quick push of recent changes for synchronous work on other devices

used 'product' filter to avoid nested loop for host/group server address and SSH public key paths
2026-06-06 16:36:53 -04:00 · 2026-06-04 07:59:26 -04:00
7 changed files with 441 additions and 386 deletions
--- a/group_vars/armitage.yml
+++ b/group_vars/armitage.yml
@@ -27,15 +27,15 @@ admins:
    # <str<vault?>> hashed (and maybe salted) password
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
-          33663131343861303735643439393165356231366338346538333537643464343761373139303364
-          6630303563346437373161626662313432306138353132350a353334356139376662333562353834
-          36326461613664616565373835303636636533616462303732633461343130346134366662373566
-          6431623034653363310a303665636366353535313436666532623737373930356364616339313633
-          34663839656637373031393031656332393761623161643730326563323863363461333864353338
-          30633964353339323465643064636538346464343035626461333366303835333039653661383030
-          62656663336536373262623062633563646434646431303137306438633937323764633334396539
-          64353734613662663063343966356562326661626436663430623430663766343030646333306634
-          32353839313235313339353431323837356537336231366564313431313462613333
+          31663265653031323833373663653132653532646638316465393364613961643130653330393062
+          6165386239303965386261363565353137636164356130370a336465353931373564393339363561
+          37353162333331663833656631663165356134633961323337663439663733316231666334336539
+          6537373334326634610a623037613462663733343230306538386561363838316638623365636533
+          32313931666439363435663161663665346266653763343265376366383837376436643163376430
+          39393861613037333766386138376335653334363737626664383236303234653461313230383564
+          33393834636165386562383435666233313664656233326364616237636230303264363732376639
+          64396564366335366430303031323865333635306536346463386334303235386438663061343934
+          37376466373566396130366330383834323332626166316661336339346462343466
 # @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey' 
 # and edit 'roles/init-server/install-pks.yml' accordngly
 # <dict[<str>:<dict>]> package groups
@@ -46,228 +46,258 @@ pkgs:
    core:
      - name: neovim
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: flatpak
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: snapd
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: git
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: fail2ban
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: crowdsec
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: glow
        uri: ~
-        key: "https://repo.charm.sh/apt/gpg.key"
-        key_path: /etc/apt/keyrings/charm.gpg
-        src_entry: "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *"
-        src_path: /etc/apt/sources.list.d/charm.list
+        sigkey: "https://repo.charm.sh/apt/gpg.key"
+        sources: "https://repo.charm.sh/apt/"
+        types: deb
+        suites: "*"
+        comps: "*"
      - name: vim-vimwiki
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: pandoc
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: tor
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: i2pd
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
-      - name: radicle
-        uri: ~
-        key: "https://radicle.dev/apt/radicle-archive-keyring.deb"
-        key_path: "{{ ansible_facts['user_dir'] }}/.local_pkgs/"
-        src_entry: "deb [signed-by=/usr/share/radicle/radicle-archive-keyring.asc] https://radicle.dev/apt release main"
-        src_path: /etc/apt/sources.list
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
+      # # @TODO troubleshoot radicle installation issue or change installation method for radicle to script
+      # - name: radicle-keyring
+      #   uri: "https://radicle.dev/apt/radicle-archive-keyring.deb"
+      #   sigkey: ~
+      #   sources: ~
+      #   types: ~
+      #   suites: ~
+      #   comps: ~
+      # - name: radicle
+      #   uri: ~
+      #   sigkey: "https://radicle.dev/apt/radicle-archive-keyring.deb"
+      #   sources: "https://radicle.dev/apt"
+      #   types: deb
+      #   suites: release
+      #   comps: main
      # - name: syncthing
      #   uri: ~
-      #   key: ~
-      #   key_path: ~
-      #   src_entry: ~
-      #   src_path: ~
+      #   sigkey: ~
+      #   sources: ~
+      #   types: ~
+      # suites: ~
+      # comps: ~
    userspace:
      - name: podman
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: podman-compose
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: distrobox
