---
- name: admin_login
  hosts: servers # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
  vars_files:
    # @NOTE if second line is uncommented with its variables actively in use, first line should too be uncommented
    # - vars/ssh_keys_vault.yml
    - vars/ssh_keys.yml
  vars:
    ansible_user: "{{ passwords[0].username }}"
    ansible_ssh_user: "{{ passwords[0].username }}"
    # @NOTE one of below two lines should be commented/uncommented in a mutually exclusive fashion
    # ansible_ssh_private_key_file: "{{ chosen_native_ssh_private_key_file | default(chosen_local_ssh_private_key_file, true) }}" # @NOTE only works with soft-coded SSH key list building
    ansible_ssh_private_key_file: "{{ chosen_local_ssh_private_key_file }}"
    # @NOTE below three lines should only be uncommented when above two are commented and vice versa; key-based authentication should have already been enabled prior to running this playbook
    # ansible_password: "{{ passwords[0].password }}"
    # ansible_ssh_pass: "{{ passwords[0].username }}"
    # ansible_ssh_password: "{{ passwords[0].username }}"
  tasks:
    - name: Disable shell access for root
      ansible.builtin.include_role:
        name: lockdown
        defaults_from: main
        vars_from: main
        handlers_from: main
        tasks_from: deshell
        apply:
          become: yes