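---
# os_base role tasks: hostname/fqdn, system groups and users, ssh keys,
# APT preferences, base packages and sudo policy.
#
# Inputs (role/inventory vars): system_accounts, system_packages,
# system_hostname, system_domain, system_fqdn, system_packages_norecommend,
# system_packages_nosuggest.

# Show the resolved role configuration when run with -v (tag: config_show).
- name: Display os_base role
  ansible.builtin.debug:
    var: role_config
    verbosity: 1
  vars:
    role_config:
      system_accounts: "{{ system_accounts }}"
      system_packages: "{{ system_packages }}"
      system_hostname: "{{ system_hostname }}"
      system_domain: "{{ system_domain }}"
      system_fqdn: "{{ system_fqdn }}"
      # Human-readable summary of what this task file does, for the debug output.
      tasks:
        - "Configure system hostname, domain and fqdn"
        - Ensure system security groups are present
        - Create system users from system_accounts
        - Ensure ssh keys are correctly deployed
        - Configure APT preferences in minimal mode
        - Install base packages
        - Configure sudo, add wheel group, allow passwordless
  tags:
    - config_show

# Configure system fqdn
# ==========================
- name: Configure system hostname in /etc/hosts
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.1\.1 '
    line: '127.0.1.1 {{ system_fqdn }} {{ system_hostname }}'
    state: present

# The hostname module is idempotent and check-mode aware, so the former shell
# command (with its check_mode: false / `test ... == true` workaround and the
# "only when /etc/hosts changed" guard) is not needed.  It also converges hosts
# where /etc/hosts was already correct but the running hostname was not, and
# system_hostname is no longer interpolated into a shell command line.
- name: Apply system hostname
  ansible.builtin.hostname:
    name: "{{ system_hostname }}"

# Configure groups and users
# ==========================
- name: Ensure system security groups exists
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
    system: true
  loop:
    - wheel
    - sudo
  loop_control:
    # Label names the group being ensured (the previous label was a
    # copy-pasted "Install package" message).
    label: "Ensure group: {{ item }}"

# One entry per element of system_accounts.  Only `name` is required; groups,
# state, shell, system, comment, home and uid are optional and default here.
- name: Create users
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups: "{{ item.groups | default([]) }}"
    state: "{{ item.state | default('present') }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    system: "{{ _system }}"
    comment: "{{ item.comment | default(omit) }}"
    create_home: true
    home: "{{ item.home | default('/home/' + item.name) }}"
    uid: "{{ item.uid | default(omit) }}"
  loop: "{{ system_accounts }}"
  loop_control:
    # uid and comment are optional above, so they must be defaulted in the
    # label too or the label itself fails on an undefined attribute.
    label: "Create {{ _system | ternary('system', 'regular') }} user: {{ item.name }} ({{ item.uid | default('auto uid') }}, {{ item.comment | default('No comments') }})"
  vars:
    _system: "{{ item.system | default(false) }}"

# Iterates (account, key) pairs for every account that defines `sshkeys`.
- name: Deploy all ssh keys
  ansible.posix.authorized_key:
    user: "{{ _user_name }}"
    state: "{{ _sshkey_state }}"
    key: "{{ _sshkey }}"
    follow: true
    path: "{{ _home_dir }}/.ssh/authorized_keys"
  loop: "{{ system_accounts | selectattr('sshkeys', 'defined') | subelements('sshkeys') }}"
  loop_control:
    label: "Deploy '{{ _user_name }}' public key: {{ _sshkey_comment }}"
  vars:
    _user_name: "{{ item.0.name }}"
    _home_dir: "{{ item.0.home | default('/home/' + item.0.name) }}"
    _sshkey_state: "{{ item.0.sshkey_state | default('present') }}"
    _sshkey: "{{ item.1 }}"
    # The last whitespace-separated field of a public key line is its comment.
    _sshkey_comment: "{{ _sshkey | split(' ') | last }}"

# Configure package manager
# ==========================
# APT reads the value as a boolean: 0 disables, 1 enables, hence the
# `| bool | ternary(0, 1)` inversion of the *_norecommend / *_nosuggest flags.
- name: Configure APT preferences
  ansible.builtin.copy:
    dest: "/etc/apt/apt.conf.d/{{ item.name }}"
    content: "{{ item.content }}"
    owner: root
    group: root
    # Explicit mode so the fragment does not inherit the controller's umask.
    mode: "0644"
  loop:
    - name: 01-norecommend
      content: |
        APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(0, 1) }}";
    - name: 02-suggest
      content: |
        APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(0, 1) }}";
  loop_control:
    label: "Ensure APT preference: {{ item.content }}"

- name: Install base tools
  ansible.builtin.package:
    name: "{{ system_packages }}"
    state: present
  # Failures are tolerated only in check mode, as in the original task.
  ignore_errors: "{{ ansible_check_mode }}"

# Configure sudo
# ==============
- name: Prepare sudo config for wheel group
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/wheel"
    owner: root
    group: root
    mode: "0440"
    # Syntax-check the drop-in before installing it: a malformed sudoers
    # fragment disables sudo for every administrator on the host.
    validate: /usr/sbin/visudo -cf %s
    content: |
      Defaults:%wheel !requiretty
      %wheel ALL=(ALL) NOPASSWD: ALL

# Accounts listing 'sudo' in `permissions` get password-protected sudo via the
# distro's sudo group.
- name: Add managed users to sudo with password
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups:
      - sudo
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to sudo group: {{ item.name }}"
  when: "'sudo' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"

# Accounts listing 'sudo_nopass' in `permissions` join wheel (NOPASSWD above).
# This now loops over system_accounts like the sibling task: the previous
# version had no loop, so `perm` referenced an undefined `item` and only
# system_accounts[0] could ever be granted passwordless sudo.
- name: Add managed users to sudo without password
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups:
      - wheel
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to wheel group: {{ item.name }}"
  when: "'sudo_nopass' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"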