biiiiig update !

tasks/date.yml

@@ -1,18 +0,0 @@
----
-- name: base | install ntp
-  apt:
-    name: ntp
-    state: present
-  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int < 13
-
-- name: base | ensure ntp is running
-  service:
-    name: ntp
-    state: started
-    enabled: yes
-  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int < 13
-
-- name: base | set date
-  shell: 
-    cmd: /usr/bin/timedatectl set-timezone Europe/Paris
-  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int >= 13

tasks/datetime.yml

@@ -0,0 +1,31 @@
+---
+- name: datetime | install ntp
+  apt:
+    name: ntp
+    state: present
+  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int < 13
+
+- name: datetime | ensure ntp is running
+  service:
+    name: ntp
+    state: started
+    enabled: yes
+  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int < 13
+
+- name: datetime | install systemd-timesyncd
+  apt:
+    name: systemd-timesyncd
+    state: present
+  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int >= 13
+
+- name: datetime | ensure systemd-timesyncd is running
+  service:
+    name: systemd-timesyncd
+    state: started
+    enabled: yes
+  when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int >= 13
+
+- name: datetime | set date
+  timezone:
+    name: "{{ timezone | default('Europe/Paris') }}"
+  when: ansible_os_family == 'Debian'

tasks/main.yml

@@ -10,8 +10,14 @@
 - name: base | configure locales
   include_tasks: locales.yml
 
-#- name: base | install pip3 packages
-#  include_tasks: pip.yml
+- name: base | install python packages
+  include_tasks: pip.yml
+
+- name: base | install needrestart
+  include_tasks: needrestart.yml
+
+- name: base | configure SSH
+  include_tasks: ssh.yml
 
 - name: base | set datetime
-  include_tasks: date.yml
+  include_tasks: datetime.yml

tasks/needrestart.yml

@@ -0,0 +1,21 @@
+---
+- name: needrestart | install
+  apt:
+    name: needrestart
+    state: present
+    update_cache: true
+
+- name: needrestart | configure auto restart
+  copy:
+    dest: /etc/needrestart/conf.d/override.conf
+    content: |
+      $nrconf{restart} = 'a';
+    mode: '0644'
+
+- name: needrestart | configure exclusions
+  template:
+    src: needrestart_exclude.j2
+    dest: /etc/needrestart/conf.d/exclude.conf
+    mode: '0644'
+  when: needrestart_exclude is defined
+

tasks/packages.yml

@@ -7,6 +7,8 @@
   with_items:
     - bash-completion
     - bsd-mailx
+    - cron
+    - cron-daemon-common
     - curl
     - deborphan
     - git-core
@@ -14,10 +16,11 @@
     - iotop
     - less
     - locales
-    - needrestart
     - net-tools
     - ncdu
     - python3-pip
+    - python3-venv
+    - python3-xyz
     - rsync
     - rsyslog
     - screen

tasks/pip.yml

@@ -1,5 +1,5 @@
 ---
-- name: pip3 | install package
+- name: python | install package (legacy)
   pip:
     name: 
       - ps_mem
@@ -7,3 +7,45 @@
     executable: pip3
   when:
     - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version | int < 12
+
+- name: python | install python3-venv
+  apt:
+    name: python3-venv
+    state: present
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version | int >= 12
+
+- name: python | create venv directory
+  file:
+    path: /opt/python/venv
+    state: directory
+    mode: '0755'
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version | int >= 12
+
+- name: python | install packages in venv
+  pip:
+    name: 
+      - ps_mem
+      - bpytop
+    virtualenv: /opt/python/venv/brainsys
+    virtualenv_command: /usr/bin/python3 -m venv
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version | int >= 12
+
+- name: python | link binaries
+  file:
+    src: "/opt/python/venv/brainsys/bin/{{ item }}"
+    dest: "/usr/local/bin/{{ item }}"
+    state: link
+  loop:
+    - ps_mem
+    - bpytop
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version | int >= 12
+

tasks/ssh.yml

@@ -0,0 +1,27 @@
+- name: SSH | configure root login restrictions
+  template:
+    src: sshd_root_conf.j2
+    dest: /etc/ssh/sshd_config.d/root.conf
+    mode: '0644'
+    validate: /usr/sbin/sshd -t -f %s
+  when: ssh_root_authorized_ips is defined
+
+- name: SSH | configure root authorized keys
+  template:
+    src: root_authorized_keys.j2
+    dest: "{{ ssh_root_authorized_keys_file | default('/root/.ssh/authorized_keys') }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssh_root_authorized_keys is defined
+
+- name: SSH | test SSH configuration
+  command: /usr/sbin/sshd -t
+  register: sshd_config_check
+  changed_when: false
+
+- name: SSH | reload SSH service
+  service:
+    name: ssh
+    state: reloaded
+  when: sshd_config_check.rc == 0