ansible-playbooks/playbooks/bootstrap.yml

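---
# Bootstrap a fresh host: create the admin user with sudo and SSH access.
# Run this before any other playbook, when only root access is available
# (SSH as root with a key the host already trusts):
#
#   ansible-playbook playbooks/bootstrap.yml -l somehost \
#     -e bootstrap_user=jambon \
#     -e 'bootstrap_ssh_public_key=ssh-ed25519 AAAA...'
#
# Variables:
#   bootstrap_user            (required) login name of the admin user to create.
#   bootstrap_ssh_public_key  (optional) public key to authorize for that user;
#                             falls back to the controller's ~/.ssh/id_ed25519.pub.
#                             Whoever holds the matching private key gets sudo on
#                             the host, so pass it explicitly when in doubt.
#   bootstrap_password_hash   (optional) crypt(3) hash for the user's password
#                             (e.g. `mkpasswd -m sha-512`). Keep it in Ansible
#                             Vault, never in plain text. Without it the account
#                             has no password; the sudo rule installed below
#                             requires one, so later `become` runs need a
#                             password set some other way (or a NOPASSWD rule,
#                             which this play deliberately does not grant).
#
# The play targets every inventory host unless narrowed with -l/--limit or
# -e target=<pattern>; always limit it, since it connects as root.
#
# Requires the ansible.posix collection (for authorized_key).
#
# After this, run other playbooks normally.
- name: Bootstrap admin user
  hosts: "{{ target | default('all') }}"
  # A fresh host may not have Python, which fact gathering needs; facts are
  # gathered explicitly after the raw install step below.
  gather_facts: false
  vars:
    ansible_user: root
    ansible_become: false
  tasks:
    - name: Check that the required variables are set
      # Fail before touching the host rather than halfway through.
      ansible.builtin.assert:
        that:
          - bootstrap_user is defined
          - bootstrap_user | length > 0
        fail_msg: "bootstrap_user must be set, e.g. -e bootstrap_user=jambon"

    - name: Detect OS and install python3 + sudo
      # `raw` is the only module that works before Python exists on the host.
      # The script is a no-op when both tools are already present, so re-runs
      # report no change. On Arch, `-Sy` refreshes the package database
      # without upgrading the system, so the new packages may be built against
      # newer libraries than those on disk ("partial upgrade"); run a full
      # `pacman -Syu` on the host at the first opportunity.
      ansible.builtin.raw: |
        if command -v python3 > /dev/null 2>&1 && command -v sudo > /dev/null 2>&1; then
          echo "already-present"
          exit 0
        fi
        if command -v pacman > /dev/null 2>&1; then
          pacman -Sy --needed --noconfirm python sudo
        elif command -v apt-get > /dev/null 2>&1; then
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq && apt-get install -y python3 sudo
        else
          echo "Unsupported OS" >&2 && exit 1
        fi
      register: bootstrap_prereqs
      changed_when: "'already-present' not in bootstrap_prereqs.stdout"

    - name: Gather facts
      ansible.builtin.setup:

    - name: Check that the distribution is supported
      # The install step above is skipped when python3 and sudo already exist,
      # so the OS check must be repeated here before the group names are used.
      ansible.builtin.assert:
        that: ansible_facts['os_family'] in ['Debian', 'Archlinux']
        fail_msg: "Unsupported OS family: {{ ansible_facts['os_family'] }}"

    - name: Pick the distribution's admin group
      # Debian-family hosts use %sudo, Arch uses %wheel. Computed once so the
      # user's group membership and the sudoers drop-in cannot disagree.
      ansible.builtin.set_fact:
        bootstrap_sudo_group: "{{ 'wheel' if ansible_facts['os_family'] == 'Archlinux' else 'sudo' }}"

    - name: Create admin user
      ansible.builtin.user:
        name: "{{ bootstrap_user }}"
        groups: "{{ bootstrap_sudo_group }}"
        append: true
        shell: /bin/bash
        create_home: true
        # Omitted (account stays without a password) unless a hash is given;
        # the module expects an already-hashed value, never plain text.
        password: "{{ bootstrap_password_hash | default(omit) }}"
        state: present
      register: bootstrap_admin

    - name: Allow the admin group to use sudo
      # Debian already ships this rule for %sudo in /etc/sudoers; on Arch the
      # equivalent %wheel line is commented out, so the drop-in is needed there.
      # The rule requires a password (no NOPASSWD). `validate` runs visudo on
      # the temporary copy first: a malformed drop-in breaks sudo for everyone.
      ansible.builtin.copy:
        content: "%{{ bootstrap_sudo_group }} ALL=(ALL:ALL) ALL\n"
        dest: "/etc/sudoers.d/{{ bootstrap_sudo_group }}"
        owner: root
        group: root
        mode: "0440"
        validate: visudo -cf %s

    - name: Resolve the SSH public key to authorize
      # Done with a conditional expression rather than `default(lookup(...))`:
      # Jinja evaluates filter arguments eagerly, so that form reads the
      # controller's key file even when bootstrap_ssh_public_key is set and
      # fails if the file is missing. The branch below only touches the file
      # when the fallback is actually used.
      ansible.builtin.set_fact:
        bootstrap_authorized_key: >-
          {{ bootstrap_ssh_public_key
             if bootstrap_ssh_public_key is defined
             else lookup('file', '~/.ssh/id_ed25519.pub') }}

    - name: Check that the key looks like an OpenSSH public key
      # Catches a private key, a file path, or an empty variable being pushed
      # into authorized_keys; the key types cover ssh-*, ecdsa-* and FIDO (sk-*).
      ansible.builtin.assert:
        that: bootstrap_authorized_key is match('^(ssh-|ecdsa-sha2-|sk-)')
        fail_msg: "bootstrap_ssh_public_key does not look like an OpenSSH public key"

    - name: Create .ssh directory
      # Uses the home directory the user module reports instead of assuming
      # /home/<user>.
      ansible.builtin.file:
        path: "{{ bootstrap_admin.home }}/.ssh"
        state: directory
        owner: "{{ bootstrap_user }}"
        group: "{{ bootstrap_user }}"
        mode: "0700"

    - name: Add SSH authorized key
      ansible.posix.authorized_key:
        user: "{{ bootstrap_user }}"
        key: "{{ bootstrap_authorized_key }}"
        state: present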