set up or initialized Python project

.bin/skansible.sh

@@ -64,7 +64,9 @@ import-gpg () {
     for id in "$@";
     do
         gpg --export-secret-keys "$id" > "${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_GPG}/${id}.key"
+        printf "Please manually add GPG key with 'id' of '%s' in 'users.\$username.gpg_keys' list of inventory file." "$id"
     done
+    printf "Please manually change ID attribute of GPG keys in 'users.\$username.gpg_keys' list of inventory file."
 }
 
 import-ssl () {
@@ -73,6 +75,7 @@ import-ssl () {
         cp "/usr/local/share/ca-certificates/${domain}.key" "${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_SSL}/${domain}.key"
         cp "/usr/local/share/ca-certificates/${domain}.pem" "${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_SSL}/${domain}.pem"
         cp "/usr/local/share/ca-certificates/${domain}.crt" "${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_SSL}/${domain}.crt"
+        printf "Please manually change 'fqdn' attribute in inventory group or host variable file to '%s'." "$domain"
     done
 }
 
@@ -84,10 +87,6 @@ import () {
     esac
 }
 
-mksecret () {
-    true
-}
-
 decrypt () {
     while getopts "mv:i:d:" flag; do
         case "$flag" in
@@ -159,12 +158,19 @@ encrypt () {
         fi
     fi
 
-    printf "Make sure to copy following output to appropriate YAML location.\n"
+    printf "Make sure to copy following to appropriate location in appropriate YAML file under %s: \n" "$SKATO_ANSIBLE_ROOT"
     if [[ -z "$VAR_NAME" ]]; then
         ansible-vault encrypt_string --name "$VAR_NAME" --stdin-name "$VAR_NAME" --vault-id "$VAULT_ID" --output - "$PASSWORD"
     else
         ansible-vault encrypt_string --stdin-name "$ID_TAG" --vault-id "$VAULT_ID" --output - "$PASSWORD"
     fi
+    YAMLS_WITH_PASSWORDS=("${SKATO_BOOTSTRAP_ROLE}/vars/main/software.yml" "${SKATO_BOOTSTRAP_ROLE}/defaults/main/software.yml")
+    printf "Examples of common YAML files passwords may be in: \n"
+    printf "    1. any YAML file in %s \n" "${SKATO_ANSIBLE_ROOT}/hostvars"
+    printf "    2. any YAML file in %s \n" "${SKATO_ANSIBLE_ROOT}/groupvars"
+    for i in "${!YAMLS_WITH_PASSWORDS[@]}"; do
+        printf "    %u. %s \n" "$(( i + 3 ))" "${YAMLS_WITH_PASSWORDS[$i]}"
+    done
 }
 
 # source ./extensions.d/edit.sh

.env

@@ -0,0 +1,28 @@
+SKATO_ANSIBLE_ROOT=$(dirname "$0")
+SKATO_ANSIBLE_ROOT=$(dirname "$SKATO_ANSIBLE_ROOT")
+SKATO_BOOTSTRAP_ROLE="${SKATO_ANSIBLE_ROOT}/roles/bootstrap"
+SKANSIBLE_SECRETS="${SKATO_ANSIBLE_ROOT}/.secrets"
+
+# Relative directory paths for role templates/files
+SKANSIBLE_ARIA="aria2"
+SKANSIBLE_PROFTPD="proftpd"
+SKANSIBLE_PROFTPD_CONFS="${SKANSIBLE_PROFTPD}/conf.d"
+# @NOTE below 4 filepaths have filenames that must correspond to 
+# the filenames in role ProFTPd templates'/files' Display settings 
+SKANSIBLE_PROFTPD_CONFS_WELCOME="${SKANSIBLE_PROFTPD}/conf.d/WELCOME.txt"
+SKANSIBLE_PROFTPD_CONFS_BANNER="${SKANSIBLE_PROFTPD}/conf.d/BANNER.txt"
+SKANSIBLE_PROFTPD_CONFS_SUCCESS="${SKANSIBLE_PROFTPD}/conf.d/SUCCESS.txt"
+SKANSIBLE_PROFTPD_CONFS_EXIT="${SKANSIBLE_PROFTPD}/conf.d/BYE.txt"
+SKANSIBLE_SSHD_CONFS="sshd_config.d"
+SKANSIBLE_SYSTEMD="systemd"
+SKANSIBLE_SYSTEMD_USER_UNITS="${SKANSIBLE_SYSTEMD}/user"
+SKANSIBLE_FAIL2BAN="fail2ban"
+SKANSIBLE_FAIL2BAN_JAILS="${SKANSIBLE_FAIL2BAN}/jail.d"
+SKANSIBLE_FAIL2BAN_FILTERS="${SKANSIBLE_FAIL2BAN}/filter.d"
+SKANSIBLE_GITCONFIG_CONFS="gitconfig.d"
+# @NOTE files in here must have extension "key" with IDs in  
+# "gpg_keys" inventory variable list as basenames.
+SKANSIBLE_GPG="gnupg"
+# @NOTE files in path below must have extensions "key" (private), 
+# "crt" (signed), or "pem" (public) with inventory host FQDN as basename
+SKANSIBLE_SSL="ca-certificates"

