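# Fetch this host's OS account credentials from Vault (KV v2).
# The lookup runs on the controller, with the controller's Vault token; the
# secret path is the reversed FQDN (host.example.com -> com/example/host).
# no_log keeps the returned secret out of task output and callback logs.
- name: 'Get secrets'
  no_log: true
  loop_control:
    loop_var: 'server'
  with_community.hashi_vault.vault_kv2_get:
    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
  ansible.builtin.set_fact:
    vault_data: '{{ server.secret }}'

# First run only ('never' means this runs solely with --tags first_run):
# stop before touching the host when the secret lacks 'initial_password'.
# The include is project-local; its checks are not visible from this file.
- name: 'If a secret is missing fail progress'
  tags:
    - 'first_run'
    - 'never'
  ansible.builtin.include_role:
    name: '10-include-40-check-if-vault-var'
  # Plain mapping instead of the deprecated list-of-dicts form for 'vars'.
  vars:
    inc_vault_data: '{{ vault_data }}'
    fail_check:
      - 'initial_password'

# First run only: bootstrap the SSH session with the initial password from
# Vault until the key material below is in place. no_log prevents the
# password from appearing in the set_fact result.
- name: 'If first run: set SSH password'
  tags:
    - 'first_run'
    - 'never'
  no_log: true
  ansible.builtin.set_fact:
    ansible_password: '{{ vault_data.initial_password }}'

# Owner-only ~/.ssh (u=rwX,go=) for the login user; 'recurse' re-applies
# owner/group/mode to anything already inside the directory.
# NOTE(review): the path is built from root_home_dir_abs but ownership is
# ansible_user. If ansible_user is ever not root while the path is /root/.ssh,
# a non-root account would own root's authorized_keys — confirm the two
# variables always refer to the same account.
- name: 'Make sure ''{{ root_home_dir_abs }}/.ssh'' exists with correct permissions'
  ansible.builtin.file:
    path: '{{ root_home_dir_abs }}/.ssh'
    state: 'directory'
    mode: 'u=rwX,go='
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'
    recurse: true

# Deploy the controller-managed authorized_keys (files/root/.ssh/authorized_keys),
# owner-only so the key list cannot be read or appended to by other local users.
- name: 'Copy ''authorized_keys'' file to server'
  ansible.builtin.copy:
    src: 'root/.ssh/authorized_keys'
    dest: '{{ root_home_dir_abs }}/.ssh/authorized_keys'
    mode: '0600'
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'

# Deploy a pinned known_hosts so outbound SSH from this host does not rely on
# trust-on-first-use.
- name: 'Copy ''known_hosts'' file to server'
  ansible.builtin.copy:
    src: 'root/.ssh/known_hosts'
    dest: '{{ root_home_dir_abs }}/.ssh/known_hosts'
    mode: '0600'
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'

# Red Hat family only: prepend the managed sshd settings from
# files/etc/ssh/sshd_config. Keep insertbefore BOF — sshd honours the first
# occurrence of a keyword, so the block only overrides distro defaults when it
# comes first. Both marker lines start with '#', so sshd sees them as comments.
# 'validate' runs 'sshd -T' on the candidate file before it replaces
# /etc/ssh/sshd_config, so a syntactically broken block is never written.
# Caveat: -T only checks that the config parses; it does not prove the new
# policy still admits this controller's key. The reset_connection /
# wait_for_connection pair below detects a lockout, it does not prevent one.
- name: 'If on Red Hat or derivative OS: secure sshd'
  register: 'rv_secure_sshd'
  when: "ansible_facts['os_family'] | lower == 'redhat'"
  ansible.builtin.blockinfile:
    block: "{{ lookup('file', 'etc/ssh/sshd_config') }}"
    dest: "/etc/ssh/sshd_config"
    state: 'present'
    insertbefore: 'BOF'
    marker: '{mark}'
    marker_begin: '####### Managed remotely via config management ####### quico-ops start'
    marker_end: '####### Managed remotely via config management ####### quico-ops end'
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - 'Restart sshd.service'

# Run the sshd restart handler now rather than at the end of the play, so the
# rest of the play talks to the reconfigured daemon.
- name: 'Flush handlers'
  ansible.builtin.meta: flush_handlers

# Drop the persistent SSH connection so the next task opens a new session
# against the restarted sshd instead of reusing the pre-change socket.
- name: 'Reset connection'
  ansible.builtin.meta: 'reset_connection'

# Only needed if sshd_config actually changed (the registered result is
# 'changed: false' when the task was skipped on non-Red Hat hosts).
# Default module timeout applies (600s); tune it if hosts reboot slowly.
- name: 'Wait for SSH connection to return'
  when: rv_secure_sshd is changed
  ansible.builtin.wait_for_connection:
    connect_timeout: 1
    delay: 1
    sleep: 2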