Supports SSH-over-LAN in v2->v3 Onion migration

The dynamic logic to accommodate for SSH-over-LAN includes the
"restrict-direct-access" role, which assumes that Onion Services already
exist on the remote host. That's not the case when migrating from v2 to
v3 Onion services, so let's override the dynamic include logic to
instruct the role *not* to wait for the hostname files to be created.

Later in the playbook, the restrict-direct-access role will run without
the override, fetching back the client auth config that now exists,
since the tor role will also have run by this point.

install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml

@@ -21,6 +21,11 @@ admin_net_int:
     cmd: "/sbin/route -n get "
     rgx: "(?<=interface: )\\w+"
 
+# Whether to fetch back client-auth settings from the remote hosts.
+# We make this conditional to support disabling during dynamic role includes,
+# required for the ssh-over-lan strategy.
+fetch_tor_client_auth_configs: true
+
 # v2 Tor onion services are on / v3 Tor onion services are off by default for backwards
 # compatibility. Note that new install after 1.0 will have v3 enabled by sdconfig which
 # will override these variables.

install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - include: fetch_tor_config.yml
+  when: fetch_tor_client_auth_configs
 
 - include: dh_moduli.yml
 

install_files/ansible-base/securedrop-prod.yml

@@ -37,6 +37,9 @@
     - name: Include restrict role early when using ssh over localnet
       include_role:
         name: restrict-direct-access
+      vars:
+        # Don't wait for tor client auth, might not exist yet
+        fetch_tor_client_auth_configs: false
       when:
         - not enable_ssh_over_tor
         - sd_dir_check.stat.exists