.gitignore

@@ -1,4 +1,4 @@
-.env/
+.venv/
 *.bak
 hosts.yml
 .secrets/*
@@ -17,3 +17,4 @@ motd
 banner
 .galaxy_cache/
 galaxy_token
+uv.lock

.python-version

@@ -0,0 +1 @@
+3.13

pyproject.toml

@@ -0,0 +1,12 @@
+[project]
+name = "skansible"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.13"
+dependencies = [
+    "ansible>=13.1.0",
+    "ansible-lint>=25.12.1",
+    "ansible-navigator>=25.12.0",
+    "click>=8.3.1",
+]

roles/bootstrap/handlers/proftpd.yml

@@ -14,7 +14,7 @@
         group: "{{ item[0]['group'] | default(item[0]['username']) }}"
         path: "{{ item[0]['home'] | default('/home/' ~ item[0]['username']) }}/{{ item[1]['username'] }}"
         state: directory
-      loop: "{{ hostvars[inventory_hostname]['users'].values() | product(config['proftpd']['vusers'].values()) }}"
+      loop: "{{ hostvars[inventory_hostname]['users'].values() | product(config['proftpd']['users'].values()) }}"
     - name: Create ProFTPd FTP public directory for anonymous logins
       when: "'ftps' in item.value['services']"
       ansible.builtin.file:
@@ -65,7 +65,7 @@
             owner: root
             path: "{{ item.value }}"
             state: touch
-          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['auth_filepaths']) }}"
+          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['auth_paths']) }}"
         - name: Create the virtual users
           when: "not 'caddy' in item.value['services'] and not 'httpd' in item.value['services'] and not 'www-data' in item.value['services'] and not 'http' in item.value['services'] and not 'https' in item.value['services']"
           ansible.builtin.command:
@@ -73,14 +73,14 @@
               - ftpasswd
               - --passwd
               - "--name={{ item.value['username'] }}"
-              - "--uid=$(id -u {{ item.value['id_of'] }})"
-              - "--gid=$(id -g {{ item.value['gid_of'] }})"
+              - "--uid=$(id -u {{ item.value['id'] }})"
+              - "--gid=$(id -g {{ item.value['gid'] }})"
               - "--home={{ hostvars[inventory_hostname]['users']['ftp']['home'] | default('/srv/ftp') }}/{{ item.value['username'] }}"
               - --shell=/sbin/nologin
-              - --file={{ config['proftpd']['auth_filepaths']['users_path'] }}
+              - --file={{ config['proftpd']['auth_paths']['users'] }}
               - --stdin
             stdin: "{{ item.value['password'] }}"
-          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['vusers']) }}"
+          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['users']) }}"
         - name: Create the virtual groups of virtual users
           when: "not 'caddy' in item.value['services'] and not 'httpd' in item.value['services'] and not 'www-data' in item.value['services'] and not 'http' in item.value['services'] and not 'https' in item.value['services']"
           ansible.builtin.command:
@@ -88,10 +88,10 @@
               - ftpasswd
               - --group
               - "--name={{ item.value['username'] }}"
-              - "--gid=$(id -g {{ item.value['gid_of'] }})"
+              - "--gid=$(id -g {{ item.value['gid'] }})"
               - "--member={{ item.value['username'] }}"
-              - --file={{ config['proftpd']['auth_filepaths']['groups_path'] }}
-          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['vusers']) }}"
+              - --file={{ config['proftpd']['auth_paths']['groups'] }}
+          loop: "{{ lookup('ansible.builtin.dict', config['proftpd']['users']) }}"
     # @TODO create tasks in block integrating LDAP users to ProFTPd
     # - name: Integrate LDAP users into ProFTPd
     - name: Create ProFTPd FTPS virtual host
@@ -108,9 +108,9 @@
         validate: proftpd --configtest
       vars:
         ftp_server_name: "{{ config['proftpd']['name'].uppercase() }}'s Archive'"
-        allowed_users: "{{ ','.join(list(map(lambda u: u['username'], filter(lambda u: not 'http' in u['services'] and not 'https' in u['services'] and not 'httpd' in u['services'] and not 'caddy' in u['services'] and not 'www-data' in u['services'], config['proftpd']['vusers'].values())))) }}"
+        allowed_users: "{{ ','.join(list(map(lambda u: u['username'], filter(lambda u: not 'http' in u['services'] and not 'https' in u['services'] and not 'httpd' in u['services'] and not 'caddy' in u['services'] and not 'www-data' in u['services'], config['proftpd']['users'].values())))) }}"
         anon_root: "{{ map(lambda u: u['home'], filter(lambda u: 'ftps' in u['services'] or 'proftpd' in u['services'], hostvars[inventory_hostname]['users'].values())) | list | random }}/public"
-        anon_user: "{{ config['proftpd']['vusers']['smuggler']['username'] }}"
+        anon_user: "{{ config['proftpd']['users']['smuggler']['username'] }}"
     - name: Set ProFTPd jail in fail2ban
       block:
         - name: Create fail2ban system configuration directory

