init linux role

tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Load a variable file based on the OS type, or a default if not found.
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}.yml"
+    - "default.yml"
+
+- name: Ensure sysadmin utility packages are installed.
+  ansible.builtin.package:
+    state: present
+    name: "{{ sysadmin_packages }}"
+
+- name: Ensure custom sysadmin utility packages are installed.
+  ansible.builtin.package:
+    state: present
+    name: "{{ sysadmin_packages_custom }}"
+  when: sysadmin_packages_custom | length > 0
+
+- name: Generate ed25519 SSH host key
+  ansible.builtin.command:
+    cmd: ssh-keygen -A
+    creates: /etc/ssh/ssh_host_ed25519_key
+
+- name: Prefer ed25519 HostKeys in sshd_config
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regex: 'HostKey /etc/ssh/ssh_host_ed25519_key'
+    line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
+    state: present
+  notify: restart ssh
+
+- name: "Set up {{ ansible_os_family }}-based systems"
+  include_tasks: "setup-{{ ansible_os_family }}.yml"

tasks/setup-Archlinux.yml

@@ -0,0 +1,10 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
+
+- name: Update package database
+  community.general.pacman:
+    update_cache: yes
+    upgrade: yes
+  tags: upgrade

tasks/setup-Debian.yml

@@ -0,0 +1,51 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC
+
+- name: Let root authenticate via ssh pubkey, Ubuntu
+  ansible.builtin.replace:
+    path: /root/.ssh/authorized_keys
+    regexp: '^no.*(ssh.*)$'
+    replace: '\1'
+
+- name: Check for Unattended-Upgrade
+  ansible.builtin.stat:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+  register: unattended_upgrade
+
+- name: Ensure apt automatic upgrades are not enabled
+  lineinfile:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+    regexp: 'APT::Periodic::Unattended-Upgrade "1";'
+    line: 'APT::Periodic::Unattended-Upgrade "0";'
+  when: unattended_upgrade.stat.exists
+
+- name: Ensure unnecessary packages from Ubuntu are removed.
+  ansible.builtin.apt:
+    state: absent
+    name:
+      - snapd
+      - lxd-agent-loader
+      - modemmanager        # Curious: mmcli --list-modems
+  register: apt_status
+  until: apt_status is success
+  delay: 6
+  retries: 10
+
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+    upgrade: yes
+
+- name: Update sources.list to select a fast mirror on Ubuntu
+  ansible.builtin.replace:
+    path: /etc/apt/sources.list
+    regexp: 'http://.*archive.ubuntu.com/ubuntu'
+    replace: 'mirror://mirrors.ubuntu.com/mirrors.txt'
+  when: ansible_distribution == 'Ubuntu'
+
+- name: Remove dependencies that are no longer required
+  ansible.builtin.apt:
+    autoremove: yes

tasks/setup-RedHat.yml

@@ -0,0 +1,4 @@
+---
+- name: Set timezone to UTC
+  community.general.timezone:
+    name: UTC