Fixing SSH passphrase

inventory/dev/group_vars/all.yml

@@ -4,4 +4,3 @@ docker_users:
 docker_install_compose: true
 docker_install_compose_plugin: true
 server_name: "{{ ansible_fqdn | default(ansible_hostname) }}"
-ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"

inventory/dev/group_vars/semaphore.yml

@@ -3,10 +3,9 @@ semaphore_web_root: 'https://controller'
 semaphore_db_host: '127.0.0.1'
 nginx_add_repo: false
 
-ssh_passphrase: "SomethingYouNeedToUse"
+ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"
 
 use_docker: true
-use_podman: false
 use_opentofu: true
 use_powershell: false
 use_terraform: false

inventory/local/group_vars/all.yml

@@ -2,4 +2,3 @@
 docker_install_compose: true
 docker_install_compose_plugin: true
 server_name: "{{ lookup('env', 'HOSTNAME') }}"
-ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"

inventory/local/group_vars/semaphore.yml

@@ -3,7 +3,7 @@ semaphore_web_root: 'https://20.224.75.82'
 semaphore_db_host: '127.0.0.1'
 nginx_add_repo: false
 
-ssh_passphrase: "SomethingYouNeedToUse"
+ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"
 
 use_docker: true
 use_opentofu: false

inventory/test/group_vars/all.yml

@@ -2,4 +2,3 @@
 docker_install_compose: true
 docker_install_compose_plugin: true
 server_name: acsNode
-ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"

inventory/test/group_vars/semaphore.yml

@@ -1,3 +1,11 @@
 ---
 semaphore_web_root: 'https://controller'
 nginx_add_repo: false
+
+ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"
+
+use_docker: true
+use_opentofu: true
+use_powershell: false
+use_terraform: false
+terraform_ver: 1.9.8

provision.yml

@@ -10,17 +10,20 @@
 
   pre_tasks:
     - name: Lookup DB_PASS in environment variables
+      when: desired_state is not defined or desired_state == 'absent'
       ansible.builtin.set_fact:
         check_db_pass: "{{ lookup('env', 'DB_PASS') }}"
       no_log: true
 
     - name: Assert that DB_PASS is defined
+      when: desired_state is not defined or desired_state == 'absent'
       ansible.builtin.assert:
         that:
           - check_db_pass | length > 8
         msg: |
           run this shell command before this playbook:
-          export DB_PASS=aVeryStrongDatabasePassword
+          read -sp "Enter database password: " DB_PASS && export DB_PASS ; echo
+      no_log: true
 
   roles:
     - role: postgres
@@ -30,6 +33,7 @@
   become: true
   gather_facts: true
   tags: [tools]
+
   tasks:
     - name: Install Docker
       when: use_docker | bool
@@ -51,14 +55,6 @@
       ansible.builtin.include_role:
         name: andrewrothstein.terraform
 
-- name: Semaphore in Systemd
-  hosts: semaphore
-  become: true
-  gather_facts: true
-  roles:
-    - role: semaphore
-      tags: [semaphore]
-
 - name: Reverse Proxy
   hosts: web
   become: true
@@ -67,6 +63,30 @@
     - role: nginx
       tags: [nginx]
 
+- name: Semaphore in Systemd
+  hosts: semaphore
+  become: true
+  gather_facts: true
+  tags: [semaphore]
+
+  pre_tasks:
+    - name: Lookup SSH_PASS in environment variables
+      ansible.builtin.set_fact:
+        ssh_passphrase: "{{ lookup('env', 'SSH_PASS') }}"
+      no_log: true
+
+    - name: Assert that SSH_PASS is defined
+      ansible.builtin.assert:
+        that:
+          - ssh_passphrase | length > 8
+        msg: |
+          run this shell command before this playbook:
+          read -sp "Enter ssh key passphrase: " SSH_PASS && export SSH_PASS ; echo
+      no_log: true
+
+  roles:
+    - role: semaphore
+
 - name: Configure Semaphore
   hosts: semaphore
   become: true

roles/api/tasks/credentials.yml

@@ -1,15 +1,20 @@
 ---
 
-- name: "Read Ansible SSH key from system"
+- name: Assert that ssh_passphrase.length > 8
+  ansible.builtin.assert:
+    that: ssh_passphrase | length > 8
+    msg: ssh_passphrase needs to conform
+
+- name: Read Ansible SSH key from system
   ansible.builtin.slurp:
     path: "/home/semaphore/.ssh/id_ed25519"
   register: "ssh_key_ansible"
   no_log: "{{ not debug }}"
 
-- name: "Configure Key Store"
+- name: Configure Key Store
   block:
 
-    - name: "Determine keys"
+    - name: Determine keys
       changed_when: false
       check_mode: false
       ansible.builtin.uri:
@@ -18,9 +23,9 @@
         headers:
           Cookie: "{{ cookie }}"
         status_code: 200
-      register: "semaphore_keystores"
+      register: semaphore_keystores
 
-    - name: "Create SSH key for Controller"
+    - name: Create SSH key for Controller
       changed_when: "semaphore_key_ansible_created.status == 204"
       ansible.builtin.uri:
         url: "{{ semaphore_api_url }}/project/{{ semaphore_project_id }}/keys"
@@ -45,7 +50,7 @@
       when:
         - "semaphore_keystores.json | selectattr('name', 'equalto', 'Controller-ssh-key') | length == 0"
 
-    - name: "Read ssh key from system"
+    - name: Read ssh key from system
       delegate_to: localhost
       connection: local
       become: false
@@ -55,7 +60,7 @@
       register: "ssh_key_github"
       failed_when: false
 
-    - name: "Create SSH key for GitHub"
+    - name: Create SSH key for GitHub
       changed_when: "semaphore_key_github_created.status == 204"
       ansible.builtin.uri:
         use_proxy: false

roles/requirements.yml

@@ -9,4 +9,4 @@ roles:
     version: 1.0.0
   - src: bbaassssiiee.nginx_ssl
     name: nginx
-    version: 1.0.0
+    version: 1.0.1

roles/semaphore/tasks/absent.yml

@@ -41,6 +41,7 @@
   ansible.builtin.user:
     name: semaphore
     state: absent
+    force: true
 
 - name: Remove semaphore package
   ansible.builtin.package:

roles/semaphore/tasks/present.yml

@@ -15,6 +15,11 @@
     policy: targeted
     state: permissive
 
+- name: Assert that ssh_passphrase.length > 8
+  ansible.builtin.assert:
+    that: ssh_passphrase | length > 8
+    msg: "{{ ssh_passphrase }} needs to conform."
+
 - name: Create semaphore user
   ansible.builtin.user:
     name: semaphore
@@ -122,7 +127,7 @@
   notify:
     - Restart semaphore
 
-- name: Create semaphoreui SELinux policy
+- name: Create Semaphoreui SELinux policy
   when: piet is defined
   block:
     - name: Copy policy files