vault.yml
-/playbooks/files/**/ssh/config
+
-/playbooks/files/**/ssh/**/config
+.ansible/roles/**/vars/*
-/playbooks/files/**/xdg/user-dirs.defaults
+playbooks/vars/ssh_keys_vault.yml
-/playbooks/files/**/xdg/**/user-dirs.defaults
+playbooks/vars/ssh_keys.yml
+**/playbooks/vars/ssh_keys_vault.yml
+**/playbooks/vars/ssh_keys.yml
+playbooks/vars/main.yml
+playbooks/vars/vault.yml
+**/playbooks/vars/main.yml
+**/playbooks/vars/vault.yml
+
+files/**/**/config
+**/files/**/**/config
+files/**/**/authorized_keys
+**/files/**/**/authorized_keys
+files/**/**/*.conf
+**/files/**/**/*.conf
+files/**/**/*.dirs
+**/files/**/**/*.dirs
+files/**/**/*.defaults
+**/files/**/**/*.defaults
+files/**/**/bash_aliases
+**/files/**/**/bash_aliases
+files/**/**/bash_functions
+**/files/**/**/bash_functions
+
+templates/**/**/config
+**/templates/**/**/config
+templates/**/**/authorized_keys
+**/templates/**/**/authorized_keys
+templates/**/**/*.conf
+**/templates/**/**/*.conf
+templates/**/**/*.dirs
+**/templates/**/**/*.dirs
+templates/**/**/*.defaults
+**/templates/**/**/*.defaults
+templates/**/**/bash_aliases
+**/templates/**/**/bash_aliases
+templates/**/**/bash_functions
+**/templates/**/**/bash_functions
+
 hosts.ini
 hosts.yml
 hosts.yaml
-hosts.json
+hosts.json
+vault.yml

README.md

@@ -1,3 +1,25 @@
 # SUKAATO Ansible
 
-Automates the implementation of VPS servers for my server ecosystem. There is a specific logic and structure to this project, that will be expounded on herein.
+This repository is for automating the management of the configuration of, and the provisioning of software for, my virtual private servers using [Ansible](https://www.redhat.com/en/ansible-collaborative?intcmp=7015Y000003t7aWQAQ). This repository is especially useful for setting up the virtual private server(s) that is(/are) to host and serve my website(s). It is also meant to be useful for provisioning of software and the configuration of that software for personal or household LAN computers.
+
+## Installation and Use
+
+All files with file extension `.example` must be converted to [YAML](https://yaml.org/) files that follow their semantics and naming (or follow the minimum bare "namespace" nesting for dictionaries or lists thereof) *prior* to executing any given [play or task](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html). For more on semantics and naming conventions see the [mini-documentation](#mini-documentation).
+
+> [!IMPORTANT]
+> Keep in mind files with the `.example` extension may also be present recursively under given [role](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html) directories (i.e., under path `${SUKAATO_ANSIBLE_PROJECT}/.ansible/roles/**/**/`).
+
+## Mini-Documentation
+
+### Available Roles
+
+To surmise, the available or planned [roles](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html) are as follows (and are all found under `${SUKAATO_ANSIBLE_PROJECT}/.ansible/roles`):
+
+role name | purpose
+---|---
+lockdown | creating initial `sudo`-capable user, disabling system/SSH root login, setting up key-based SSH authentication, transferring GPG keys, configuring environment, hardening system
+bootstrap | installing programming language and server/container packages, installing extra system managers and essential utilities, configuring and running servers/services/containers
+postinstall | installing and configuring custom sets of packages, largely non-server related and not essential
+
+> **TBC**
+> This README is yet unfinished. Check back later.

