add basic.yml apt.yml and sshd.yaml

roles/common/tasks/apt.yml

@@ -0,0 +1,130 @@
+---
+
+- name: (apt.yml) update configuration file - /etc/apt/sources.list
+  template:
+    src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
+    dest: /etc/apt/sources.list
+    owner: root
+    group: root
+    mode: 0644
+  register: apt_config_updated
+  when: apt_manage_sources_list|bool
+  tags:
+    - apt-configuration
+
+- name: (apt.yml) apt update
+  apt:
+    update_cache: true
+    cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
+  when: apt_update|bool
+  tags:
+    - apt-update
+    - apt-upgrade
+    - apt-dpkg-configure
+    - apt-initial-install
+    - apt-microcode
+    - apt-compiler-pkgs
+    - apt-webserver-pkgs
+
+- name: (apt.yml) dpkg --configure
+  command: >
+    dpkg --configure -a
+  args:
+    warn: false
+  changed_when: _dpkg_configure.stdout_lines | length
+  register: _dpkg_configure
+  when: apt_dpkg_configure|bool
+  tags:
+    - apt-dpkg-configure
+    - apt-initial-install
+    - apt-microcode
+    - apt-compiler-pkgs
+    - apt-webserver-pkgs
+
+- name: (apt.yml) apt upgrade
+  apt:
+    upgrade: "{{ apt_upgrade_type }}"
+    update_cache: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_upgrade|bool
+  tags:
+    - apt-upgrade
+    - apt-initial-install
+    - apt-microcode
+    - apt-compiler-pkgs
+    - apt-webserver-pkgs
+
+- name: (apt.yml) Initial install debian packages (stretch)
+  apt:
+    name: "{{ apt_initial_install_stretch }}"
+    state: "{{ apt_install_state }}"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "9"
+  tags:
+    - apt-initial-install
+
+- name: (apt.yml) Initial install debian packages (buster)
+  apt:
+    name: "{{ apt_initial_install_buster }}"
+    state: "{{ apt_install_state }}"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "10"
+  tags:
+    - apt-initial-install
+
+- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
+  apt:
+    name: "{{ microcode_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}-backports"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "9"
+    - ansible_facts['processor']|string is search("Intel")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) Install CPU microcode (debian buster)
+  apt:
+    name: "{{ microcode_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release }}"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "10"
+    - ansible_facts['processor']|string is search("Intel")
+  tags:
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) Remove unwanted packages
+  apt:
+    name: "{{ apt_remove }}"
+    state: absent
+    purge: "{{ apt_remove_purge }}"
+  tags:
+    - apt-remove
+
+- name: (apt.yml) autoremove
+  apt:
+    autoremove: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_autoremove|bool
+  tags:
+    - apt-autoremove
+    - apt-initial-install
+    - apt-microcode
+
+- name: (apt.yml) clean
+  command: apt-get -y clean
+  args:
+    warn: false
+  changed_when: false
+  when: apt_clean|bool
+  tags:
+    - apt-clean
+    - apt-initial-install
+    - apt-microcode

roles/common/tasks/basic.yml

@@ -0,0 +1,45 @@
+---
+
+- name: (basic.yml) Ensure timezone is is correct
+  timezone: name={{ time_zone }}
+  tags:
+    - timezone
+
+
+- name: (basic.yml) Ensure locales are present
+  locale_gen:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ locales }}"
+  tags:
+    - locales
+
+- name: (basic.yml) Create a symbolic link /bin/sh -> bash
+  file:
+    src: bash
+    dest: /bin/sh
+    owner: root
+    group: root
+    state: link
+  tags:
+    - symlink-sh
+
+- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
+  stat:
+    path: /etc/systemd/system
+  register: etc_systemd_system_conf
+  when:
+    - set_default_limit_nofile|bool == true
+
+- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
+  lineinfile:
+    dest: /etc/systemd/system.conf
+    state: present
+    regexp: '^DefaultLimitNOFILE'
+    line: 'DefaultLimitNOFILE=1048576'
+    insertafter: '^#DefaultLimitNOFILE'
+  when:
+    - set_default_limit_nofile|bool == true
+    -  etc_systemd_system_conf.stat.exists == true
+  tags:
+    - systemd-nofiles

roles/common/tasks/main.yml

@@ -1,6 +1,34 @@
 ---
 
 
+# tags supported inside basic.yml
+#
+#    timezone
+#    locales
+#    systemd-nofiles
+- import_tasks: basic.yml
+  tags:
+    - basic
+
+# tags supported inside sshd.yml
+#
+#    sshd-config
+- import_tasks: sshd.yml
+  tags: sshd
+
+# tags supported inside apt.yml
+#
+#   apt-update
+#   apt-upgrade
+#   apt-dpkg-configure
+#   apt-initial-install
+#   apt-microcode
+#   apt-remove
+#   apt-autoremove
+#   apt-clean
+- import_tasks: apt.yml
+  tags: apt
+
 # tags supported inside nfs.yml:
 #
 #    nfs-server

roles/common/tasks/sshd.yml

@@ -0,0 +1,28 @@
+---
+
+- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
+  stat:
+    path: /etc/ssh/sshd_config.ORIG
+  register: etc_sshd_sshd_config_ORIG
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
+  command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
+  when: etc_sshd_sshd_config_ORIG.stat.exists == False
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: 'sshd -f %s -T'
+    #backup: yes
+  notify: "Restart ssh"
+  tags:
+    - sshd-config
+