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-core
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-doc
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-crypto
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-ldap
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-sqlite
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: aria2
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncplay-server
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: caddy
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: erlang
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: erlang-hex
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: elixir
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3.13
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3-venv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3-pip
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: golang
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: hugo
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: yt-dlp
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncthing-discosrv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncthing-relaysrv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
-        handler: ~
-      - name: avahi-daemon
-        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
-      - name: avahi-utils
-        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
  # <dict[<str>:<dict>]> representing package groups installed by shell scripts
  script:
    # <list[<dict>]> representing user-level or supplemental shell script installations
--- a/group_vars/homeserver.yml
+++ b/group_vars/homeserver.yml
@@ -17,20 +17,22 @@ pkgs:
  mngr:
    # <list[<dict>]> representing system-level or essential packages
    core:
-      - name: "" # <str> name of package in repositori/repositories; used by handler listener
-        uri: "" # <str> URI/URL or path to package installation file
-        key: "" # <str> URI/URL or path to package signing key
-        key_path: "" # <str> destination path of signing key
-        src_entry: "" # <str> repository entry line/block
-        src_path: "" # <str> filepath for repository entry insertion
+      - name: ""
+        uri: ""
+        sigkey: ""
+        sources: ""
+        types: ""
+        suites: ""
+        comps: ""
    # <list[<dict>]> representing user-level or supplemental packages
    userspace:
      - name: ""
        uri: ""
-        key: ""
-        key_path: ""
-        src_entry: ""
-        src_path: ""
+        sigkey: ""
+        sources: ""
+        types: ""
+        suites: ""
+        comps: ""
  # <dict[<str>:<dict>]> representing package groups installed by shell scripts
  script:
    # <list[<dict>]> representing system-level or essential shell script software installations
--- a/group_vars/sukaato.yml
+++ b/group_vars/sukaato.yml
@@ -38,15 +38,15 @@ admins:
    # <str<vault?>> hashed (and maybe salted) password
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
-          35326430616661626233643261316438323631373736323033666362353732646564366534346333
-          3435643432336165633832373634333864623363323461630a643366636136393031656163663161
-          30313863393037623661333030383931366535626135366664656538666330613936656238653862
-          6232356463633565390a363331306665393832303363316432396363623361396238623064356662
-          64363061613136643932613430633236313238306366363237366130623031326135393364326164
-          63303037376431373237616463323938623630333666356634363966613761376266346163636563
-          63316665653032653533656464336566626166333834653539343961666136653234356362333966
-          39313436363935303430393966653762326463616264373739333638373337643666623531383064
-          66353136383666626566643666663761313437396137383063373033366336663731
+          31663265653031323833373663653132653532646638316465393364613961643130653330393062
+          6165386239303965386261363565353137636164356130370a336465353931373564393339363561
+          37353162333331663833656631663165356134633961323337663439663733316231666334336539
+          6537373334326634610a623037613462663733343230306538386561363838316638623365636533
+          32313931666439363435663161663665346266653763343265376366383837376436643163376430
+          39393861613037333766386138376335653334363737626664383236303234653461313230383564
+          33393834636165386562383435666233313664656233326364616237636230303264363732376639
+          64396564366335366430303031323865333635306536346463386334303235386438663061343934
+          37376466373566396130366330383834323332626166316661336339346462343466
