From 2b258105e80eae3df2896f1694b8b718abd53e48 Mon Sep 17 00:00:00 2001
From: Tobias Petrich <tobias@rohrschacht.de>
Date: Sat, 27 Dec 2025 17:46:43 +0100
Subject: [PATCH] make more idempotent and extend README.md

---
 ansible/README.md                             | 46 ++++++++++++++++++-
 ansible/roles/hardening/tasks/ssh.yml         |  1 +
 .../rootless_host/tasks/rootless_ports.yml    |  1 +
 .../roles/services/tasks/enable_linger.yml    | 12 ++++-
 .../roles/services/tasks/enable_service.yml   |  4 +-
 ansible/roles/services/tasks/main.yml         |  5 +-
 ansible/roles/services/tasks/setup.yml        |  5 ++
 ansible/roles/services/vars/main.yml          | 10 ++--
 8 files changed, 74 insertions(+), 10 deletions(-)

diff --git a/ansible/README.md b/ansible/README.md
index 53949b8..77d95e6 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -8,6 +8,8 @@ they are handled as specific for how each user accesses a specific host.
 (Vaulted) Variables for the services are stored in the group_vars,
 they are shared between all administrators of the host.
 
+Vaults can be automatically decrypted using a GPG key (best using a connected Yubikey).
+
 ## Requirements
 
 Create vars and vault file for accessing the host following this structure.
@@ -27,8 +29,50 @@ ansible_become_method: sudo
 ansible_become_pass: EXAMPLE
 ```
 
+## Automatic vault decryption setup
+
+Vaults can have a Vault ID, which is specified in the vault file. Just change the starting line in the file
+`$ANSIBLE_VAULT;1.2;AES256` to `$ANSIBLE_VAULT;1.2;AES256;podman_hosts`.
+
+Assumption: The GPG key ID intended for use is D5AF83DDD5F8523A.
+
+Create an encrypted GPG file called `vault-passwords.gpg` for the GPG key you will be using with content like this:
+```text
+VAULT_ID1 vault_password1
+VAULT_ID2 vault_password2
+```
+
+This can be created ad-hoc using either fish or bash.
+Fish supports a command called `psub` which can be used to pipe the output of a command into a file securely.
+Bash can be used with a cat heredoc.
+
+### fish
+```fish
+gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg (psub)
+```
+Then in the psub editor, enter the content:
+```text
+VAULT_ID1 vault_password1
+VAULT_ID2 vault_password2
+```
+
+
+### bash
+```bash
+gpg --quiet --encrypt --recipient D5AF83DDD5F8523A --output vault-passwords.gpg <<EOF
+VAULT_ID1 vault_password1
+VAULT_ID2 vault_password2
+EOF
+```
+
+In the ansible.cfg, the passwords of vaults with specified IDs are configured to be retrieved from
+`lookup-secret-client.bash`, which in turn looks for the encrypted `vault-passwords.gpg` file.
+
+If you add more vaults, add them line-by-line with their Vault ID and password to the encrypted `vault-passwords.gpg`
+file, and add them to the comma-separated list vault_identity_list in `ansible.cfg`.
+
 ## Usage
 
