ansible/roles/base_os/tasks/main.yml

---
# Role: base_os
# Purpose: baseline OS config for app guests.

- name: Ensure apt cache is up to date
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600

- name: Install baseline packages
  ansible.builtin.apt:
    name: "{{ base_os_packages }}"
    state: present

- name: Ensure app user exists
  ansible.builtin.user:
    name: "{{ base_os_user }}"
    shell: "{{ base_os_user_shell }}"
    groups: "{{ base_os_user_groups }}"
    append: true
    create_home: true
    state: present

- name: Ensure app user has authorized SSH key
  ansible.posix.authorized_key:
    user: "{{ base_os_user }}"
    state: present
    key: "{{ base_os_user_ssh_public_key }}"
  when: base_os_user_ssh_public_key | length > 0

- name: Configure passwordless sudo for app user
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/{{ base_os_user }}"
    content: "{{ base_os_user }} ALL=(ALL) NOPASSWD:ALL\n"
    owner: root
    group: root
    mode: "0440"
  when: base_os_passwordless_sudo | bool

- name: Ensure UFW allows SSH
  community.general.ufw:
    rule: allow
    port: "{{ base_os_allow_ssh_port }}"
    proto: tcp

- name: Ensure UFW allows backend port
  community.general.ufw:
    rule: allow
    port: "{{ base_os_backend_port }}"
    proto: tcp
  when: base_os_enable_backend | bool

- name: Ensure UFW allows frontend port
  community.general.ufw:
    rule: allow
    port: "{{ base_os_frontend_port }}"
    proto: tcp
  when: base_os_enable_frontend | bool

- name: Enable UFW (deny incoming by default)
  community.general.ufw:
    state: enabled
    policy: deny