ansible_linux_setup/roles/setup/tasks/main.yml

- name: Initial server setup
  tags: [setup, server]
  block:
    - name: Create default user
      user:
        name: "{{ default_user }}"
        password: "{{ default_user_password | password_hash('sha512') }}"
        groups: sudo
        create_home: yes
        shell: /bin/zsh
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
        update_password: always
        state: present

    - name: Ensure sudo group has passwordless sudo privileges
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: "^%sudo"
        line: "%sudo ALL=(ALL) NOPASSWD:ALL"
        validate: "/usr/sbin/visudo -cf %s"

    - name: Upgrade apt packages
      apt:
        update_cache: yes
        upgrade: full

    - name: Install apt packages
      apt:
        name: "{{ packages_to_install }}"

    - name: Add Debian backports
      include_role:
        name: jnv.debian-backports

    - name: Add unattended-upgrades
      include_role:
        name: jnv.unattended-upgrades

    - name: Install mozilla/sops
      get_url:
        url: https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux
        dest: /usr/bin/sops
        mode: "0755"
        owner: root
        group: root

    - name: Enable dm_crypt module
      modprobe:
        name: dm_crypt
        state: present

    - name: Enable compress on logrotate
      lineinfile:
        dest: /etc/logrotate.conf
        regexp: "^#?compress"
        line: "compress"
        state: present

    - name: Configure timezone
      timezone:
        name: "{{ timezone }}"

    - name: Configure ntp client and restart it
      template:
        src: ntp.conf.j2
        dest: /etc/ntp.conf
      notify:
        - restart ntp
        - restart cron

    - name: Set up exim4 conf
      template:
        src: update-exim4.conf.conf.j2
        dest: /etc/exim4/update-exim4.conf.conf
        owner: root
        group: root
        mode: 0644

    - name: Set up exim4 password file
      template:
        src: passwd.client.j2
        dest: /etc/exim4/passwd.client
        owner: root
        group: Debian-exim
        mode: 0640

    - name: Set up exim4 localmacros
      copy:
        src: exim4.conf.localmacros
        dest: /etc/exim4/exim4.conf.localmacros
        owner: root
        group: root
        mode: 0644
      notify: restart exim4

    - name: Make fail2ban work with ufw
      lineinfile:
        dest: "{{ item }}"
        regexp: "^banaction"
        line: "banaction = ufw"
        state: present
      with_items:
        - /etc/fail2ban/jail.conf
        - /etc/fail2ban/jail.local
      notify:
        - restart fail2ban