 # @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey' 
 # and edit 'roles/init-server/install-pks.yml' accordngly
 # <dict[<str>:<dict>]> package groups
@@ -57,216 +57,258 @@ pkgs:
    core:
      - name: neovim
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: flatpak
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: snapd
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: git
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: fail2ban
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: crowdsec
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: glow
        uri: ~
-        key: "https://repo.charm.sh/apt/gpg.key"
-        key_path: /etc/apt/keyrings/charm.gpg
-        src_entry: "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *"
-        src_path: /etc/apt/sources.list.d/charm.list
+        sigkey: "https://repo.charm.sh/apt/gpg.key"
+        sources: "https://repo.charm.sh/apt/"
+        types: deb
+        suites: "*"
+        comps: "*"
      - name: vim-vimwiki
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: pandoc
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: tor
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: i2pd
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
-      - name: radicle
-        uri: ~
-        key: "https://radicle.dev/apt/radicle-archive-keyring.deb"
-        key_path: "{{ ansible_facts['user_dir'] }}/.local_pkgs/"
-        src_entry: "deb [signed-by=/usr/share/radicle/radicle-archive-keyring.asc] https://radicle.dev/apt release main"
-        src_path: /etc/apt/sources.list
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
+      # # @TODO troubleshoot radicle installation issue or change installation method for radicle to script
+      # - name: radicle-keyring
+      #   uri: "https://radicle.dev/apt/radicle-archive-keyring.deb"
+      #   sigkey: ~
+      #   sources: ~
+      #   types: ~
+      #   suites: ~
+      #   comps: ~
+      # - name: radicle
+      #   uri: ~
+      #   sigkey: "https://radicle.dev/apt/radicle-archive-keyring.deb"
+      #   sources: "https://radicle.dev/apt"
+      #   types: deb
+      #   suites: release
+      #   comps: main
      # - name: syncthing
      #   uri: ~
-      #   key: ~
-      #   key_path: ~
-      #   src_entry: ~
-      #   src_path: ~
+      #   sigkey: ~
+      #   sources: ~
+      #   types: ~
+      # suites: ~
+      # comps: ~
    userspace:
      - name: podman
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: podman-compose
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: distrobox
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-core
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-doc
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-crypto
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-ldap
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: proftpd-mod-sqlite
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: aria2
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncplay-server
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: caddy
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: erlang
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: erlang-hex
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: elixir
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3.13
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3-venv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: python3-pip
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: golang
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: hugo
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: yt-dlp
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncthing-discosrv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
      - name: syncthing-relaysrv
        uri: ~
-        key: ~
-        key_path: ~
-        src_entry: ~
-        src_path: ~
-        handler: ~
+        sigkey: ~
+        sources: ~
+        types: ~
+        suites: ~
+        comps: ~
  # <dict[<str>:<dict>]> representing package groups installed by shell scripts
  script:
    # <list[<dict>]> representing user-level or supplemental shell script installations
--- a/group_vars/vps.yml
+++ b/group_vars/vps.yml
@@ -18,20 +18,22 @@ pkgs:
  mngr:
    # <list[<dict>]> representing system-level or essential packages
    core:
-      - name: "" # <str> name of package in repositori/repositories; used by handler listener
-        uri: "" # <str> URI/URL or path to package installation file
-        key: "" # <str> URI/URL or path to package signing key
-        key_path: "" # <str> destination path of signing key
