finlog-ansible/bootstrap-debian13.yml

---
- name: Finlog Bootstrap
  hosts: finlog_dev
  become: true
  gather_facts: false
  collections:
    - ansible.posix

  vars:
    dev_user: "bummsa"
    dev_user_pubkey: "{{ lookup('file', '~/.ssh/finlog-bummsa.pub') }}"

    base_packages:
      - sudo
      - vim
      - htop
      - curl
      - wget
      - git
      - unzip
      - ca-certificates
      - gnupg
      - lsb-release
      - openssh-server
      - iptables
      - iptables-persistent
      - netfilter-persistent

  tasks:
    - name: Update apt cache
      become: true
      ansible.builtin.apt:
        update_cache: yes

    - name: Install base packages
      ansible.builtin.apt:
        name: "{{ base_packages }}"
        state: present

    - name: Create dev user
      ansible.builtin.user:
        name: "{{ dev_user }}"
        shell: /bin/bash
        create_home: yes
        groups: sudo
        append: yes

    - name: Ensure /etc/sudoers.d directory exists
      ansible.builtin.file:
        path: /etc/sudoers.d
        state: directory
        mode: '0750'
        owner: root
        group: root

    - name: Add passwordless sudo for dev user
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ dev_user }}"
        content: "{{ dev_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Add SSH key for dev user
      ansible.posix.authorized_key:
        user: "{{ dev_user }}"
        key: "{{ dev_user_pubkey }}"
        state: present
        path: "/home/{{ dev_user }}/.ssh/authorized_keys"
      when: not ansible_check_mode

    - name: Show what would be done for SSH key in check mode
      ansible.builtin.debug:
        msg: "Would add SSH key to /home/{{ dev_user }}/.ssh/authorized_keys"
      when: ansible_check_mode

    - name: Upgrade system packages
      ansible.builtin.apt:
        upgrade: dist
        autoremove: yes
        autoclean: yes