Disable plaintext ssh auth.

README.md

@@ -8,8 +8,8 @@ None.
 
 ## Role Variables
 
-There is one variable, which is the list of packages to install.
+Extra packages can be installed by using the custom list:
 
 ```yaml
-sysadmin_packages: []
+sysadmin_packages_custom: []
 ```

defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 sysadmin_packages: []
+sysadmin_packages_custom: []

tasks/main.yml

@@ -1,22 +1,43 @@
 ---
-- import_tasks: setup-Debian.yml
-  when: ansible_os_family == 'Debian'
-
-- import_tasks: setup-RedHat.yml
-  when: ansible_os_family == 'RedHat'
-
-- import_tasks: setup-Arch.yml
-  when: ansible_os_family == 'Archlinux'
-
 - name: Load a variable file based on the OS type, or a default if not found.
   include_vars: "{{ item }}"
   with_first_found:
-    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ ansible_distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
     - "{{ ansible_distribution }}.yml"
     - "{{ ansible_os_family }}.yml"
-    - "Debian.yml"
+    - "default.yml"
 
 - name: Ensure sysadmin utility packages are installed.
   ansible.builtin.package:
     state: present
     name: "{{ sysadmin_packages }}"
+
+- name: Ensure custom sysadmin utility packages are installed.
+  ansible.builtin.package:
+    state: present
+    name: "{{ sysadmin_packages_custom }}"
+  when: sysadmin_packages_custom | length > 0
+
+- name: Generate ed25519 SSH host key
+  ansible.builtin.command:
+    cmd: ssh-keygen -A
+    creates: /etc/ssh/ssh_host_ed25519_key
+
+- name: Prefer ed25519 HostKeys in sshd_config
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regex: 'HostKey /etc/ssh/ssh_host_ed25519_key'
+    line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
+    state: present
+  notify: restart ssh
+
+- name: Disable plaintext password authentication
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regex: 'PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+    state: present
+  notify: restart ssh
+
+- name: "Set up {{ ansible_os_family }}-based systems"
+  include_tasks: "setup-{{ ansible_os_family }}.yml"

tasks/setup-Arch.yml

@@ -1,4 +0,0 @@
----
-- name: Set timezone to UTC
-  community.general.timezone:
-    name: UTC

tasks/setup-Archlinux.yml

@@ -0,0 +1,10 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
+
+- name: Update package database
+  community.general.pacman:
+    update_cache: yes
+    upgrade: yes
+  tags: upgrade

tasks/setup-Debian.yml

@@ -3,7 +3,7 @@
   community.general.timezone:
     name: UTC
 
-- name: Let root authenticate via ssh pubkey, Ubuntu.
+- name: Let root authenticate via ssh pubkey, Ubuntu
   ansible.builtin.replace:
     path: /root/.ssh/authorized_keys
     regexp: '^no.*(ssh.*)$'
@@ -14,7 +14,7 @@
     path: /etc/apt/apt.conf.d/20auto-upgrades
   register: unattended_upgrade
 
-- name: Ensure apt automatic upgrades are not enabled.
+- name: Ensure apt automatic upgrades are not enabled
   lineinfile:
     path: /etc/apt/apt.conf.d/20auto-upgrades
     regexp: 'APT::Periodic::Unattended-Upgrade "1";'
@@ -33,26 +33,18 @@
   delay: 6
   retries: 10
 
-- name: Only run "update_cache=yes" if the last one is more than 3600 seconds ago
+- name: Upgrade all packages
   ansible.builtin.apt:
     update_cache: yes
     cache_valid_time: 3600
+    upgrade: yes
 
-#- name: Update Linux Kernel
+- name: Update sources.list to select a fast mirror on Ubuntu
-#  ansible.builtin.apt:
+  ansible.builtin.replace:
-#    name: linux-image-amd64
+    path: /etc/apt/sources.list
-#    state: latest
+    regexp: 'http://.*archive.ubuntu.com/ubuntu'
-#  register: kernel_version
+    replace: 'mirror://mirrors.ubuntu.com/mirrors.txt'
-#
+  when: ansible_distribution == 'Ubuntu'
-#- name: Reboot a slow machine that might have lots of updates to apply
-#  ansible.builtin.reboot:
-#    reboot_timeout: 3600
-#  when: kernel_version is changed
-
-- name: Update all packages to their latest version
-  ansible.builtin.apt:
-    name: '*'
-    state: latest
 
 - name: Remove dependencies that are no longer required
   ansible.builtin.apt:

vars/Archlinux.yml

@@ -0,0 +1,34 @@
+---
+sysadmin_packages:
+  - bash-completion
+  - curl
+  - dnsutils
+  - doas
+  - dosfstools
+  - ffmpeg
+  - file
+  - git
+  - gnupg
+  - htop
+  - jq
+  - mediainfo
+  - mtr
+  - net-tools
+  - netcat
+  - nginx
+  - p7zip
+  - parted
+  - pass
+  - psmisc
+  - rsync
+  - smartmontools
+  - tcpdump
+  - tmux
+  - tree
+  - unzip
+  - vi
+  - vim
+  - vim
+  - wget
+  - which
+  - whois

vars/Debian-12.yml

@@ -0,0 +1,20 @@
+---
+sysadmin_packages:
+  - curl
+  - file
+  - bind9-dnsutils
+  - git
+  - gpg
+  - htop
+  - nftables
+  - iputils-ping
+  - jq
+  - net-tools
+  - netcat-traditional
+  - psmisc
+  - python-is-python3
+  - rsync
+  - tcpdump
+  - tmux
+  - tree
+  - vim

vars/Debian.yml

@@ -1,11 +1,12 @@
 ---
 sysadmin_packages:
   - curl
+  - file
   - dnsutils
   - git
   - gpg
   - htop
-  - iptables
+# - iptables
   - iputils-ping
   - jq
   - net-tools

vars/RedHat-7.yml

@@ -0,0 +1,11 @@
+---
+sysadmin_packages:
+  - psmisc
+  - git
+  - net-tools
+  - psmisc
+  - rsync
+  - tcpdump
+  - tmux
+  - tree
+  - vim

vars/default.yml

@@ -0,0 +1,18 @@
+---
+sysadmin_packages:
+  - curl
+  - file
+  - dnsutils
+  - git
+  - gpg
+  - htop
+  - jq
+  - net-tools
+  - netcat
+  - psmisc
+  - python-is-python3
+  - rsync
+  - tcpdump
+  - tmux
+  - tree
+  - vim