-        src_entry: "" # <str> repository entry line/block
-        src_path: "" # <str> filepath for repository entry insertion
+      - name: ""
+        uri: ""
+        sigkey: ""
+        sources: ""
+        types: ""
+        suites: ""
+        comps: ""
    # <list[<dict>]> representing user-level or supplemental packages
    userspace:
      - name: ""
        uri: ""
-        key: ""
-        key_path: ""
-        src_entry: ""
-        src_path: ""
+        sigkey: ""
+        sources: ""
+        types: ""
+        suites: ""
+        comps: ""
  # <dict[<str>:<dict>]> representing package groups installed by shell scripts
  script:
    # <list[<dict>]> representing system-level or essential shell script software installations
--- a/roles/init-server/tasks/harden.yml
+++ b/roles/init-server/tasks/harden.yml
@@ -5,7 +5,7 @@
  when: ansible_user not in (admins | map(attribute="username") | list) and ansible_user != "root"
  ansible.builtin.fail:
    msg: Must use administrative user for subsequent tasks
- name: Hardening SSH service for the Linode VPS
+- name: Hardening SSH service
  ansible.builtin.copy:
    src: sshd_config.d/harden.conf
    dest: /etc/ssh/sshd_config.d/harden.conf
--- a/roles/init-server/tasks/install-pkgs.yml
+++ b/roles/init-server/tasks/install-pkgs.yml
@@ -1,10 +1,6 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # tasks file for roles/init-vps
- name: Checking whether administrative login used
-  when: ansible_user not in (admins | map(attribute="username") | list)
-  ansible.builtin.fail:
-    msg: Must use administrative user for subsequent tasks
 - name: Creating prerequisite directory tree for installation scripts
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/.local/bin"
@@ -27,36 +23,17 @@
      when: ansible_facts["os_family"] == "Debian"
      become: true
      block:
-        - name: Registering a package signing key
-          when: item.key != None and item.key_path != None
-          ansible.builtin.get_url:
-            url: "{{ item.key }}"
-            dest: "{{ item.key_path | default('/etc/apt/keyrings/') }}"
-            owner: root
-            group: root
-            mode: "644"
-            force: true
-            backup: true
-          loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | rejectattr('key', 'search', '\\.deb$') }}"
-        - name: Premature stop
-          ansible.builtin.meta: end_play
-        - name: Installing a package signing key
-          when: item.key != None
-          ansible.builtin.apt:
-            deb: "{{ item.key }}"
-            state: present
-          loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | selectattr('key', 'search', '\\.deb$') }}"
        - name: Registering a package source
-          when: item.src_entry != None and item.src_path != None
-          ansible.builtin.copy:
-            content: "{{ item.src_entry }}"
-            dest: "{{ item.src_path }}"
-            owner: root
-            group: root
-            mode: "644"
-            force: true
-            backup: true
-          loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace }}"
+          when: item.sources != None
+          ansible.builtin.deb822_repository:
+            name: "{{ item.name }}"
+            uris: "{{ item.sources }}"
+            types: "{{ item.types | default('deb') }}"
+            suites: "{{ item.suites | default('*') }}"
+            components: "{{ item.comps | default('*') }}"
+            signed_by: "{{ item.sigkey }}"
+            state: present
+          loop: "{{ ((pkgs.mngr.core | default([])) + (pkgs.mngr.userspace | default([]))) }}"
        - name: Installing a local package in managed node
          when: item.uri != None
          ansible.builtin.apt:
@@ -64,34 +41,35 @@
            update_cache: true
            state: present
          notify: "{{ item.name }}"
-          loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | selectattr('uri', 'search', '\\.deb$') }}"
+          loop: "{{ ((pkgs.mngr.core | default([])) + (pkgs.mngr.userspace | default([]))) | selectattr('uri', 'search', '\\.deb$') }}"
        - name: Installing a package
          when: item.name != None and item.uri == None
          ansible.builtin.package:
            name: "{{ item.name }}"
            update_cache: true
            state: latest
-          notify: "{{ item.name }}" # @TODO create corresponding roles/init-vps handlers
-          loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | rejectattr('uri', 'search', '\\.deb$') }}"
+          # notify: "{{ item.name }}" # @TODO create corresponding roles/init-vps handlers