roles/bootstrap/templates/aria2/aria2.conf.j2

@@ -15,7 +15,7 @@ rpc-allow-origin-all=true
 rpc-max-request-size=10M
 rpc-listen-all=true
 rpc-listen-port=6800
-rpc-secret={{ config.aria.secret }}
+rpc-secret={{ config['aria']['api_key'] }}
 # rpc-certificate=
 # rpc-private-key=
 # rpc-secure=true

roles/bootstrap/templates/proftpd/conf.d/vhost@vps1-fq.dn.conf.example.j2

@@ -20,8 +20,8 @@
 
         # AuthOrder mod_auth_pam.c mod_auth_unix.c*
         AuthOrder mod_auth_file.c
-        AuthUserFile {{ config.proftpd.auth_filepaths.users_path }}
-        AuthGroupFile {{ config.proftpd.auth_filepaths.groups_path }}
+        AuthUserFile {{ config.proftpd.auth_paths.users }}
+        AuthGroupFile {{ config.proftpd.auth_paths.groups }}
         AuthFileOptions SyntaxCheck
 
         TLSEngine on

roles/bootstrap/vars/main/software.yml

@@ -249,16 +249,16 @@ config:
       editor: nvim
   proftpd:
     name: "{{ hostvars[inventory_hostname].fqdn.split('.')[0] }}"
-    auth_filepaths:
-      users_path: /etc/proftpd/ftpd.passwd
-      groups_path: /etc/proftpd/ftpd.group
+    auth_paths:
+      users: /etc/proftpd/ftpd.passwd
+      groups: /etc/proftpd/ftpd.group
     msg:
       welcome: "Our head librarians Furcas and Marbas welcome you!"  
-    vusers:
+    users:
       webmaster:
         username: webmaster
-        id_of: "{{ ['caddy', 'www-data'][0] }}"
-        gid_of: "{{ ['caddy', 'www-data'][0] }}"
+        id: "{{ ['caddy', 'www-data'][0] }}"
+        gid: "{{ ['caddy', 'www-data'][0] }}"
         # @TODO create vaulted password for this ProFTPd virtual user
         password: !vault |
           $ANSIBLE_VAULT;1.2;AES256;vps1-webmaster
@@ -270,8 +270,8 @@ config:
         services: [http,https]
       smuggler:
         username: smuggler
-        id_of: "{{ hostvars[inventory_hostname].users.ftp.username }}"
-        gid_of: "{{ hostvars[inventory_hostname].users.ftp.group | default(hostvars[inventory_hostname].users.ftp.username) }}"
+        id: "{{ hostvars[inventory_hostname].users.ftp.username }}"
+        gid: "{{ hostvars[inventory_hostname].users.ftp.group | default(hostvars[inventory_hostname].users.ftp.username) }}"
         # @TODO create vaulted password for this ProFTPd virtual user
         password: !vault |
           $ANSIBLE_VAULT;1.2;AES256;vps1-smuggler
@@ -293,5 +293,5 @@ config:
     phone_region: US
   aria:
     checksum: ~
-    secret: ~
+    api_key: ~
 

tasks.org

@@ -3,7 +3,11 @@
 #+language: en
 
 * PLANNED
-** TODO [#A] Write documentation on the expected conventional names to be used in the inventory file
+** DONE [#A] Write documentation on the expected conventional names to be used in the inventory file
+** DONE [#A] Write documentation on the expected conventional paths to be used in the inventory file
+** TODO [#A] Create Python Click library/package- based CLI
+** TODO [#A] Soft-code relative paths for role files/templates in Ansible tasks/plays
+** TODO [#A] Soft-code project root and paths to passwords/secrets files for Ansible tasks/plays
 ** TODO [#A] Rewrite dot notation usage of keys for accessing values in custom dictionary variables to bracket notation usage of keys across whole project
 
 * IN PROGRESS