 ```shell
-ansible-playbook main.yml
+ansible-playbook -i inventories/production/hosts.yml main.yml
 ```
diff --git a/ansible/roles/hardening/tasks/ssh.yml b/ansible/roles/hardening/tasks/ssh.yml
index d809468..bf88ffd 100644
--- a/ansible/roles/hardening/tasks/ssh.yml
+++ b/ansible/roles/hardening/tasks/ssh.yml
@@ -44,6 +44,7 @@
 - name: Verify SSH configuration settings
   shell: "sshd -T"
   register: ssh_config_result
+  changed_when: false
 
 - name: Check specific SSH settings
   debug:
diff --git a/ansible/roles/rootless_host/tasks/rootless_ports.yml b/ansible/roles/rootless_host/tasks/rootless_ports.yml
index 1995f9c..c377aaf 100644
--- a/ansible/roles/rootless_host/tasks/rootless_ports.yml
+++ b/ansible/roles/rootless_host/tasks/rootless_ports.yml
@@ -9,6 +9,7 @@
 - name: Verify the sysctl setting
   command: sysctl net.ipv4.ip_unprivileged_port_start
   register: sysctl_result
+  changed_when: false
 
 - debug:
     msg: "net.ipv4.ip_unprivileged_port_start: {{ sysctl_result.stdout }}"
diff --git a/ansible/roles/services/tasks/enable_linger.yml b/ansible/roles/services/tasks/enable_linger.yml
index 230c0a4..44a94b0 100644
--- a/ansible/roles/services/tasks/enable_linger.yml
+++ b/ansible/roles/services/tasks/enable_linger.yml
@@ -1,4 +1,14 @@
----
+- name: Check for existence of /var/lib/systemd/linger/{{ service_name }}
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ service_name }}"
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+    follow: false
+  register: linger_stat
+  changed_when: false
+
 - name: Enable linger for the user
   ansible.builtin.command:
     cmd: "loginctl enable-linger {{ service_name }}"
+  when: not linger_stat.stat.exists
diff --git a/ansible/roles/services/tasks/enable_service.yml b/ansible/roles/services/tasks/enable_service.yml
index 8f4357f..7d9ef8b 100644
--- a/ansible/roles/services/tasks/enable_service.yml
+++ b/ansible/roles/services/tasks/enable_service.yml
@@ -1,14 +1,16 @@
----
 - name: Check if service is already running
   ansible.builtin.command:
     cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active {{ systemd_service_name }}' | grep -qv inactive"
   register: service_status
   ignore_errors: yes
+  changed_when: false
+
 - name: Enable and start the main service
   ansible.builtin.command:
     cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user daemon-reload && systemctl --user start {{ systemd_service_name }}'"
   become: yes
   when: service_status.rc != 0 and (quadlet_files_copied.changed or force_systemd_restart)
+
 - name: Restart the main service
   ansible.builtin.command:
     cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user daemon-reload && systemctl --user restart {{ systemd_service_name }}'"
diff --git a/ansible/roles/services/tasks/main.yml b/ansible/roles/services/tasks/main.yml
index c03c651..b22c537 100644
--- a/ansible/roles/services/tasks/main.yml
+++ b/ansible/roles/services/tasks/main.yml
@@ -30,8 +30,9 @@
 
 - name: Enable linger for the user
   loop: "{{ services | dict2items }}"
-  ansible.builtin.command:
-    cmd: "loginctl enable-linger {{ item.key }}"
+  include_tasks: enable_linger.yml
+  vars:
+    service_name: "{{ item.key }}"
 
 - name: Copy Quadlet files
   loop: "{{ services | dict2items }}"
diff --git a/ansible/roles/services/tasks/setup.yml b/ansible/roles/services/tasks/setup.yml
index 37be521..ebee2f4 100644
--- a/ansible/roles/services/tasks/setup.yml
+++ b/ansible/roles/services/tasks/setup.yml
@@ -3,17 +3,22 @@
     cmd: "zypper se -i systemd-container"
   register: systemd_container_installed
   ignore_errors: yes
+  changed_when: false
+
 - name: Check if podman is installed
   ansible.builtin.command:
     cmd: "zypper se -i podman"
   register: podman_installed
   ignore_errors: yes
+  changed_when: false
+
 - name: Install software if not installed
   ansible.builtin.command:
     cmd: "transactional-update --non-interactive pkg in systemd-container podman"
   become: yes
   when: systemd_container_installed.rc != 0 or podman_installed.rc != 0
   register: software_installed
+
 - name: Reboot if software was installed
   ansible.builtin.reboot:
   when: software_installed.changed
\ No newline at end of file
diff --git a/ansible/roles/services/vars/main.yml b/ansible/roles/services/vars/main.yml
index f4636bf..134c627 100644
--- a/ansible/roles/services/vars/main.yml
+++ b/ansible/roles/services/vars/main.yml
@@ -16,12 +16,12 @@ services:
     systemd_service_name: "actual"
   nextcloud:
     systemd_service_name: "nextcloud-pod"
-    services_directories:
+    service_directories:
       - db
       - data
   paperless:
     systemd_service_name: "paperless-pod"
-    services_directories:
+    service_directories:
       - br
       - db
       - data
@@ -30,12 +30,12 @@ services:
       - consume
   bookstack:
     systemd_service_name: "bookstack-pod"
-    services_directories:
+    service_directories:
       - db
       - data
   rustdesk:
     systemd_service_name: "rustdesk-pod"
-    services_directories:
+    service_directories:
       - data
   languagetool:
     systemd_service_name: "languagetool"
@@ -43,6 +43,6 @@ services:
       - ngrams
   sgnarva:
     systemd_service_name: "sgnarva-pod"
-    services_directories:
+    service_directories:
       - sgnarvaweb
       - sgnarvadb