.gitignore

@@ -2,5 +2,6 @@
 .vault-pass
 .vault.yml
 .passbolt.yml
+inventories/local
 venv
 inventories/local

inventories/group_vars/all.yml

@@ -12,7 +12,6 @@ main_dns_server: ns1.domain.local
 ldap_uri: ldap://ldap.domain.local
 ldap_base: dc=domain,dc=local
 dc_net: "10.0.0.0/16"
-resolv_domain: domain.local
 resolvers:
   - '8.8.8.8'
   - '8.8.4.4'

playbooks/debian.yml

@@ -1,13 +1,13 @@
 - name: Configure base Debian host
   hosts: all
   tasks:
-  - name: Configure virtual machine or host
+  - name: Configure virtual machine or host (not LXC)
     import_role:
       name: debian-host
     when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm'
-  - name: Configure base system
+  - name: Configure base system (all)
     import_role:
-      name: debian-base
+      name: debian-base 
   - name: Configure guest
     import_role:
       name: debian-guest
@@ -15,4 +15,4 @@
   - name: Configure virtual machine
     import_role:
       name: debian-qemu
-    when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm'
+    when: ansible_virtualization_type == 'kvm'

roles/debian-base/defaults/main.yaml

@@ -5,3 +5,55 @@ fail2ban:
   bantime: 600
   maxretry: 4
   ignore: "127.0.0.0/8 {{ dc_net }}"
+  logpath: "/var/log/auth.log"
+fail2ban_base_packages:
+  - fail2ban
+  - rsyslog
+vn_host:
+  url: http://apt.verdnatura.es/pool/main/v/vn-host
+  package: vn-host_2.0.2_all.deb
+  name: vn-host
+time_server_spain: ntp.roa.es
+nagios_packages:
+  - nagios-nrpe-server
+  - nagios-plugins-contrib
+  - monitoring-plugins-basic
+base_packages:
+  - htop
+  - psmisc
+  - bash-completion
+  - screen
+  - aptitude
+  - tree
+  - btop
+  - ncdu
+  - debconf-utils
+  - net-tools
+locales_present:
+  - en_US.UTF-8
+  - es_ES.UTF-8
+master_cert_content: |
+  -----BEGIN CERTIFICATE-----
+  MIID6zCCAtOgAwIBAgIUDwR1QkWYb73hAeNnphytR1tGE0swDQYJKoZIhvcNAQEL
+  BQAwgYQxCzAJBgNVBAYTAkVTMQ4wDAYDVQQIDAVTcGFpbjERMA8GA1UEBwwIVmFs
+  ZW5jaWExHjAcBgNVBAoMFVZlcmRuYXR1cmEgTGV2YW50ZSBTTDETMBEGA1UECwwK
+  TWFzdGVyIEtleTEdMBsGA1UEAwwUYmFjdWxhLnZlcmRuYXR1cmEuZXMwHhcNMjMx
+  MDAxMTc1MzQyWhcNMzMwOTI4MTc1MzQyWjCBhDELMAkGA1UEBhMCRVMxDjAMBgNV
+  BAgMBVNwYWluMREwDwYDVQQHDAhWYWxlbmNpYTEeMBwGA1UECgwVVmVyZG5hdHVy
+  YSBMZXZhbnRlIFNMMRMwEQYDVQQLDApNYXN0ZXIgS2V5MR0wGwYDVQQDDBRiYWN1
+  bGEudmVyZG5hdHVyYS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+  AJr2D9thvNVxmMyNO8wvFYZJeWLyc8RcNfjiKaY53RadMgXgsiAl4BlSNxc9ngqA
+  2z7ef4SK50pU9Pl6w1Ljua4lFnZqW9Ow6J9nT6wbdkkuilVoao+0wZBQCX19ToJg
+  LtgJ00KU2SH7KCi+mYdEY1oW/BsZy+QTJ6HYbOOjb/yISUp4crGE5h+vph1tyhC1
+  Vfj17wACmFjtZ52cQMWyQRT3kSrxTp4Y+xAsFUE9lTQaoBQ5XcRO5tmDnxEVKZIR
+  B5ZNatpY8em4CFUQ2B+9XPoXYY3KAzAh8U7fEqcZQ8x44LTVZjHvjXOlHwrcgYoh
+  P0Rbtv7uRbGBn9EviFW6lrUCAwEAAaNTMFEwHQYDVR0OBBYEFM1UYUBPXj82hm+W
+  UCXVSisi4bv6MB8GA1UdIwQYMBaAFM1UYUBPXj82hm+WUCXVSisi4bv6MA8GA1Ud
+  EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC2gpGcsT2v2OfdxMaL9oI+B
+  EqHPrNM4UblRCyLF21JCEhYg3Ow9lseO3ObMz/cOJGsMgrvipUgxUNDuS+DpyG5E
+  tKO6895t30TIjICm9udVTyNzC3SyyP/kojNqA9mU8QU+fRdale+ruAJ/A0nbmP/v
+  uETeqHg49PfH98ce2pMpIiIm+UyvLDjH6KMcnt7KlxtSMxAD9ihK19M7m0CKL3PL
+  iNu7ZG2Ke7ai4wkIKiUpugWK/f2bXNY36/HJeoN9cKrfVQzh6jsoplj5qc7GtzQK
+  vbLOVOOXArPis1naT1aW5s/At2NaNpA3a9HjauzZgfIiU+ekIWEccU0OyRGxCGA=
+  -----END CERTIFICATE-----
+vn_witness: false

