made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible

added task informing user of needed actions to take advantage of now-avaialble vim plugins
fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes
2026-06-18 19:20:56 -04:00 · 2026-06-18 19:19:23 -04:00 · 2026-06-18 19:18:26 -04:00 · 2026-06-18 19:17:16 -04:00 · 2026-06-18 19:16:26 -04:00 · 2026-06-18 19:14:14 -04:00
12 changed files with 142 additions and 98 deletions
--- a/group_vars/armitage_test.yml
+++ b/group_vars/armitage_test.yml
@@ -1,12 +1,6 @@
 # @TODO create inventory group variables akin to structure of sukaato group's for homeserver
 # <str<vault>> representing password for Linux root user account of VPS
-password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          32333335343939653231313938666134306338356633393035363039373465386165313666383262
-          6465313738316635633332623765336563626165336330370a616634393266366430363663333066
-          63373165346236386632393866316164623133373761303262643734356433646661636533666266
-          3834643765613937300a326365643961626236386261303933643965333565623836313231346537
-          3030
+password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt') }}"
 # <str> representing hostname for LAN server; same as host or group variable name
 instance: armitage
 # <str<enum>> representing Linux distro or OS image to be used for VPS 
@@ -14,28 +8,19 @@ instance: armitage
 operating_system: ~
 # <list[<str>]> of control node or local SSH key basenames
 ssh_keys:
-  - ed25519@sukaato.hikiki
-  - ecdsa@sukaato.hikiki
+  - ed25519@staging
+  - ecdsa@staging
 # <list<dict>> list of administrative users (in Linux, users that can use "sudo")
 admins:
  - username: senpai # <str> arbitrary valid user name
    services: ~ # <list[<str>]> if linux system user, assocated servce
    # <list[<str>]> list of control node or local SSH key basenames for this user
    ssh_keys:
-      - ecdsa-37851076-sk@sukaato.hikiki
-      - ecdsa-37851072-sk@sukaato.hikiki
+      # @TODO add secondary and teriary Yubikeys
+      - ecdsa-37851076-sk@staging
+      - ed25519-37851076-sk@staging
    # <str<vault?>> hashed (and maybe salted) password
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          34636132613365646330653431653236303563623464316638643439373761366564663264613738
-          3033343264373264333362616434333465323439653134340a643066663832353965313434386639
-          38366263646638353632656431366638393939623537326233306132306436363338373161643433
-          3439653833333164390a303430616561356464393030353433303738383730643330323031373432
-          62386231653339616436383837383966643539353036353034363132633539643332386131613537
-          31356230383561663735363530393562363237343166323635666665386165633130653864646238
-          39323735386161646531323335393639353630376136663063393930326434346435343937623336
-          33336132663238326662323536326638333139313535373166636363336366663962373936383536
-          62303536363939316563646630633064306364366331623665646533633065336236
+    password: "{{ lookup('password', '../.tmp/senpai@armitage_test.pass', seed='senpai:armitage_test', encrypt='sha512_crypt') }}"
 # <dict[<str>:<dict>]> package groups
 pkgs:
  # <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -98,14 +83,6 @@ pkgs:
        suites: ~
        comps: ~
        handler: ~
-      - name: vim
-        uri: ~
-        sources: ~
-        sigkey: ~
-        types: ~
-        suites: ~
-        comps: ~
-        handler: vim
      - name: vim-vimwiki
        uri: ~
        sigkey: ~
@@ -185,7 +162,7 @@ pkgs:
        types: ~
        suites: ~
        comps: ~
-        handler: ~
+        handler: crowdsec
      - name: glow
        uri: ~
        sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -403,6 +380,14 @@ pkgs:
        comps: ~
        handler: ~
    userspace:
+      - name: vim
+        uri: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
+        handler: vim
      - name: neovim
        uri: ~
        sources: ~
--- a/group_vars/sukaato_test.yml
+++ b/group_vars/sukaato_test.yml
@@ -1,22 +1,7 @@
 # <str<vault>> representing password for Linux root user account of VPS
-password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          66353462633933306537323461663665643234306166366663653163306436333037313032306338
-          3762653037396437633835356630656438623163656536310a306163663234383265386133396634
-          34363163343766623739646334643031373239373630663731376239333764346531396363636131
-          6163343335356337660a366337336632333236326532373032353332333636366638616265356562
-          66616534303035386134623535373935373065326539363065623230633034313433
+password: "{{ lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', encrypt='sha512_crypt') }}"
