Made EOF value for insertafter explicit and fixed path reference in lookup

.ansible/roles/lockdown/defaults/main.yml

@@ -2,14 +2,11 @@
 ---
 # defaults file for lockdown
 files_mode: no
-# create_groups:
-#   - group_name: "ftp"
 create_users:
-  - username: "{{ hostvars['server'][0].username }}"
+  - username: "{{ hostvars[inventory_hostname]['passwords'][0].username }}"
-    password: "{{ hostvars['server'][0].password }}"
+    password: "{{ hostvars[inventory_hostname]['passwords'][0].password }}"
-    # ssh_authorize: yes
-# web_users:
-#   - caddy
-#   - www-data
 ssh_pubkey_filename_pattern: '.*\.pub'
 include_root_lock: yes
+gpg_private_keys_origin_host: localhost
+gpg_origin_private_keyids: [] # @NOTE list of gpg key ids from origin or source server
+gpg_origin_private_key_passwords: "{{ vaulted_gpg_origin_private_key_passwords }}" # @NOTE list of gpg key passwords from origin or source server

.ansible/roles/lockdown/tasks/gpg.yml

@@ -0,0 +1,38 @@
+---
+- name: Acquire GPG private keys from other system
+  delegate_to: "{{ gpg_private_keys_origin_host }}"
+  ansible.builtin.command:
+    argv:
+      - gpg
+      - -a
+      - --export-secret-key
+      - "{{ item }}"
+  loop: "{{ gpg_origin_private_keyids }}"
+  register: gpg_secrets
+- name: Create GPG private keys
+  ansible.builtin.copy:
+    content: "{{ item }}"
+    dest: "{{ ansible_facts['user_dir'] }}/.gnupg/{{ ansible_facts['user_dir'] }}-{{ idx }}.priv.asc"
+    force: yes
+    backup: yes
+    mode: "0600"
+    state: present
+  loop: "{{ gpg_secrets.results }}"
+  loop_control:
+    index_var: idx
+  register: created_gpg_private_keys
+- name: Import GPG private keys
+  when: (gpg_origin_private_key_passwords | length) == (gpg_origin_private_keyids | length)
+  ansible.builtin.command:
+    argv:
+      - gpg
+      - --batch
+      - --import
+      - --yes
+      - --passphrase-fd
+      - 0
+      - "{{ item.dest }}"
+    stdin: "{{ gpg_origin_private_key_passwords[idx] }}"
+  loop: "{{ created_gpg_private_keys.results }}"
+  loop_control:
+    index_var: idx

.ansible/roles/lockdown/tasks/main.yml

@@ -61,12 +61,12 @@
     - name: Register SSH public keys as sys-admin user's authorized keys
       ansible.builtin.lineinfile:
         path: "{{ created_admin.home }}/.ssh/authorized_keys"
-        line: "{{ lookup('ansible.builtin.file', item) }}"
+        line: "{{ lookup('ansible.builtin.file', item.path) }}"
         owner: "{{ created_admin.name }}"
         group: "{{ created_admin.name }}"
         mode: "0600"
         create: yes
-        insertafter: ~
+        insertafter: EOF
         state: present
       tags:
         - default

.gitignore

@@ -13,8 +13,6 @@ senpai/
 .ansible/collections/ansible_collections/
 /playbooks/group_vars/**/main.yml
 /playbooks/host_vars/**/main.yml
-/playbooks/group_vars/**/vault.yml
-/playbooks/host_vars/**/vault.yml
 /playbooks/**/ssh_keys_vault.yml
 /playbooks/**/ssh_keys.yml
 /playbooks/files/**/bash/bash_aliases
@@ -29,3 +27,4 @@ hosts.ini
 hosts.yml
 hosts.yaml
 hosts.json
+vault.yml

hosts.yml.example

@@ -28,6 +28,8 @@ locals:
     localhost_hosts:
   vars:
     ansible_connection: local
+name_surname:
+surname_household:
 servers:
   children:
     sukaato_hosts:

