From 8766af831c50a8b2298d23dbe35ca3a78eab3269 Mon Sep 17 00:00:00 2001
From: counterweight
Date: Wed, 9 Jul 2025 00:32:51 +0200
Subject: [PATCH] a few things
---
 01_infra_setup.md | 2 +-
 ansible/infra/01_user_and_access_setup_playbook.yml | 11 +++++++++--
 ...y.yml.yml => setup_backup_vaultwarden_to_lapy.yml} | 0
 3 files changed, 10 insertions(+), 3 deletions(-)
 rename ansible/services/vaultwarden/{setup_backup_vaultwarden_to_lapy.yml.yml => setup_backup_vaultwarden_to_lapy.yml} (100%)
diff --git a/01_infra_setup.md b/01_infra_setup.md
index 1642d40..b34549e 100644
--- a/01_infra_setup.md
+++ b/01_infra_setup.md
@@ -22,7 +22,7 @@ This describes how to prepare each machine before deploying services on them.
 ### Source the VPS
-* The guide is agnostic to which provider you pick, but has been tested with VMs from https://lnvps.net.
+* The guide is agnostic to which provider you pick, but has been tested with VMs from https://99stack.com and contains some operations that are specifically relevant to their VPSs.
 * The expectations are that the VPS ticks the following boxes:
 + Runs Debian 12 bookworm.
 + Has a public IP4 and starts out with SSH listening on port 22.
diff --git a/ansible/infra/01_user_and_access_setup_playbook.yml b/ansible/infra/01_user_and_access_setup_playbook.yml
index ed8918b..a812242 100644
--- a/ansible/infra/01_user_and_access_setup_playbook.yml
+++ b/ansible/infra/01_user_and_access_setup_playbook.yml
@@ -29,7 +29,7 @@
 - name: Copy current user's authorized_keys to new user
 copy:
- src: "/home/{{ ansible_user }}/.ssh/authorized_keys"
+ src: "{{ (ansible_user == 'root') | ternary('/root/.ssh/authorized_keys', '/home/' + ansible_user + '/.ssh/authorized_keys') }}"
 dest: "/home/{{ new_user }}/.ssh/authorized_keys"
 owner: "{{ new_user }}"
 group: "{{ new_user }}"
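Review bot: The new `src` expression in the "Copy current user's authorized_keys to new user" task special-cases root but still assumes every other login user lives under `/home/<name>`, and the one-line Jinja ternary carries no explanation. A comment above it, for example `# root's home is /root, not /home/root (needed when the image's first login is root)`, would record the intent; that reason is presumably what the README change means by provider-specific operations. Note that this task hands every key authorized for the bootstrap account (root, in that case) to `new_user`, so the source file deserves a look before the play is run. The task continues past the end of the hunk, so whether `remote_src` and a restrictive `mode` are set cannot be confirmed from here.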
@@ -58,8 +58,15 @@
 line: "PasswordAuthentication no",
 }
+ - name: Ensure PasswordAuthentication is set to no in cloud-init config
+ lineinfile:
+ path: /etc/ssh/sshd_config.d/50-cloud-init.conf
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ create: yes
+ backup: yes
+
 - name: Restart SSH
 service:
 name: ssh
 state: restarted
-
diff --git a/ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml.yml b/ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml
similarity index 100%
rename from ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml.yml
rename to ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml
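Review bot: The added lineinfile task in the `@@ -58,8 +58,15 @@` hunk pins only `50-cloud-init.conf`, but sshd keeps the first value it reads for a keyword, so another drop-in under `/etc/ssh/sshd_config.d/` that is read earlier could still leave password logins enabled, and the unconditional "Restart SSH" that follows never checks the outcome. I would add a read-only check of the effective configuration with `sshd -T` between the new task and the restart, so the play fails rather than restarting sshd with password authentication still on or with a config that no longer parses. As a style point, `create: yes` and `backup: yes` are better written as `true`, and since `create` may produce a new file its `owner` and `mode` are worth stating explicitly. The earlier lineinfile loop that this task follows starts outside the hunk.

```yaml
    # … unchanged: "Ensure PasswordAuthentication is set to no in cloud-init config" …

    - name: Verify sshd's effective configuration disables password authentication
      command: sshd -T
      register: sshd_effective
      changed_when: false
      failed_when: >-
        sshd_effective.rc != 0 or
        'passwordauthentication no' not in sshd_effective.stdout

    - name: Restart SSH
```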