roles/debian-base/files/set-timezone.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-echo 'tzdata tzdata/Areas select Europe' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Europe select Madrid' | debconf-set-selections
-echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections
-rm /etc/timezone
-rm /etc/localtime
-dpkg-reconfigure -f noninteractive tzdata

roles/debian-base/handlers/main.yml

@@ -1,21 +1,26 @@
-- name: restart-timesyncd
-  service:
+- name: restart systemd-timesyncd
+  systemd:
     name: systemd-timesyncd
     state: restarted
-- name: restart-exim
-  service:
-    name: exim4
-    state: restarted
 - name: restart-ssh
-  service:
+  systemd:
     name: ssh
     state: restarted
-- name: restart-fail2ban
-  service:
+- name: restart fail2ban
+  systemd:
     name: fail2ban
     state: restarted
 - name: restart-nrpe
-  service:
+  systemd:
     name: nagios-nrpe-server
     state: restarted
-
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
+- name: generate locales
+  command: /usr/sbin/locale-gen
+- name: reconfigure tzdata
+  command: dpkg-reconfigure -f noninteractive tzdata
+- name: update exim configuration
+  command: /usr/sbin/update-exim4.conf

roles/debian-base/tasks/bacula.yml

@@ -2,19 +2,49 @@
   apt:
     name: bacula-fd
     state: present
-- name: Load Bacula default passwords
+- name: Read content file in base64
   slurp:
     src: /etc/bacula/common_default_passwords
-  register: bacula_passwords
+  register: file_content
+- name: Going to text plane
+  set_fact:
+    file_content_decoded: "{{ file_content.content | b64decode }}"
+- name: Extracting passwords
+  set_fact:
+    passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}"
+- name: Initialize password dictionary
+  set_fact:
+    bacula_passwords: {}
+- name: Convert lines to individual variables generating a new dict
+  set_fact:
+    bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}"
+  loop: "{{ passwords }}"
+  when: "'FDPASSWD' in item or 'FDMPASSWD' in item"
 - name: Configure Bacula FD
   template:
     src: bacula-fd.conf
     dest: /etc/bacula/bacula-fd.conf
     owner: root
     group: bacula
-    mode: '0640'
+    mode: u=rw,g=r,o=
     backup: true
+  register: bacula_config
+- name: Configure master cert
+  copy:
+    content: "{{ master_cert_content }}"
+    dest: /etc/bacula/master-cert.pem
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+- name: Configure master cert
+  copy:
+    content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}"
+    dest: /etc/bacula/fd-cert.pem
+    owner: root
+    group: bacula
+    mode: u=rw,g=r,o=
 - name: Restart Bacula FD service
   service:
     name: bacula-fd
     state: restarted
+  when: bacula_config.changed

roles/debian-base/tasks/fail2ban.yml

@@ -1,15 +1,32 @@
-- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
   apt:
-    name: fail2ban
+    name: "{{ fail2ban_base_packages }}"
     state: present
-  loop:
-    - fail2ban
-    - rsyslog
+- name: Configure sshd_config settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf
+    content: |
+      # Do not edit this file! Ansible will overwrite it.
+      
+      SyslogFacility AUTH
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: restart sshd
 - name: Configure fail2ban service
   template:
     src: jail.local
     dest: /etc/fail2ban/jail.local
     owner: root
     group: root
-    mode: '0644'
-  notify: restart-fail2ban
+    mode: u=rw,g=r,o=r
+  notify: restart fail2ban
+  register: jail
+- name: Ensure file for auth sshd custom log exists
+  file:
+    path: /var/log/auth.log
+    state: touch
+    owner: root
+    group: adm
+    mode: u=rw,g=r,o=
+  when: jail.changed