playbooks/init_login.yml

@@ -15,6 +15,13 @@
     # ansible_password: "{{ passwords[0].password }}"
     # ansible_ssh_pass: "{{ passwords[0].username }}"
     # ansible_ssh_password: "{{ passwords[0].username }}"
+    ansible_python_interpreter: “{{ ansible_playbook_python }}”
+    personal_computers: locals # @NOTE can change to *_households group or {{ name }}_{{ surname }} group name
+  vars_prompt:
+    - name: gpg_import_passwords
+      prompt: Enter space-wrapped colon -separated list of GPG private key passwords
+      unsafe: yes
+      private: yes
   tasks:
     - name: Disable shell access for root
       ansible.builtin.include_role:
@@ -25,11 +32,13 @@
         tasks_from: deshell
         apply:
           become: yes
+      tags:
+        - default
     - name: Create global bash aliases
       become: yes
       ansible.builtin.copy:
         src: files/all/bash/bash_aliases
-        dest: "/etc/bash_aliases"
+        dest: /etc/bash_aliases
         owner: root
         group: root
         follow: yes
@@ -37,11 +46,14 @@
         backup: yes
         mode: "0644"
         state: present
+      tags:
+        - default
+        - source_sys_bashrc
     - name: Create global bash functions
       become: yes
       ansible.builtin.copy:
         src: files/all/bash/bash_functions
-        dest: "/etc/bash_functions"
+        dest: /etc/bash_functions
         owner: root
         group: root
         follow: yes
@@ -49,6 +61,9 @@
         backup: yes
         mode: "0644"
         state: present
+      tags:
+        - default
+        - source_sys_bashrc
     - name: Register bash aliases and functions to global bashrc
       become: yes
       ansible.builtin.blockinfile:
@@ -60,7 +75,7 @@
           if [ -f /etc/bash_functions ]; then
               . /etc/bash_functions
           fi
-        path: "/etc/bash.bashrc"
+        path: /etc/bash.bashrc
         prepend_newline: yes
         marker: "# {mark} ANSIBLE MANAGED SYSTEM-WIDE BASH ALIASES AND FUNCTIONS BLOCK"
         insertafter: EOF
@@ -69,4 +84,100 @@
         group: root
         backup: yes
         state: present
+      tags:
+        - default
+        - source_sys_bashrc
+    - name: Start XDG configuration tasks if in servers group 
+      when: "'servers' in group_names and ansible_connection != 'local'"
+      become: yes
+      block:
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: files/servers/xdg/user-dirs.defaults
+            dest: /etc/xdg/user-dirs.defaults
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: "files/servers/{{ ansible_facts['user_id'] }}/xdg/user-dirs.dirs"
+            dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+      tags:
+        - default
+        - create_xdg_config
+        - servers_exclusive
+    - name: Start XDG configuration tasks if current host in specified group
+      when: "personal_computers in group_names or ansible_connection == 'local'"
+      become: yes
+      block:
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: files/locals/xdg/user-dirs.defaults
+            dest: /etc/xdg/user-dirs.defaults
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+        - name: Create XDG user home directory environment variables
+          ansible.builtin.copy:
+            src: "files/locals/{{ ansible_facts['user_id'] }}/xdg/user-dirs.dirs"
+            dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
+            owner: root
+            group: root
+            follow: yes
+            force: yes
+            backup: yes
+            mode: "0644"
+            state: present
+      tags:
+        - default
+        - create_xdg_config
+        - locals_exclusive
+    - name: Start SSH configuration tasks if current host in specified group
+      when: "personal_computers in group_names or ansible_connection == 'local'"
+      become: yes
+      block:
+        - name: Create user SSH configuration
+          ansible.builtin.copy:
+            src: "files/locals/ssh/{{ ansible_facts['user_id'] }}/config"
+            dest: "{{ ansible_facts['user_dir'] }}/.ssh/config"
+            follow: yes
+            force: yes
+            backup: yes
+            owner: "{{ ansible_facts['user_id'] }}"
+            group: "{{ ansible_facts['user_id'] }}"
+            mode: "0600"
+            state: present
+      tags:
+        - default
+        - create_ssh_config
+        - locals_exclusive
+    - name: Import GPG private keys
+      ansible.builtin.include_role:
+        name: lockdown
+        defaults_from: main
+        vars_from: main
+        handlers_from: main
+        tasks_from: gpg
+      vars:
+        gpg_keys_origin_host: localhost
+        gpg_origin_private_key_passwords: "{{ gpg_import_passwords | split(' : ') }}"
+      tags:
+        - default
+        - import_gpg_privkeys
+