 # <str<vault>> representing API token for VPS cloud service
-token: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          33333839333337323062326231626534616166646666343261343966636464346630363033653130
-          3035653864396363376633346362353239643939663462370a323935353061313563336435366331
-          30393463653661326539326234646438663133616634663439303932656137633839656533376433
-          3666643635613039390a323138393033623131326438616331386539666333613630316263613636
-          66663263373665343662393638623064356234646165343835623966643761333562323132396466
-          63363436333463653130323531343139316466316131313031343232343039396261616231376232
-          66383938333661363532303166306563396634663132396166646132663131373738396131626633
-          34393265343061356531
+token: ~
 # <str> representing name and hostname of VPS to be made in VPS cloud service
 instance: sukaato
 # <str<enum>> representing region options from or for given VPS cloud service
@@ -25,28 +10,19 @@ origin: us-east
 operating_system: linode/debian13
 # <list[<str>]> list of control node or local SSH key basenames for root user
 ssh_keys:
-  - ed25519@sukaato.hikiki
-  - ecdsa@sukaato.hikiki
+  - ed25519@staging
+  - ecdsa@staging
 # <list<dict>> list of administrative users (in Linux, users that can use "sudo")
 admins:
  - username: senpai # <str> arbitrary valid user name
    services: ~ # <list[<str>]> if linux system user, assocated servce
    # <list[<str>]> list of control node or local SSH key basenames for this user
    ssh_keys:
-      - ecdsa-37851076-sk@sukaato.hikiki
-      - ecdsa-37851072-sk@sukaato.hikiki
+      # @TODO add secondary and teriary Yubikeys
+      - ecdsa-37851076-sk@staging
+      - ed25519-37851076-sk@staging
    # <str<vault?>> hashed (and maybe salted) password
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          31663265653031323833373663653132653532646638316465393364613961643130653330393062
-          6165386239303965386261363565353137636164356130370a336465353931373564393339363561
-          37353162333331663833656631663165356134633961323337663439663733316231666334336539
-          6537373334326634610a623037613462663733343230306538386561363838316638623365636533
-          32313931666439363435663161663665346266653763343265376366383837376436643163376430
-          39393861613037333766386138376335653334363737626664383236303234653461313230383564
-          33393834636165386562383435666233313664656233326364616237636230303264363732376639
-          64396564366335366430303031323865333635306536346463386334303235386438663061343934
-          37376466373566396130366330383834323332626166316661336339346462343466
+    password: "{{ lookup('password', './.tmp/senpai@sukaato_test.pass', seed='senpai:sukaato_test', encrypt='sha512_crypt') }}"
 # <dict[<str>:<dict>]> package groups
 pkgs:
  # <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -181,14 +157,6 @@ pkgs:
        suites: ~
        comps: ~
        handler: ~
-      - name: vim
-        uri: ~
-        sources: ~
-        sigkey: ~
-        types: ~
-        suites: ~
-        comps: ~
-        handler: vim
      - name: git
        uri: ~
        sources: ~
@@ -212,7 +180,7 @@ pkgs:
        types: ~
        suites: ~
        comps: ~
-        handler: ~
+        handler: crowdsec
      - name: glow
        uri: ~
        sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -359,6 +327,14 @@ pkgs:
        comps: ~
        handler: headscale
    userspace:
+      - name: vim
+        uri: ~
+        sources: ~
+        sigkey: ~
+        types: ~
+        suites: ~
+        comps: ~
+        handler: vim
      - name: neovim
        uri: ~
        sigkey: ~
--- a/hosts.yml.example
+++ b/hosts.yml.example
@@ -1,18 +1,20 @@
 # @TODO use hosts and host groupings that refer or point to VM or containerized servers for testing
 ungrouped:
  hosts:
-    staging:
-      ansible_host: ~ # IP address of test host
+    staging0:
+      ansible_host: ~
+    staging1:
+      ansible_host: ~
 sukaato:
  hosts: ~
 sukaato_test:
  hosts:
-    staging:
+    staging0:
 armitage:
  hosts: ~
 armitage_test:
  hosts:
-    staging:
+    staging1:
 vps:
  children:
    sukaato:
--- a/init@vps.yml
+++ b/init@vps.yml
@@ -31,6 +31,8 @@
      ansible.builtin.include_role:
        name: init-server
        tasks_from: ssh-users
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
    - name: Update hostname
      become: true
      ansible.builtin.hostname:
@@ -39,7 +41,14 @@
      become: true
      ansible.builtin.command:
        cmd: "hostnamectl set-icon-name computer-server"
+    - name: Notifying user that all processes have finished
+      ansible.builtin.debug:
+        msg: All processes finished. Hit enter to reboot machine.
