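---
# First-time bootstrap for freshly provisioned Debian/Ubuntu hosts.
#
# Variables read by this play (defined elsewhere, not in this file):
#   become, host_name, host_name_strategy, remote_user, default_public_key
#
# Order matters for the access-control part: the remote user and its SSH key
# are installed BEFORE root login and password authentication are switched
# off, so a failure in key deployment stops the play while the original
# access path still works.
- hosts: first_timers
  become: '{{ become }}'
  environment:
    DEBIAN_FRONTEND: noninteractive

  # Roles run before the tasks below, i.e. before the apt cache is refreshed.
  roles:
    - postfix
    - login-notify

  tasks:
    - name: Set hostname
      hostname:
        name: '{{ host_name }}'
        use: '{{ host_name_strategy }}'

    - name: Setup locale ru_RU.UTF-8
      locale_gen:
        name: ru_RU.UTF-8
        state: present

    - name: Setup timezone
      timezone:
        name: UTC

    - name: Apt update
      apt:
        update_cache: true
        cache_valid_time: 300

    - name: Apt upgrade
      apt:
        upgrade: dist

    - name: Apt cleanup
      apt:
        clean: true
        autoclean: true
        autoremove: true

    - name: Install basic software
      apt:
        name:
          - zsh
          - curl
          - tmux
          - htop
          - python3
          - ca-certificates
        state: latest
        install_recommends: false

    # The account has no usable password ('!' plus password_lock), so the
    # authorized key installed in the next task is its only login credential.
    - name: Create remote user
      user:
        name: '{{ remote_user }}'
        password: '!'
        password_lock: true
        shell: /bin/zsh
        state: present

    # exclusive: true removes every other key from the user's authorized_keys,
    # so stale or unexpected keys do not survive a run.
    - name: SSH copy ID
      authorized_key:
        key: '{{ default_public_key }}'
        user: '{{ remote_user }}'
        state: present
        exclusive: true

    # The rule targets the GROUP named after the user ('%' prefix), and
    # NOPASSWD: ALL makes the SSH key equivalent to root on this host.
    # validate: the edited copy is syntax-checked by visudo before it replaces
    # /etc/sudoers; a malformed sudoers file would otherwise disable sudo.
    - name: Allow remote user to have passwordless sudo
      lineinfile:
        dest: /etc/sudoers
        state: present
        line: '%{{ remote_user }} ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    # sshd keeps the FIRST value it reads for a keyword. Step 1 therefore
    # removes every active top-level directive whose value is not "no"
    # (yes, prohibit-password, without-password, ...), not only the exact
    # 'yes' line; otherwise the line added in step 2 could be shadowed.
    # NOTE(review): files pulled in through an `Include` directive are not
    # touched here and may still set these keywords; confirm the effective
    # configuration with `sshd -T` after the run.
    - name: Disallow login as root, step 1
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin\s+(?!no\s*$)'
        state: absent

    # insertbefore keeps the global directive above the first Match block;
    # a line appended after a Match block would only apply inside it.
    # When the file has no Match block the line goes to the end of the file.
    - name: Disallow login as root, step 2
      lineinfile:
        dest: /etc/ssh/sshd_config
        line: 'PermitRootLogin no'
        insertbefore: '^Match\s'
        firstmatch: true
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    - name: Disallow login with password, step 1
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication\s+(?!no\s*$)'
        state: absent

    - name: Disallow login with password, step 2
      lineinfile:
        dest: /etc/ssh/sshd_config
        line: 'PasswordAuthentication no'
        insertbefore: '^Match\s'
        firstmatch: true
        state: present
        validate: '/usr/sbin/sshd -t -f %s'

    # force: false creates the empty file only when it is missing, so a
    # re-run does not wipe a .zshrc the user has since written.
    - name: Add .zshrc
      copy:
        content: ''
        dest: '/home/{{ remote_user }}/.zshrc'
        owner: '{{ remote_user }}'
        mode: '0644'
        force: false

    # Reload (not restart) keeps the current SSH session alive while the
    # new sshd_config takes effect for subsequent connections.
    - name: Reload SSH
      service:
        name: ssh
        state: reloaded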