ansible-server-setup/roles/common/tasks/main.yml

---
- name: Get package facts
  ansible.builtin.package_facts:

- name: Get service facts
  ansible.builtin.service_facts:

- name: Add default ssh keys
  ansible.posix.authorized_key:
    key: "{{ lookup('file', '{{ ssh_keyfile }}') }}"
    user: "{{ remote_user }}"
    state: present
    exclusive: true
  when: "'mothershipbu.lyon' not in inventory_hostname"

- name: Add default ssh keys - mothershipbu
  ansible.posix.authorized_key:
    key: "{{ lookup('file', 'keys-mothershipbu') }}"
    user: "{{ remote_user }}"
    state: present
    exclusive: true
  when: "'mothershipbu.lyon' in inventory_hostname"

- name: Disable password ssh auth
  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    backrefs: true
  notify: restart ssh service - {{ ansible_distribution_file_variety }}

- name: Automatic security updates - debian
  ansible.builtin.package:
    name: unattended-upgrades
    state: present
  when: ansible_distribution_file_variety == "Debian"

- name: Automatic security updates - redhat
  ansible.builtin.package:
    name: dnf-automatic
    state: present
  when: ansible_distribution_file_variety == "RedHat"

- name: Configure automatic security updates step 01 - redhat
  ansible.builtin.lineinfile:
    path: "/etc/dnf/automatic.conf"
    regexp: '^upgrade_type ='
    line: 'upgrade_type = security'
    backrefs: true
  when: ansible_distribution_file_variety == "RedHat"

- name: Configure automatic security updates step 02 - redhat
  ansible.builtin.lineinfile:
    path: "/etc/dnf/automatic.conf"
    regexp: '^apply_updates ='
    line: 'apply_updates = yes'
    backrefs: true
  when: ansible_distribution_file_variety == "RedHat"

- name: Enable and start dnf-automatic.timer - redhat
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: dnf-automatic.timer
  when: ansible_distribution_file_variety == "RedHat"