+    - name: Ensuring user has read prior message regarding upcoming reboot
+      ansible.builtin.pause:
    - name: Rebooting machine for hostname change
      become: true
      ansible.builtin.reboot:
-        msg: "Rebooting machine"
+        msg: "Rebooting machine.."
+        connect_timeout: 0
+        test_command: ~
--- a/roles/init-server/handlers/core.yml
+++ b/roles/init-server/handlers/core.yml
@@ -5,10 +5,10 @@
  ansible.builtin.debug:
    msg: "No post-installaton or additional installation steps needed--continuing..."
  listen: default
- name: Setting up ViM
+- name: Setting up Crowdsec
  ansible.builtin.include_tasks:
-    file: tasks/contingent/pkg/vim.yml
-  listen: vim
+    file: tasks/contingent/pkg/crowdsec.yml
+  listen: crowdsec
 - name: Setting up Headscale
  ansible.builtin.include_tasks:
    file: tasks/contingent/pkg/headscale.yml
--- a/roles/init-server/handlers/userspace.yml
+++ b/roles/init-server/handlers/userspace.yml
@@ -5,6 +5,10 @@
  ansible.builtin.debug:
    msg: "No post-installaton or additional installation steps needed--continuing..."
  listen: default
+- name: Setting up ViM
+  ansible.builtin.include_tasks:
+    file: tasks/contingent/pkg/vim.yml
+  listen: vim
 - name: Settng up NeoViM
  ansible.builtin.include_tasks:
    file: tasks/contingent/pkg/neovim.yml
--- a/roles/init-server/tasks/contingent/pkg/crowdsec.yml
+++ b/roles/init-server/tasks/contingent/pkg/crowdsec.yml
@@ -1,3 +1,10 @@
+- name: Restarting SystemD service
+  become: true
+  ansible.builtin.systemd_service:
+    name: crowdsec
+    scope: system
+    enabled: true
+    state: started
 - name: Changing the address and port of the Crowdsec server
  become: true
  ansible.builtin.lineinfile:
@@ -11,7 +18,7 @@
  become: true
  ansible.builtin.lineinfile:
    path: /etc/crowdsec/config.yaml
-    regexp: "^ {2}listen_uri"
+    regexp: "^ {2}listen_addr"
    line: "  listen_addr: localhost"
    owner: root
    group: root
@@ -24,4 +31,10 @@
    line: "url: http://localhost:{{ crowdsec.port }}"
    owner: root
    group: root
-    mode: "644"
+    mode: "644"
+- name: Restarting SystemD service
+  become: true
+  ansible.builtin.systemd_service:
+    name: crowdsec
+    scope: system
+    state: restarted
--- a/roles/init-server/tasks/contingent/pkg/headscale.yml
+++ b/roles/init-server/tasks/contingent/pkg/headscale.yml
@@ -32,6 +32,7 @@
    cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}'"
  # vars:
  #   default_pfp: ~
+  loop: "{{ tail.users }}"
  register: headscale_registration
  changed_when:
    - "'User created' in headscale_registration.stdout"
--- a/roles/init-server/tasks/contingent/pkg/vim.yml
+++ b/roles/init-server/tasks/contingent/pkg/vim.yml
@@ -19,6 +19,7 @@
        recurse: true
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
+        mode: "755"
        state: directory
      loop:
        - autoload
@@ -30,7 +31,7 @@
  become_user: "{{ current_user.stdout }}"
  ansible.builtin.uri:
    url: "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
-    dest: "{{ ansible_user_home.stdout }}/.vim/autoload/"
+    dest: "{{ ansible_user_home.stdout }}/.vim/autoload/plug.vim"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    force: true
@@ -46,4 +47,9 @@
    group: "{{ ansible_user }}"
    force: true
    backup: true
-  # @TODO run command to make sure plugins referenced in 'vimrc' are installed
+- name: Informing user of need to manually run PlugInstall in ViM
+  ansible.builtin.debug:
+    msg: "Make sure to run \":PlugInstall\" the first time you open/use ViM"
+- name: Pausing to ensure user has read message about needed manual PlugInstall execution for ViM
+  ansible.builtin.pause:
+    seconds: 30
--- a/roles/init-server/tasks/spawn.yml
+++ b/roles/init-server/tasks/spawn.yml
@@ -18,20 +18,41 @@
  ansible.builtin.set_fact:
    root_pubkeys: "{{ root_pubkeys | default([]) + [lookup('file', item)] }}"
  loop: "{{ root_pubkey_paths }}"
+- name: Ensuring password is defined for root user
+  when: prehashed_password is undefined or prehashed_password == None
+  block:
+    - name: Prompting for password for or of root user
+      when: password is undefined or password == None
+      ansible.builtin.pause:
+        prompt: "Provide a password for the root user"
+        echo: false
+      register: prompted_password
+    - name: Getting the inputted password for root user
+      when: prompted_password is defined or prompted_password != None
+      ansible.builtin.set_fact:
+        prehashed_password: "{{ prompted_password.user_input }}"
 - name: Bootstrapping VPS
  block:
+    - name: Ensuring token is available for VPS service API
+      when: token is undefined or token == None
+      ansible.builtin.pause:
+        prompt: "Provide the API token for the given VPS service"
+        echo: false
+      register: prompted_token
    - name: Creating VPS via Linode VPS service API
      block:
        - name: Creating the VPS
          linode.cloud.instance:
-            api_token: "{{ token }}"
+            api_token: "{{ token | prompted_token.user_input }}"
            label: "{{ instance }}"
            type: g6-standard-2
            image: "{{ operating_system }}"
            disk_encryption: enabled
            region: "{{ origin }}"
            private_ip: true
-            root_pass: "{{ password }}"
+            # @TODO find out if 'root_pass' attribute takes in hashed or plaintext password
+            # root_pass: "{{ password | default((prehashed_password | lookup('password_hash', hashtype='sha512'))) }}" # IF HASHED
+            root_pass: "{{ password | default(prehashed_password) }}" # IF PLAINTEXT
            authorized_keys: "{{ root_pubkeys }}"
            state: present
          register: new_instance
@@ -43,7 +64,6 @@
            timeout: 300
          vars:
            ansible_ssh_private_key_file: "{{ chosen_privkey | default(ssh_keypairs.files | rejectattr('path', 'search', '\\.pub$') | map(attribute='path') | list | random) }}" # @TODO define 'chosen_privkey'in playbook
-            ansible_user: root
          loop: "{{ new_instance.instance[ip_pref] }}"
      tags:
        - linode
@@ -66,8 +86,6 @@
          ansible.builtin.wait_for_connection:
            delay: 20
            timeout: 300
-          vars:
-            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
        - name: Checking if that server has required operating system
          delegate_to: "{{ item }}"
@@ -76,8 +94,6 @@
          when: ansible_facts["system"] != "Linux" and item is ansible.utils['ip_pref']
          ansible.builtin.fail:
            msg: Unsupported operating system found
-          vars:
-            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
        - name: Checking if that server has required Linux distro
          delegate_to: "{{ item }}"
@@ -86,19 +102,16 @@
          when: ansible_facts["system"] == "Linux" and ansible_facts["os_family"] != "Debian" and item is ansible.utils['ip_pref']
          ansible.builtin.fail:
            msg: Unsupported Linux distro found
-          vars:
-            ansible_user: root
          loop: "{{ groups[instance] | default(hostvars[instance]) }}"
    - name: Providing authorized keys for server root account
      delegate_to: "{{ item[0] }}"
      delegate_facts: true
+      become: true
      remote_user: root
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', item[1]) }}"
        state: present
-      vars:
-        ansible_user: root
      loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
  tags:
    - lan
--- a/roles/init-server/tasks/ssh-users.yml
+++ b/roles/init-server/tasks/ssh-users.yml
@@ -16,6 +16,27 @@
      register: remote_group
      tags:
        - lan
+    - name: Managing passwords
+      when: prehashed_passwords is undefined or prehashed_passwords == None
+      block:
+        - name: Acquiring users lacking passwords
+          ansible.builtin.set_fact:
+            passwordless_admins: "{{ admins | selectattr('password', '==', 'null') | list }}"
+        - name: Pausing to acquire password for a user
+          when: item.password is undefined or item.password == None
+          ansible.builtin.pause:
+            prompt: "Provide a password for the administrative user, {{ item.username }}"
+            echo: false
+          loop: "{{ passwordless_admins }}"
+          register: prompted_passwords
+        - name: Processing inputted password per user
