From 060065e04071152dbb9963da7ce3121eab002724 Mon Sep 17 00:00:00 2001
From: fencl
Date: Fri, 3 Oct 2025 15:43:43 +0200
Subject: [PATCH] Refactor portainer.yml and miniplay: remove hardcoded passwords for security, update comments for clarity, and enhance task descriptions.

---
 host_vars/portainer.yml | 12 +++--------
 nextcloud/collections/miniplay | 7 ++++---
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/host_vars/portainer.yml b/host_vars/portainer.yml
index 5183cb5..93d3e58 100644
--- a/host_vars/portainer.yml
+++ b/host_vars/portainer.yml
@@ -1,19 +1,13 @@
 ansible_user: howard
-ansible_password: "Papadopolus0" # English: SSH password for howard@portainer
 ansible_connection: ssh
 ansible_port: 22
+ansible_ssh_private_key_file: "/var/lib/semaphore/.ssh/" # English: private key path on Semaphore host
 ansible_ssh_common_args: >-
   -o StrictHostKeyChecking=no
   -o UserKnownHostsFile=/dev/null
   -J root@192.168.69.2
-# English: We escalate to root via sudo.
+# Only keep become if needed:
 ansible_become: true
 ansible_become_method: sudo
-
-# English: SUDO password for howard (often same as SSH password; change if different).
-ansible_become_password: "Papadopolus0"
-
-# (Optional, for older installs—harmless to keep both)
-ansible_ssh_pass: "Papadopolus0"
-ansible_sudo_pass: "Papadopolus0"
\ No newline at end of file
+# ansible_become_password: "..." # only if sudo requires password
\ No newline at end of file
diff --git a/nextcloud/collections/miniplay b/nextcloud/collections/miniplay
index adf06b1..f44f856 100644
--- a/nextcloud/collections/miniplay
+++ b/nextcloud/collections/miniplay
@@ -1,10 +1,11 @@
 ---
-- name: Sanity check SSH + sudo on portainer
+- name: Sanity: pure SSH and then sudo
   hosts: nextcloud_host
   gather_facts: false
   tasks:
-    - name: Who am I as SSH user?
+    - name: Who am I as SSH user? (no sudo)
+      become: false
       ansible.builtin.command: whoami
       changed_when: false
       register: who
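Review bot: The added `ansible_ssh_private_key_file: "/var/lib/semaphore/.ssh/"` names a directory rather than a key file; Ansible passes this value to ssh as the identity file, so authentication to the host will fail until it points at the actual key, e.g. `ansible_ssh_private_key_file: "/var/lib/semaphore/.ssh/<key-file-name>"`. The password values this hunk deletes remain recoverable from the repository history, so the credential should be rotated as part of this change, not merely removed from the working tree. The trailing `# ansible_become_password: "..."` comment invites re-adding a plaintext secret in place; consider rewording it to steer toward a non-inline source, e.g. `# ansible_become_password: supply via --ask-become-pass or an Ansible Vault variable, never inline`. Separately, the retained `-o StrictHostKeyChecking=no` / `-o UserKnownHostsFile=/dev/null` pair leaves the jump connection without host-key verification, which is worth a follow-up if this path is reachable by anything untrusted.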
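Review bot: The new play name `- name: Sanity: pure SSH and then sudo` contains `: ` inside an unquoted scalar, which the YAML parser treats as a second mapping indicator and rejects, so the playbook will no longer load after this change; quote it, `- name: "Sanity: pure SSH and then sudo"`. The `?` in the task names is safe as written (only a leading `? ` is an indicator), and the added `become: false` makes the first task's intent explicit even though nothing visible in this hunk sets `become` at play level.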
@@ -12,7 +13,7 @@
     - ansible.builtin.debug:
         msg: "SSH user is: {{ who.stdout }}"
-    - name: Who am I with sudo?
+    - name: Who am I with sudo? (explicit become)
       become: true
       become_method: sudo
       ansible.builtin.command: whoami