
---
- name: Display os_base role
  # Debug summary of the inputs this role acts on; only shown at -v or above.
  ansible.builtin.debug:
    var: role_config
    verbosity: 1
  vars:
    role_config:
      system_accounts: "{{ system_accounts }}"
      system_packages: "{{ system_packages }}"
      system_hostname: "{{ system_hostname }}"
      system_domain: "{{ system_domain }}"
      system_fqdn: "{{ system_fqdn }}"
      # Human-readable outline of what the role does, in execution order.
      tasks:
        - "Configure system hostname, domain and fqdn"
        - Ensure system security groups are present
        - Create system users from system_accounts
        - Ensure ssh keys are correctly deployed
        - Configure APT preferences in minimal mode
        - Install base packages
        - Configure sudo, add wheel group, allow passwordless
  tags:
    - config_show
# Configure system fqdn
# ==========================
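- name: Configure system hostname in /etc/hosts
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  register: machine_name_changed
  # Skip the real-address entry when no address is configured. The original
  # computed an item.state ternary that the module never read (state was
  # hard-coded to present), and with an empty address the regexp collapses to
  # '^(\t\s)*', which matches every line of /etc/hosts and would overwrite
  # (or, with state=absent, delete) an arbitrary line.
  when: item.manage | bool
  loop:
    - regexp: '^127\.0\.1\.1(\t\s)*'
      line: '127.0.1.1 {{ system_fqdn }} {{ system_hostname }}'
      manage: true
    # regex_escape so the dots of the address match literally, not "any char";
    # d('') on the templated values so a skipped item still renders cleanly.
    - regexp: '^{{ system_real_address | d("") | regex_escape }}(\t\s)*'
      line: "{{ system_real_address | d('') }} {{ system_real_fqdn | d('') }} {{ system_real_fqdn | d('') | split('.') | first }}"
      manage: "{{ system_real_address | d('') != '' }}"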
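- name: "Apply system hostname (changed={{ machine_name_changed.changed }})"
  # argv form: the hostname is passed as a single argument and never goes
  # through a shell, so whitespace or shell metacharacters in system_hostname
  # cannot alter the command. The previous shell one-liner interpolated the
  # value unquoted and relied on a bash-only 'test ... == true' guard.
  ansible.builtin.command:
    argv:
      - hostnamectl
      - set-hostname
      - "{{ system_hostname }}"
  # Only apply when /etc/hosts actually changed, and never in check mode
  # (the command module is skipped there anyway; the guard makes it explicit).
  when: machine_name_changed.changed and not ansible_check_mode
  changed_when: true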
# Configure groups and users
# ==========================
- name: Ensure system security groups exists
  # Both groups are referenced later by the sudo tasks (sudoers.d/wheel and
  # the sudo group membership), so they must exist before users are created.
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
    system: true
  loop: [wheel, sudo]
  loop_control:
    label: "Ensure group: {{ item }}"
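- name: Create users
  # Fully-qualified module name for consistency with the other tasks in this
  # file (ansible.builtin.group / ansible.builtin.debug).
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups: "{{ item.groups | default([]) }}"
    state: "{{ item.state | default('present') }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    system: "{{ _system }}"
    comment: "{{ item.comment | default(omit) }}"
    create_home: true
    home: "{{ item.home | default('/home/' + item.name) }}"
    uid: "{{ item.uid | default(omit) }}"
  loop: "{{ system_accounts }}"
  loop_control:
    # uid is optional in system_accounts (see the default(omit) above); the
    # label must not fail on an undefined uid, and the closing paren was missing.
    label: "Create {{ _system | ternary('system', 'regular') }} user: {{ item.name }} ({{ item.uid | d('auto uid') }}, {{ item.comment | d('No comments') }})"
  vars:
    _system: "{{ item.system | default(false) }}"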
- name: Deploy all ssh keys
  # One iteration per (account, key) pair; accounts without an 'sshkeys'
  # attribute are filtered out before subelements expands the list.
  ansible.posix.authorized_key:
    user: "{{ _user_name }}"
    state: "{{ _sshkey_state }}"
    key: "{{ _sshkey }}"
    follow: true
    path: "{{ _home_dir }}/.ssh/authorized_keys"
  loop: "{{ system_accounts | selectattr('sshkeys', 'defined') | subelements('sshkeys') }}"
  loop_control:
    label: "Deploy '{{ _user_name }}' public key: {{ _sshkey_comment }}"
  vars:
    # item.0 is the account entry, item.1 the individual public key line.
    _user_name: "{{ item.0.name }}"
    _home_dir: "{{ item.0.home | default('/home/' + item.0.name) }}"
    _sshkey_state: "{{ item.0.sshkey_state | default('present') }}"
    _sshkey: "{{ item.1 }}"
    # Last whitespace-separated field of the key line, normally its comment.
    _sshkey_comment: "{{ _sshkey | split(' ') | last }}"
# Configure package manager
# ==========================
#- name: Configure APT preferences
# copy:
# dest: "/etc/apt/apt.conf.d/{{ item.name }}"
# content: "{{ item.content }}"
# loop:
# - name: 01-norecommend
# content: |
# APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(0, 1) }}";
# - name: 02-suggest
# content: |
# APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(0, 1) }}";
# loop_control:
# label: "Ensure APT preference: {{ item.content }}"
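- name: Ensure apt only install minimal packages
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/90_install_mode
    # Explicit mode: without it the file's permissions depend on the umask
    # of the process running the task.
    mode: "0644"
    # NOTE(review): the ternary order is the reverse of the commented-out
    # variant above (norecommend=true here yields Install-Recommends "1",
    # i.e. recommends enabled). Confirm which polarity the role's defaults
    # expect before relying on this.
    content: |
      # Ansible managed
      APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(1, 0) }}";
      APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(1, 0) }}";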
- name: Install base tools
  ansible.builtin.package:
    name: "{{ system_packages }}"
    state: present
  # In check mode the package manager may not be able to resolve everything
  # (e.g. no cache update yet); do not fail the dry run on that.
  ignore_errors: "{{ ansible_check_mode }}"
# Configure sudo
# ==============
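- name: Prepare sudo config for wheel group
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/wheel"
    owner: root
    group: root
    mode: "0440"
    # A syntactically broken drop-in disables sudo for everyone on the host;
    # visudo checks the staged file before it is moved into place.
    validate: /usr/sbin/visudo -cf %s
    content: |
      Defaults:%wheel !requiretty
      %wheel ALL=(ALL) NOPASSWD: ALL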
- name: Add managed users to sudo with password
  # Membership of 'sudo' grants password-protected sudo; only accounts whose
  # permissions list contains 'sudo' are touched.
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups: [sudo]
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to sudo group: {{ item.name }}"
  when: "'sudo' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"
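- name: Add managed users to sudo without password
  # Mirrors the password-sudo task above: iterate over every managed account
  # and add only those with 'sudo_nopass' to the wheel group (NOPASSWD via
  # /etc/sudoers.d/wheel). The previous version had no loop, so 'item' was
  # undefined in the when/vars and the name was hard-coded to the first account.
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups:
      - wheel
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to wheel group: {{ item.name }}"
  when: "'sudo_nopass' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"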