hosts.yml.example

@@ -28,6 +28,8 @@ locals:
     localhost_hosts:
   vars:
     ansible_connection: local
+name_surname:
+surname_household:
 servers:
   children:
     sukaato_hosts:

playbooks/files/servers/xdg/user-dirs.dirs.example

@@ -1,15 +0,0 @@
-# This file is written by xdg-user-dirs-update
-# If you want to change or add directories, just edit the line you're
-# interested in. All local changes will be retained on the next run.
-# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
-# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
-# absolute path. No other format is supported.
-# 
-XDG_DESKTOP_DIR="$HOME/Desktop"
-XDG_DOWNLOAD_DIR="$HOME/Downloads"
-XDG_TEMPLATES_DIR="$HOME/Templates"
-XDG_PUBLICSHARE_DIR="$HOME/Public"
-XDG_DOCUMENTS_DIR="$HOME/Documents"
-XDG_MUSIC_DIR="$HOME/Music"
-XDG_PICTURES_DIR="$HOME/Pictures"
-XDG_VIDEOS_DIR="$HOME/Videos"

playbooks/init_login.yml

@@ -7,14 +7,24 @@
     - vars/ssh_keys.yml
   vars:
     ansible_user: "{{ passwords[0].username }}"
-    ansible_ssh_user: "{{ passwords[0].username }}"
     # @NOTE one of below two lines should be commented/uncommented in a mutually exclusive fashion
     # ansible_ssh_private_key_file: "{{ chosen_native_ssh_private_key_file | default(chosen_local_ssh_private_key_file, true) }}" # @NOTE only works with soft-coded SSH key list building
-    ansible_ssh_private_key_file: "{{ chosen_local_ssh_private_key_file }}"
+    ansible_ssh_private_key_file: "{{ chosen_local_ssh_private_key_file }}" # @NOTE references an inventory / group variable
     # @NOTE below three lines should only be uncommented when above two are commented and vice versa; key-based authentication should have already been enabled prior to running this playbook
     # ansible_password: "{{ passwords[0].password }}"
-    # ansible_ssh_pass: "{{ passwords[0].username }}"
+    ansible_python_interpreter: “{{ ansible_playbook_python }}”
-    # ansible_ssh_password: "{{ passwords[0].username }}"
+    personal_computers: locals # @NOTE can change to *_households group or {{ name }}_{{ surname }} group name
+  vars_prompt:
+    - name: gpg_or_ssh_git_signing
+      prompt: Enter preferred signing key type (e.g., ssh or gpg)
+      unsafe: yes
+      private: no
+      default: "ssh"
+    - name: git_preferred_signing
+      prompt: Enter index or number of preferred signing key (negative number for random)
+      unsafe: yes
+      private: no
+      default: -1
   tasks:
     - name: Disable shell access for root
       ansible.builtin.include_role:
@@ -25,11 +35,13 @@
         tasks_from: deshell
         apply:
           become: yes
+      tags:
+        - default
     - name: Create global bash aliases
       become: yes
       ansible.builtin.copy:
-        src: files/all/bash/bash_aliases
+        src: bash/bash_aliases
-        dest: "/etc/bash_aliases"
+        dest: /etc/bash_aliases
         owner: root
         group: root
         follow: yes
@@ -37,11 +49,14 @@
         backup: yes
         mode: "0644"
         state: present
+      tags:
+        - default
+        - source_sys_bashrc
     - name: Create global bash functions
       become: yes
       ansible.builtin.copy:
-        src: files/all/bash/bash_functions
+        src: bash/bash_functions
-        dest: "/etc/bash_functions"
+        dest: /etc/bash_functions
         owner: root
         group: root
         follow: yes
@@ -49,6 +64,9 @@
         backup: yes
         mode: "0644"
         state: present
+      tags:
+        - default
+        - source_sys_bashrc
     - name: Register bash aliases and functions to global bashrc
       become: yes
       ansible.builtin.blockinfile:
@@ -60,7 +78,7 @@
           if [ -f /etc/bash_functions ]; then
               . /etc/bash_functions
           fi
-        path: "/etc/bash.bashrc"
+        path: /etc/bash.bashrc
         prepend_newline: yes
         marker: "# {mark} ANSIBLE MANAGED SYSTEM-WIDE BASH ALIASES AND FUNCTIONS BLOCK"
         insertafter: EOF
@@ -69,4 +87,111 @@
         group: root
         backup: yes
         state: present
-        
+      tags:
+        - default
+        - source_sys_bashrc
+    - name: Start XDG configuration tasks if current host in servers group 
+      when: "'servers' in group_names and ansible_connection != 'local'"
+      become: yes
+      block:
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: files/servers/xdg/user-dirs.defaults
+            dest: /etc/xdg/user-dirs.defaults
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: "xdg/{{ ansible_facts['user_id'] }}/user-dirs.dirs"
+            dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+      tags:
+        - default
+        - create_xdg_config
+        - servers_exclusive
+    - name: Start XDG configuration tasks if current host is local or personal
+      when: "personal_computers in group_names or ansible_connection == 'local'"
+      become: yes
+      block:
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: files/locals/xdg/user-dirs.defaults
+            dest: /etc/xdg/user-dirs.defaults
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: "xdg/{{ ansible_facts['user_id'] }}/user-dirs.dirs"
+            dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+      tags:
+        - default
+        - create_xdg_config
+        - locals_exclusive
+    - name: Start SSH configuration tasks if current host is local or personal
+      when: "personal_computers in group_names or ansible_connection == 'local'"
+      become: yes
+      block:
+        - name: Create user SSH configuration
+          ansible.builtin.copy:
+            src: "ssh/{{ ansible_facts['user_id'] }}/config"
+            dest: "{{ ansible_facts['user_dir'] }}/.ssh/config"
+            follow: yes
+            force: yes
+            backup: yes
+            owner: "{{ ansible_facts['user_id'] }}"
+            group: "{{ ansible_facts['user_id'] }}"
+            mode: "0600"
+            state: present
+      tags:
+        - default
+        - create_ssh_config
+        - locals_exclusive
+    - name: Import GPG private keys
+      ansible.builtin.include_role:
+        name: lockdown
+        defaults_from: main
+        vars_from: main
+        handlers_from: main
+        tasks_from: gpg
+      tags:
+        - default
+        - import_gpg_privkeys
+    - name: Set up git
+      ansible.builtin.include_role:
+        name: lockdown
+        defaults_from: main
+        vars_from: main
+        handlers_from: main
+        tasks_from: git
+      vars:
+        git_signing_key_type: gpg_or_ssh_git_signing
+        preferred_signing_key: git_preferred_signing
+      tags:
+        - default
+        - configure_git
+    
+          
+    

