Update common role

- Add secure-secure-shell task
- Add unattended-upgrades task
- Change package installation tasks
- Remove website tasks from generic services group

roles/common/tasks/main.yml

@@ -1,19 +1,11 @@
 ---
-- name: run apt-get update
-  apt: update_cache=yes
-  tags: 
-    - common
-
-- name: install common packages
-  apt: name={{ item }} state=latest
-  with_items:
-    - aptitude
-    - curl
-    - git
-    - mosh
-    - nano
-    - python
-    - wget
-    - zsh
-  tags: 
-    - common
+- include: pre-tasks.yml
+  tags: common
+- include: secure-secure-shell.yml
+  tags: common
+- include: unattended-upgrades.yml
+  tags: common
+- include: user-sanity.yml
+  tags: common
+- include: post-tasks.yml
+  tags: common

roles/common/tasks/post-tasks.yml

@@ -0,0 +1,6 @@
+---
+- name: install expected packages
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ common_expected_packages }}"

roles/common/tasks/pre-tasks.yml

@@ -0,0 +1,8 @@
+---
+- name: install requirements for some Ansible operations
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - aptitude
+    - python-apt

roles/common/tasks/secure-secure-shell.yml

@@ -0,0 +1,28 @@
+# Secure SSH Configuration
+# https://stribika.github.io/2015/01/04/secure-secure-shell.html
+---
+- name: check for ED25519 host key
+  stat: path=/etc/ssh/ssh_host_ed25519_key
+  register: f
+- fail: msg="No ED25519 host key found"
+  when: not f.stat.exists
+
+- name: check for RSA host key
+  stat: path=/etc/ssh/ssh_host_rsa_key
+  register: f
+- fail: msg="No RSA host key found"
+  when: not f.stat.exists
+
+- name: template sshd_config
+  template:
+    src: templates/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    backup: yes
+  register: sshd_config
+
+# reload sshd now in case the handlers don't run
+- name: reload sshd
+  service:
+    name: ssh
+    state: reloaded
+  when: sshd_config.changed

roles/common/tasks/unattended-upgrades.yml

@@ -0,0 +1,18 @@
+---
+- name: install unattended-upgrades
+  apt:
+    name: unattended-upgrades
+    state: present
+
+- name: copy 10periodic
+  copy:
+    src: files/10periodic
+    dest: /etc/apt/apt.conf.d
+
+- name: template 50unattended-upgrades
+  template:
+    src: templates/50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+  notify:
+    - upgrade packages
+    - clean package cache

roles/common/tasks/user-sanity.yml

@@ -0,0 +1,25 @@
+---
+- name: purge vim-tiny
+  apt:
+    name: vim-tiny
+    state: absent
+    purge: yes
+
+- name: install user sanity packages
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ user_sanity_packages }}"
+
+- name: check for /etc/screenrc
+  stat: path=/etc/screenrc
+  register: f
+
+- name: disable screen startup message
+  lineinfile:
+    dest: /etc/screenrc
+    regexp: '^#(startup_message off)$'
+    line: '\1'
+    backrefs: yes
+    backup: yes
+  when: f.stat.exists