---
# Intended to be run once for every new server to secure the ssh connection, allowing the team
# access with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.

# It also ensures python2 is installed, as it's necessary for the modules used in this playbook
# at the time of this writing.
# NOTE(review): fact gathering is on by default and itself needs Python on the target; confirm
# the python2 bootstrap in the role is reachable on a host that has none.

# The login data used depends on the server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.

# The following line is an example for securing a new vagrant machine, after running `vagrant up`
# (the Vagrant insecure key is publicly known, so this form is for local test VMs only):
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'

# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'

# If you don't have an ssh key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass

# ansible_become_password below is vault-encrypted, so each invocation also needs the vault
# secret (e.g. --ask-vault-pass), unless a vault password file is configured elsewhere.

# Runs against every host in the inventory given with -i.
- hosts: all
  vars:
    # Created with the command below. A placeholder is shown: do not record the real value,
    # its length or any of its characters in this file.
    #
    # echo -n '<BECOME_PASSWORD>' | ansible-vault encrypt_string --stdin-name 'ansible_become_password'
    #
    # Piping the value through echo leaves it in shell history. Running
    # `ansible-vault encrypt_string --stdin-name 'ansible_become_password'` on its own and
    # typing the value (end input with Ctrl-D, without pressing Enter first) avoids that.
    #
    # Set at play level, so the same become password is used for every host in this play.
    ansible_become_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      34396433383837666135346136643137633333316131633235353039613361626631346434653636
      6431366536663636323537633965306135343239626434660a386663353837396263333035356365
      32636236383566316565383137613232353066313032373430643631303433616265323566663165
      3539316363386538370a353937613535313538366562616334313566366332393532616630636133
      6562
  # The actual work (user creation, ssh configuration) is done by this role, which is not
  # shown in this file.
  roles:
    - common