From 79737b8598700e0d2453108c905e861ff6ce0e85 Mon Sep 17 00:00:00 2001
From: Maksym Buz
Date: Sun, 4 Jan 2026 11:55:56 +0100
Subject: [PATCH] feat: Inject SSH public keys during LXC creation and switch to key-based authentication.
---
 playbooks/create_lxc.yml | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/playbooks/create_lxc.yml b/playbooks/create_lxc.yml
index 235e580..0ed23c2 100644
--- a/playbooks/create_lxc.yml
+++ b/playbooks/create_lxc.yml
@@ -40,7 +40,8 @@
 ostemplate: '{{ proxmox_storage }}:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst'
 vmid: "{{ container_id }}"
 hostname: "{{ container_name }}"
- password: "{{ ansible_password }}"
+ password: "{{ ansible_password }}"
+ pubkey: "{{ my_public_keys | join('\n') }}"
 netif:
 net0: "name=eth0,gw=10.0.0.1,ip={{ container_ip_cidr }},bridge=vmbr0"
 cores: "{{ container_cores }}"
@@ -75,12 +76,8 @@
 groups: new
 ansible_host: "{{ container_ip_cidr | split('/') | first }}"
 ansible_user: root
- ansible_ssh_pass: "{{ ansible_password }}"
- # We need to ignore host key checking for the fresh container to avoid interactive prompt
- ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
-
- ansible_ssh_pass: "{{ ansible_password }}"
- # We need to ignore host key checking for the fresh container to avoid interactive prompt
+ ansible_user: root
+ # Removed ansible_ssh_pass - we rely on the injected key
 ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
 - name: Secure and Configure New Container
@@ -88,15 +85,17 @@
 gather_facts: no
 vars:
 # We must explicitly use the password here because the 'new' group in inventory might not have it set
- ansible_ssh_pass: "{{ hostvars[inventory_hostname]['ansible_ssh_pass'] | default(ansible_password) }}"
+ # We use the key for the initial root connection, NOT the password
+ # Set ansible_ssh_private_key_file if needed, otherwise it uses the agent
 ansible_user: root
+ ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
 vars_files:
 - "../vars.yml"
 tasks:
- - name: Wait for connection
- wait_for_connection:
- timeout: 60
-
+ # Updated to verify SSH key works, not password
+ - name: Verify we can connect (ping)
+ ping:
+
 - name: Create user '{{ target_user }}'
 ansible.builtin.user:
 name: '{{ target_user }}'
@@ -157,4 +156,4 @@
 {{ hostvars[item]['inventory_hostname'] }} ansible_host={{ hostvars[item]['ansible_host'] }}
 insertafter: "^\\[lxc\\]"
 marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HOST {{ hostvars[item]['inventory_hostname'] }}"
- loop: "{{ groups['new'] }}"
+ loop: "{{ groups['new'] }}"
\ No newline at end of file
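Review bot: The new `pubkey: "{{ my_public_keys | join('\n') }}"` installs nothing when `my_public_keys` is an empty list, and nothing in the task checks that at least one key is present, so a container can be created with no working key even though the inventory entry in the next hunk now has no password fallback. A guard before the creation task makes that explicit: `- ansible.builtin.assert:` / `that: my_public_keys | length > 0` / `fail_msg: "my_public_keys must contain at least one SSH public key"`. The `password:` line is kept unchanged, so the root password remains a valid login path unless a later play disables password logins, which is not visible here. The enclosing task starts before the hunk.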
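Review bot: The added `ansible_user: root` directly follows an identical context line `ansible_user: root` in the same add_host mapping, which is a duplicate YAML key; Ansible only warns about this by default and the line adds nothing, so drop it. The comment explaining why host-key checking is disabled was removed while `ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'` stays in place; keep a short comment such as `# Host key checking is disabled only for first contact with the freshly created container` so the weakened setting stays visible to the next reader. With `ansible_ssh_pass` gone, first contact now depends entirely on the key injected in the previous hunk, so the empty-key case raised there applies to this entry as well.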
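Review bot: Replacing `wait_for_connection` with `ping` removes the retry window: `ping` makes a single attempt, so this play fails if the container's sshd is not yet accepting connections when the play starts, whereas the removed task waited up to 60 seconds. `wait_for_connection` also goes through the configured key-based connection, so it already verifies what the new comment says `ping` verifies. Restore it as the first task, `- name: Wait for connection` / `wait_for_connection:` / `timeout: 60`, and keep `ping:` after it if a separate check is wanted. The added `ansible_ssh_common_args` in the play vars repeats the value already set on the add_host entry in the previous hunk; one of the two is enough. The play header starts before the hunk.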