roles/debian-base/tasks/install.yml

@@ -1,10 +1,4 @@
 - name: Install base packages
   apt:
-    name: "{{ item }}"
+    name: "{{ base_packages }}"
     state: present
-  with_items:
-    - htop
-    - psmisc
-    - bash-completion
-    - screen
-    - aptitude

roles/debian-base/tasks/locale.yml

@@ -1,15 +1,6 @@
-- name: Enable locale languages
-  lineinfile:
-    dest: /etc/locale.gen
-    regexp: "{{item.regexp}}"
-    line: "{{item.line}}"
+- name: make sure locales in variable are generated
+  locale_gen:
+    name: "{{ item }}"
     state: present
-  with_items:
-    - regexp: "^# es_ES.UTF-8 UTF-8"
-      line: "es_ES.UTF-8 UTF-8"
-    - regexp: "^# en_US.UTF-8 UTF-8"
-      line: "en_US.UTF-8 UTF-8"
-- name: Generate locale
-  command: locale-gen
-- name: Update locale
-  command: update-locale LANG=en_US.UTF-8
+  with_items: "{{ locales_present }}"
+  notify: generate locales

roles/debian-base/tasks/main.yml

@@ -1,3 +1,11 @@
+- import_tasks: witness.yml
+  tags: witness
+- import_tasks: resolv.yml
+  tags: resolv
+- import_tasks: timesync.yml
+  tags: timesync
+- import_tasks: ssh.yml
+  tags: ssh
 - import_tasks: defuser.yml
   tags: defuser
 - import_tasks: install.yml
@@ -16,3 +24,9 @@
   tags: vim
 - import_tasks: nrpe.yml
   tags: nrpe
+- import_tasks: fail2ban.yml
+  tags: fail2ban
+- import_tasks: bacula.yml
+  tags: bacula
+- import_tasks: vn-repo.yml
+  tags: vn-repo

roles/debian-base/tasks/motd.yml

@@ -2,6 +2,6 @@
   copy:
     src: motd
     dest: /etc/update-motd.d/90-vn
-    mode: '755'
+    mode: u=rwx,g=rx,o=rx
     owner: root
     group: root

roles/debian-base/tasks/nrpe.yml

@@ -1,10 +1,8 @@
 - name: Install NRPE packages
   apt:
-    name: "{{ item }}"
+    name: "{{ nagios_packages }}"
     state: present
-  loop:
-    - nagios-nrpe-server
-    - nagios-plugins-contrib
+    install_recommends: no
 - name: Set NRPE generic configuration
   template:
     src: nrpe.cfg

roles/debian-base/tasks/profile.yml

@@ -2,6 +2,6 @@
   copy:
     src: profile.sh
     dest: /etc/profile.d/vn.sh
-    mode: '644'
+    mode: u=rw,g=r,o=r
     owner: root
     group: root

roles/debian-base/tasks/relayhost.yml

@@ -3,46 +3,27 @@
     name: exim4
     state: present
 - name: Prepare exim configuration
-  lineinfile:
-    dest: /etc/exim4/update-exim4.conf.conf
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
+  blockinfile:
+    path: /etc/exim4/update-exim4.conf.conf
+    marker_begin: '--- BEGIN VN ---'
+    marker_end: '--- END VN ---'
+    marker: "# {mark}"
+    block: |
+      dc_eximconfig_configtype='satellite'
+      dc_other_hostnames='{{ ansible_fqdn }}'
+      dc_local_interfaces='127.0.0.1'
+      dc_readhost='{{ ansible_fqdn }}'
+      dc_smarthost='{{ smtp_server }}'
+      dc_hide_mailname='true'
     state: present
-    mode: 0644
-  with_items:
-    - regexp: '^dc_eximconfig_configtype'
-      line: "dc_eximconfig_configtype='satellite'"
-    - regexp: '^dc_other_hostnames'
-      line: "dc_other_hostnames='{{ ansible_fqdn }}'"
-    - regexp: '^dc_local_interfaces'
-      line: "dc_local_interfaces='127.0.0.1'"
-    - regexp: '^dc_readhost'
-      line: "dc_readhost='{{ ansible_fqdn }}'"
-    - regexp: '^dc_relay_domains'
-      line: "dc_relay_domains=''"
-    - regexp: '^dc_minimaldns'
-      line: "dc_minimaldns='false'"
-    - regexp: '^dc_relay_nets'
-      line: "dc_relay_nets=''"
-    - regexp: '^dc_smarthost'
-      line: "dc_smarthost='{{ smtp_server }}'"
-    - regexp: '^CFILEMODE'
-      line: "CFILEMODE='644'"
-    - regexp: '^dc_use_split_config'
-      line: "dc_use_split_config='false'"
-    - regexp: '^dc_hide_mailname'
-      line: "dc_hide_mailname='true'"
-    - regexp: '^dc_mailname_in_oh'
-      line: "dc_mailname_in_oh='true'"
-    - regexp: '^dc_localdelivery'
-      line: "dc_localdelivery='mail_spool'"
-  notify: restart-exim
+    create: yes
+    mode: u=rw,g=r,o=r
+  notify: update exim configuration
   register: exim_config
-- name: Update exim configuration
-  command: update-exim4.conf
-  when: exim_config.changed
+- name: Force execution of handlers immediately
+  meta: flush_handlers
 - name: Sending mail to verify relay host configuration works
   shell: >
-    echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
+    sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \
       | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}"
   when: exim_config.changed