+          loop: "{{ ((pkgs.mngr.core | default([])) + (pkgs.mngr.userspace | default([]))) | rejectattr('uri', 'search', '\\.deb$') }}"
      tags:
        - get_mngr_pkgs
    - name: Installing software by executing installation shell scripts
-      when: item.src != None
      block:
        - name: Acquiring installation shell script
+          when: item.src != None
          ansible.builtin.get_url:
            url: "{{ item.src }}"
            dest: "{{ ansible_facts['user_dir'] }}/.local/bin/{{ item.name }}-install.sh"
            force: true
            backup: true
            mode: "744"
-          loop: "{{ pkgs.script.core + pkgs.script.userspace }}"
+          loop: "{{ (pkgs.script.core | default([])) + (pkgs.script.userspace | default([])) }}"
          register: install_scripts
        - name: Executing a shell-scripted installation process
+          when: item.src != None and (((pkgs.script.core | default([])) + (pkgs.script.userspace | default([]))) | length) > 0
          become: true
          ansible.builtin.shell:
            cmd: "{{ item.dest }}"
-          notify: "{{ (pkgs.script.core + pkgs.script.userspace)[idx].name }}"
+          notify: "{{ ((pkgs.script.core | default([])) + (pkgs.script.userspace | default([])))[idx].name }}"
          loop: "{{ install_scripts.results }}"
          loop_control:
            index_var: idx
@@ -101,20 +79,22 @@
    - name: Installing software by building it from source archives
      block:
        - name: Acquiring software source archive
+          when: item.src != None
          ansible.builtin.get_url:
            url: "{{ item.src }}"
            dest: "{{ ansible_facts['user_dir'] }}/downloads/archives/"
            force: true
            backup: true
            mode: "644"
-          loop: "{{ pkgs.archive.core + pkgs.archive.userspace }}"
+          loop: "{{ (pkgs.archive.core | default([])) + (pkgs.archive.userspace | default([])) }}"
          register: archived_builds
        - name: Unarchiving software build archive
+          when: item.dest != None and (((pkgs.script.core | default([])) + (pkgs.script.userspace | default([]))) | length) > 0
          ansible.builtin.unarchive:
            src: "{{ item.dest }}"
            remote_src: true
-            dest: "{{ ansible_facts['user_dir'] }}/downloads/archives/released/{{ (pkgs.archive.core + pkgs.archive.userspace)[idx].name }}/"
-          notify: "{{ (pkgs.archive.core + pkgs.archive.userspace)[idx].name }}"
+            dest: "{{ ansible_facts['user_dir'] }}/downloads/archives/released/{{ ((pkgs.archive.core | default([])) + (pkgs.archive.userspace | default([])))[idx].name }}/"
+          notify: "{{ ((pkgs.archive.core | default([])) + (pkgs.archive.userspace | default([])))[idx].name }}"
          loop: "{{ archived_builds.results }}"
          loop_control:
            index_var: idx
@@ -123,6 +103,7 @@
    - name: Installing software from source git repositories
      block:
        - name: Clone git bare repository
+          when: item.src != None
          ansible.builtin.git:
            repo: "{{ item.src }}"
            dest: "{{ ansible_facts['user_dir'] }}/repos/.foreign/{{ item.name }}"
@@ -130,7 +111,7 @@
            clone: true
            single_branch: true
          notify: "{{ item.name }}"
-          loop: "{{ pkgs.git_repos.core + pkgs.git_repos.userspace }}"
+          loop: "{{ (pkgs.git_repos.core | default([])) + (pkgs.git_repos.userspace | default([])) }}"
          register: installation_repos
      tags:
        - get_git_pkgs
--- a/roles/init-server/tasks/spawn.yml
+++ b/roles/init-server/tasks/spawn.yml
@@ -89,18 +89,16 @@
          vars:
            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
-    # @TODO find way to incorporate use of 'groups[instance] | default(hostvars[instance]' for 
-    # looping without loop nesting in below task
    - name: Providing authorized keys for server root account
-      delegate_to: "{{ (groups[instance] | default(hostvars[instance]))[0] }}"
+      delegate_to: "{{ item[0] }}"
      delegate_facts: true
      remote_user: root
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
-        key: "{{ lookup('file', item) }}"
+        key: "{{ lookup('file', item[1]) }}"
        state: present
      vars:
        ansible_user: root
-      loop: "{{ root_pubkey_paths }}"
+      loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
  tags:
    - lan
Author	SHA1	Message	Date
Alex Tavarez	1b6811b42b	quick push of recent changes for synchronous work on other devices	2026-06-06 16:36:53 -04:00
Alex Tavarez	e2128552b9	used 'product' filter to avoid nested loop for host/group server address and SSH public key paths	2026-06-04 07:59:26 -04:00