hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent

added task block to prompt user for a fallback password if given root password is null
added task block to prompt user for a fallback password if given user password is null
2026-06-17 14:42:16 -04:00 · 2026-06-17 14:40:35 -04:00 · 2026-06-17 14:40:17 -04:00 · 2026-06-17 14:39:10 -04:00 · 2026-06-17 14:36:26 -04:00
6 changed files with 83 additions and 72 deletions
--- a/group_vars/armitage_test.yml
+++ b/group_vars/armitage_test.yml
@@ -1,12 +1,6 @@
 # @TODO create inventory group variables akin to structure of sukaato group's for homeserver
 # <str<vault>> representing password for Linux root user account of VPS
-password: !vault |
+password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test') }}"
          $ANSIBLE_VAULT;1.1;AES256
          32333335343939653231313938666134306338356633393035363039373465386165313666383262
          6465313738316635633332623765336563626165336330370a616634393266366430363663333066
          63373165346236386632393866316164623133373761303262643734356433646661636533666266
          3834643765613937300a326365643961626236386261303933643965333565623836313231346537
          3030
 # <str> representing hostname for LAN server; same as host or group variable name
 instance: armitage
 # <str<enum>> representing Linux distro or OS image to be used for VPS 
@@ -14,28 +8,19 @@ instance: armitage
 operating_system: ~
 # <list[<str>]> of control node or local SSH key basenames
 ssh_keys:
-  - ed25519@sukaato.hikiki
+  - ed25519@staging
-  - ecdsa@sukaato.hikiki
+  - ecdsa@staging
 # <list<dict>> list of administrative users (in Linux, users that can use "sudo")
 admins:
  - username: senpai # <str> arbitrary valid user name
    services: ~ # <list[<str>]> if linux system user, assocated servce
    # <list[<str>]> list of control node or local SSH key basenames for this user
    ssh_keys:
-      - ecdsa-37851076-sk@sukaato.hikiki
+      # @TODO add secondary and teriary Yubikeys
-      - ecdsa-37851072-sk@sukaato.hikiki
+      - ecdsa-37851076-sk@staging
      - ed25519-37851076-sk@staging
    # <str<vault?>> hashed (and maybe salted) password
-    password: !vault |
+    password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='senpai:armitage_test') }}"
          $ANSIBLE_VAULT;1.1;AES256
          34636132613365646330653431653236303563623464316638643439373761366564663264613738
          3033343264373264333362616434333465323439653134340a643066663832353965313434386639
          38366263646638353632656431366638393939623537326233306132306436363338373161643433
          3439653833333164390a303430616561356464393030353433303738383730643330323031373432
          62386231653339616436383837383966643539353036353034363132633539643332386131613537
          31356230383561663735363530393562363237343166323635666665386165633130653864646238
          39323735386161646531323335393639353630376136663063393930326434346435343937623336
          33336132663238326662323536326638333139313535373166636363336366663962373936383536
          62303536363939316563646630633064306364366331623665646533633065336236
 # <dict[<str>:<dict>]> package groups
 pkgs:
  # <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
--- a/group_vars/sukaato_test.yml
+++ b/group_vars/sukaato_test.yml
@@ -1,22 +1,7 @@
 # <str<vault>> representing password for Linux root user account of VPS
-password: !vault |
+password: "{{ lookup('password', '../.tmp/sukaato_test.pass', seed='sukaato_test') }}"
          $ANSIBLE_VAULT;1.1;AES256
          66353462633933306537323461663665643234306166366663653163306436333037313032306338
          3762653037396437633835356630656438623163656536310a306163663234383265386133396634
          34363163343766623739646334643031373239373630663731376239333764346531396363636131
          6163343335356337660a366337336632333236326532373032353332333636366638616265356562
          66616534303035386134623535373935373065326539363065623230633034313433
 # <str<vault>> representing API token for VPS cloud service
-token: !vault |
+token: ~
          $ANSIBLE_VAULT;1.1;AES256
          33333839333337323062326231626534616166646666343261343966636464346630363033653130
          3035653864396363376633346362353239643939663462370a323935353061313563336435366331
          30393463653661326539326234646438663133616634663439303932656137633839656533376433
          3666643635613039390a323138393033623131326438616331386539666333613630316263613636
          66663263373665343662393638623064356234646165343835623966643761333562323132396466
          63363436333463653130323531343139316466316131313031343232343039396261616231376232
          66383938333661363532303166306563396634663132396166646132663131373738396131626633
          34393265343061356531
 # <str> representing name and hostname of VPS to be made in VPS cloud service
 instance: sukaato
 # <str<enum>> representing region options from or for given VPS cloud service
@@ -25,28 +10,19 @@ origin: us-east
 operating_system: linode/debian13
 # <list[<str>]> list of control node or local SSH key basenames for root user
 ssh_keys:
-  - ed25519@sukaato.hikiki
+  - ed25519@staging
-  - ecdsa@sukaato.hikiki
+  - ecdsa@staging
 # <list<dict>> list of administrative users (in Linux, users that can use "sudo")
 admins:
  - username: senpai # <str> arbitrary valid user name
    services: ~ # <list[<str>]> if linux system user, assocated servce
    # <list[<str>]> list of control node or local SSH key basenames for this user
    ssh_keys:
-      - ecdsa-37851076-sk@sukaato.hikiki
+      # @TODO add secondary and teriary Yubikeys
-      - ecdsa-37851072-sk@sukaato.hikiki
+      - ecdsa-37851076-sk@staging
      - ed25519-37851076-sk@staging
    # <str<vault?>> hashed (and maybe salted) password
-    password: !vault |
+    password: "{{ lookup('password', '../.tmp/sukaato_test.pass', seed='senpai:sukaato_test') }}"
          $ANSIBLE_VAULT;1.1;AES256
          31663265653031323833373663653132653532646638316465393364613961643130653330393062
          6165386239303965386261363565353137636164356130370a336465353931373564393339363561
          37353162333331663833656631663165356134633961323337663439663733316231666334336539
          6537373334326634610a623037613462663733343230306538386561363838316638623365636533
          32313931666439363435663161663665346266653763343265376366383837376436643163376430
          39393861613037333766386138376335653334363737626664383236303234653461313230383564
          33393834636165386562383435666233313664656233326364616237636230303264363732376639
          64396564366335366430303031323865333635306536346463386334303235386438663061343934
          37376466373566396130366330383834323332626166316661336339346462343466
 # <dict[<str>:<dict>]> package groups
 pkgs:
  # <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
--- a/hosts.yml.example
+++ b/hosts.yml.example
@@ -1,18 +1,20 @@
 # @TODO use hosts and host groupings that refer or point to VM or containerized servers for testing
 ungrouped:
  hosts:
-    staging:
+    staging0:
-      ansible_host: ~ # IP address of test host
+      ansible_host: ~
    staging1:
      ansible_host: ~
 sukaato:
  hosts: ~
 sukaato_test:
  hosts:
-    staging:
+    staging0:
 armitage:
  hosts: ~
 armitage_test:
  hosts:
-    staging:
+    staging1:
 vps:
  children:
    sukaato:
--- a/roles/init-server/tasks/spawn.yml
+++ b/roles/init-server/tasks/spawn.yml
@@ -18,20 +18,41 @@
  ansible.builtin.set_fact:
    root_pubkeys: "{{ root_pubkeys | default([]) + [lookup('file', item)] }}"
  loop: "{{ root_pubkey_paths }}"
 - name: Ensuring password is defined for root user
  when: prehashed_password is undefined or prehashed_password == None
  block:
    - name: Prompting for password for or of root user
      when: password is undefined or password == None
      ansible.builtin.pause:
        prompt: "Provide a password for the root user"
        echo: false
      register: prompted_password
    - name: Getting the inputted password for root user
      when: prompted_password is defined or prompted_password != None
      ansible.builtin.set_fact:
        prehashed_password: "{{ prompted_password.user_input }}"
 - name: Bootstrapping VPS
  block:
    - name: Ensuring token is available for VPS service API
      when: token is undefined or token == None
      ansible.builtin.pause:
        prompt: "Provide the API token for the given VPS service"
        echo: false
      register: prompted_token
    - name: Creating VPS via Linode VPS service API
      block:
        - name: Creating the VPS
          linode.cloud.instance:
-            api_token: "{{ token }}"
+            api_token: "{{ token | prompted_token.user_input }}"
            label: "{{ instance }}"
            type: g6-standard-2
            image: "{{ operating_system }}"
            disk_encryption: enabled
            region: "{{ origin }}"
            private_ip: true
-            root_pass: "{{ password }}"
+            # @TODO find out if 'root_pass' attribute takes in hashed or plaintext password
            # root_pass: "{{ password | default((prehashed_password | lookup('password_hash', hashtype='sha512'))) }}" # IF HASHED
            root_pass: "{{ password | default(prehashed_password) }}" # IF PLAINTEXT
            authorized_keys: "{{ root_pubkeys }}"
            state: present
          register: new_instance
@@ -43,7 +64,6 @@
            timeout: 300
          vars:
            ansible_ssh_private_key_file: "{{ chosen_privkey | default(ssh_keypairs.files | rejectattr('path', 'search', '\\.pub$') | map(attribute='path') | list | random) }}" # @TODO define 'chosen_privkey'in playbook
            ansible_user: root
          loop: "{{ new_instance.instance[ip_pref] }}"
      tags:
        - linode
@@ -66,8 +86,6 @@
          ansible.builtin.wait_for_connection:
            delay: 20
            timeout: 300
          vars:
            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
        - name: Checking if that server has required operating system
          delegate_to: "{{ item }}"
@@ -76,8 +94,6 @@
          when: ansible_facts["system"] != "Linux" and item is ansible.utils['ip_pref']
          ansible.builtin.fail:
            msg: Unsupported operating system found
          vars:
            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
        - name: Checking if that server has required Linux distro
          delegate_to: "{{ item }}"
@@ -86,19 +102,16 @@
          when: ansible_facts["system"] == "Linux" and ansible_facts["os_family"] != "Debian" and item is ansible.utils['ip_pref']
          ansible.builtin.fail:
            msg: Unsupported Linux distro found
          vars:
            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
    - name: Providing authorized keys for server root account
      delegate_to: "{{ item[0] }}"
      delegate_facts: true
      become: true
      remote_user: root
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', item[1]) }}"
        state: present
      vars:
        ansible_user: root
      loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
  tags:
    - lan
--- a/roles/init-server/tasks/ssh-users.yml
+++ b/roles/init-server/tasks/ssh-users.yml
@@ -16,6 +16,27 @@
      register: remote_group
      tags:
        - lan
    - name: Managing passwords
      when: prehashed_passwords is undefined or prehashed_passwords == None
      block:
        - name: Acquiring users lacking passwords
          ansible.builtin.set_fact:
            passwordless_admins: "{{ admins | selectattr('password', '==', 'null') | list }}"
        - name: Pausing to acquire password for a user
          when: item.password is undefined or item.password == None
          ansible.builtin.pause:
            prompt: "Provide a password for the administrative user, {{ item.username }}"
            echo: false
          loop: "{{ passwordless_admins }}"
          register: prompted_passwords
        - name: Processing inputted password per user
          when: prompted_passwords is defined and prompted_passwords != None
          ansible.builtin.set_fact:
            prehashed_passwords: "{{ (prompted_passwords.results | default([])) | map(attribute='user_input') | list }}"
        - name: Pairing inputted passwords with associated user
          when: prehashed_passwords is defined or prehashed_passwords != None
          ansible.builtin.set_fact:
            prehashed_passwords: "{{ dict(passwordless_admins | map(attribute='username') | zip(prehashed_passwords) | list) }}"
    - name: Creating an administrative user
      become: true
      ansible.builtin.user:
@@ -27,7 +48,7 @@
        append: true
        generate_ssh_key: true
        create_home: true
-        password: "{{ item.password }}"
+        password: "{{ item.password | default((prehashed_passwords[item.username] | password_hash(hashtype='sha512'))) }}"
        shell: "/bin/bash"
      loop: "{{ admins }}"
      register: admin_users
--- a/skato-ansible.sh
+++ b/skato-ansible.sh
@@ -8,25 +8,30 @@ SKANSIBLE_DEBUG=1
 SKANSIBLE_UNIT_TEST=1
 DEFAULT_USER=senpai
 DEFAULT_SKANSIBLE_PLAY_HOST=vps
 SKANSIBLE_SSH_KEY_COLLECTION=(~/.ssh/ed25519\@staging ~/.ssh/ecdsa\@staging ~/.ssh/ed25519-37851076-sk\@staging ~/.ssh/ecdsa-37851076-sk\@staging)
 if [[ "$1" == "version" ]]; then
    echo "0.0.0"
 fi
 if [[ "$1" == "show-defaults" ]]; then
    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    printf "User: %s\n" "$DEFAULT_USER"
    printf "Expected hosts for playbook: %s\n" "$DEFAULT_SKANSIBLE_PLAY_HOST"
    printf "Private SSH keys available throufh SSH agent: |\n%s\n" "$(ssh-add -l)"
 fi
 if [[ "$1" == "start-agent" ]]; then
    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    eval "$(ssh-agent -s)"
 fi
 if [[ "$1" == "populate-agent" ]]; then
    shift 1
    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
-    if [[ -z "$1" ]]; then
+    if [[ "$1" == "all" ]]; then
        for SKANSIBLE_SSH_KEY in ~/.ssh/*; do
            case $SKANSIBLE_SSH_KEY in
                *.pub);;
@@ -39,12 +44,21 @@ if [[ "$1" == "populate-agent" ]]; then
                *) ssh-add "${SKANSIBLE_SSH_KEY}";;
            esac
        done
-    else
+    elif [[ "$1" == "select" ]]; then
        for key in "${SKANSIBLE_SSH_KEY_COLLECTION[@]}"; do
            ssh-add "$key"
        done
    elif [[ -z "$1" ]]; then
        # @TODO improve by adding fuzzy querying or file finding pror
        ssh-add "$1"
    fi
 fi
 if [[ "$1" == "list-agent" ]]; then
    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    ssh-add -l
 fi
 if [[ "$1" == "init" ]]; then
    shift 1
Author	SHA1	Message	Date
Alex Tavarez	0dd0633166	hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent	2026-06-17 14:42:16 -04:00
Alex Tavarez	9945330b82	added task block to prompt user for a fallback password if given root password is null	2026-06-17 14:40:35 -04:00
Alex Tavarez	f4399a2c8a	added task block to prompt user for a fallback password if given user password is null	2026-06-17 14:40:17 -04:00
Alex Tavarez	596b828e6f	changed SSH key queries to dedicated SSH keys, and automated password creation, for staging; removed token to be prompted instead	2026-06-17 14:39:10 -04:00
Alex Tavarez	13ef8fa459	made ungrouped hosts be two machines for staging or more	2026-06-17 14:36:26 -04:00