playbooks/manage_root.yml

@@ -2,8 +2,18 @@
 - name: manage_root
   hosts: servers # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
   remote_user: root # MUST be run as root
-  # roles:
+  vars:
-  #   - lockdown
+    ansible_user: root
+    # ansible_ssh_user: root
+  vars_prompt:
+    - name: ansible_password
+      prompt: Enter pasword for root user of VPS
+      unsafe: yes
+      private: yes
+    # - name: ansible_ssh_pass
+    #   prompt: Enter pasword for root user of VPS
+    #   unsafe: yes
+    #   private: yes
   tasks:
     - name: Set up sys-admin account on VPS and secure VPS
       ansible.builtin.include_role:

playbooks/servers.yml

@@ -1,5 +1,5 @@
 ---
 - name: Lock down VPS
   ansible.builtin.import_playbook: manage_root.yml
-- name: Disable shell for root
+- name: Bootstrap VPS
   ansible.builtin.import_playbook: init_login.yml

tasks.org

@@ -0,0 +1,15 @@
+#+author: Alex Tavarez
+#+email: ajt95@prole.biz
+#+language: en
+
+* PLANNED
+** TODO [#A] Add more sections to ~README.md~, as enlisted below
+    - Section about inventory conventional groups, with subsection on essential or avaialble host/group variables
+    - Section about available roles, with subsection on essential or available role variables
+    - Section about available playbooks, with subsection on essential or available playbook variables
+    - Section about conventional external variable files, their location(s) and the semantics of their filenames
+    - Section about conventions for handling sensitive information, and for directory tree structures under ~${SUKAATO_ANSIBLE_PROJECT}/playbooks/{files,templates}~ or ~${SUKAATO_ANSIBLE_PROJECT}/.ansible/roles/**/{files,templates}~
+
+* IN PROGRESS
+
+* FINISHED