+          when: prompted_passwords is defined and prompted_passwords != None
+          ansible.builtin.set_fact:
+            prehashed_passwords: "{{ (prompted_passwords.results | default([])) | map(attribute='user_input') | list }}"
+        - name: Pairing inputted passwords with associated user
+          when: prehashed_passwords is defined or prehashed_passwords != None
+          ansible.builtin.set_fact:
+            prehashed_passwords: "{{ dict(passwordless_admins | map(attribute='username') | zip(prehashed_passwords) | list) }}"
    - name: Creating an administrative user
      become: true
      ansible.builtin.user:
@@ -27,7 +48,7 @@
        append: true
        generate_ssh_key: true
        create_home: true
-        password: "{{ item.password }}"
+        password: "{{ item.password | default((prehashed_passwords[item.username] | password_hash(hashtype='sha512'))) }}"
        shell: "/bin/bash"
      loop: "{{ admins }}"
      register: admin_users
--- a/skato-ansible.sh
+++ b/skato-ansible.sh
@@ -8,25 +8,30 @@ SKANSIBLE_DEBUG=1
 SKANSIBLE_UNIT_TEST=1
 DEFAULT_USER=senpai
 DEFAULT_SKANSIBLE_PLAY_HOST=vps
+SKANSIBLE_SSH_KEY_COLLECTION=(~/.ssh/ed25519\@staging ~/.ssh/ecdsa\@staging ~/.ssh/ed25519-37851076-sk\@staging ~/.ssh/ecdsa-37851076-sk\@staging)

 if [[ "$1" == "version" ]]; then
    echo "0.0.0"
 fi

 if [[ "$1" == "show-defaults" ]]; then
+    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    printf "User: %s\n" "$DEFAULT_USER"
    printf "Expected hosts for playbook: %s\n" "$DEFAULT_SKANSIBLE_PLAY_HOST"
    printf "Private SSH keys available throufh SSH agent: |\n%s\n" "$(ssh-add -l)"
 fi

 if [[ "$1" == "start-agent" ]]; then
+    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    eval "$(ssh-agent -s)"
 fi

 if [[ "$1" == "populate-agent" ]]; then
    shift 1
+
+    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
    
-    if [[ -z "$1" ]]; then
+    if [[ "$1" == "all" ]]; then
        for SKANSIBLE_SSH_KEY in ~/.ssh/*; do
            case $SKANSIBLE_SSH_KEY in
                *.pub);;
@@ -39,12 +44,21 @@ if [[ "$1" == "populate-agent" ]]; then
                *) ssh-add "${SKANSIBLE_SSH_KEY}";;
            esac
        done
-    else
+    elif [[ "$1" == "select" ]]; then
+        for key in "${SKANSIBLE_SSH_KEY_COLLECTION[@]}"; do
+            ssh-add "$key"
+        done
+    elif [[ -z "$1" ]]; then
        # @TODO improve by adding fuzzy querying or file finding pror
        ssh-add "$1"
    fi
 fi

+if [[ "$1" == "list-agent" ]]; then
+    source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
+    ssh-add -l
+fi
+
 if [[ "$1" == "init" ]]; then
    shift 1
Author	SHA1	Message	Date
Alex Tavarez	bd3029b914	made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible	2026-06-18 19:20:56 -04:00
Alex Tavarez	57a3e876b8	added task informing user of needed actions to take advantage of now-avaialble vim plugins	2026-06-18 19:19:23 -04:00
Alex Tavarez	1ce6879abf	fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes	2026-06-18 19:18:26 -04:00
Alex Tavarez	9ea7fb37b0	fixed missing loop variable for headscale user registration task	2026-06-18 19:17:16 -04:00
Alex Tavarez	7584027890	moved VIM and Crowdsec setup handler listener, former due to now being userspace package group installation, latter due to needing to precede headscale handler tasks	2026-06-18 19:16:26 -04:00
Alex Tavarez	a78613920c	moved vim to userspace package group, referenced crowdsec handler, added password hashing/encryption	2026-06-18 19:14:14 -04:00
Alex Tavarez	0dd0633166	hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent	2026-06-17 14:42:16 -04:00
Alex Tavarez	9945330b82	added task block to prompt user for a fallback password if given root password is null	2026-06-17 14:40:35 -04:00
Alex Tavarez	f4399a2c8a	added task block to prompt user for a fallback password if given user password is null	2026-06-17 14:40:17 -04:00
Alex Tavarez	596b828e6f	changed SSH key queries to dedicated SSH keys, and automated password creation, for staging; removed token to be prompted instead	2026-06-17 14:39:10 -04:00
Alex Tavarez	13ef8fa459	made ungrouped hosts be two machines for staging or more	2026-06-17 14:36:26 -04:00