roles/debian-base/tasks/resolv.yml

@@ -0,0 +1,22 @@
+- name: Check if DNS is already configured
+  stat:
+    path: /etc/resolv.conf
+  register: resolv_conf
+- name: Read /etc/resolv.conf
+  slurp:
+    path: /etc/resolv.conf
+  register: resolv_conf_content
+  when: resolv_conf.stat.exists
+- name: Check if DNS servers are already present
+  set_fact:
+    dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}"
+  when: resolv_conf.stat.exists
+- name: Apply resolv.conf template only if DNS is not configured
+  template:
+    src: templates/resolv.conf
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+    backup: true
+  when: not resolv_conf.stat.exists or not dns_configured

roles/debian-base/tasks/ssh.yml

@@ -0,0 +1,22 @@
+- name: Generate SSH key pairs
+  openssh_keypair:
+    path: "/etc/ssh/ssh_host_{{ item.type }}_key"
+    type: "{{ item.type }}"
+    force: yes
+  when: vn_witness
+  loop:
+    - { type: 'rsa' }
+    - { type: 'ecdsa' }
+    - { type: 'ed25519' }
+  notify: restart sshd
+- name: Configure sshd_config settings
+  copy:
+    dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf
+    content: |
+      # Do not edit this file! Ansible will overwrite it.
+
+      ListenAddress 0.0.0.0
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: restart sshd

roles/debian-base/tasks/timesync.yml

@@ -1,21 +1,23 @@
-- name: Configure /etc/systemd/timesyncd.conf
-  lineinfile:
-    path: /etc/systemd/timesyncd.conf
-    regexp: '^#NTP'
-    line: "NTP={{ time_server }}"
+- name: Ensure directory for timesyncd custom configuration exists
+  file:
+    path: /etc/systemd/timesyncd.conf.d/
+    state: directory
     owner: root
     group: root
-    mode: '0644'
-- name: Configure /etc/systemd/timesyncd.conf
-  lineinfile:
-    path: /etc/systemd/timesyncd.conf
-    regexp: '^#?FallbackNTP='
-    line: "FallbackNTP=ntp.roa.es"
+    mode: u=rwx,g=rx,o=rx
+- name: Configure NTP settings in /etc/systemd/timesyncd.conf.d/vn-ntp.conf
+  copy:
+    dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf
+    content: |
+      [Time]
+      NTP={{ time_server }}
+      FallbackNTP={{ time_server_spain }}
     owner: root
     group: root
-    mode: '0644'
+    mode: u=rw,g=r,o=r
   notify: restart systemd-timesyncd
-- name: Service should start on boot
+- name: Ensure systemd-timesyncd service is enabled and started
   service:
     name: systemd-timesyncd
     enabled: yes
+    state: started

roles/debian-base/tasks/tzdata.yml

@@ -1,2 +1,11 @@
-- name: Configure the time zone
-  script: set-timezone.sh
+- name: Configure debconf for tzdata
+  debconf:
+    name: tzdata
+    question: "{{ item.question }}"
+    value: "{{ item.value }}"
+    vtype: "string"
+  loop:
+    - { question: "tzdata/Areas", value: "Europe" }
+    - { question: "tzdata/Zones/Europe", value: "Madrid" }
+    - { question: "tzdata/Zones/Etc", value: "UTC" }
+  notify: reconfigure tzdata

roles/debian-base/tasks/vim.yml

@@ -6,6 +6,6 @@
   copy:
     src: vimrc.local
     dest: /etc/vim/
-    mode: '644'
+    mode: u=rw,g=r,o=r
     owner: root
     group: root

roles/debian-base/tasks/vn-repo.yml

@@ -1,12 +1,3 @@
-- name: Download vn-host Debian package
-  get_url:
-    url: "{{ vn_host.url }}/{{ vn_host.package }}"
-    dest: "/tmp/{{ vn_host.package }}"
-    mode: '0644'
 - name: Install package
   apt:
-    deb: "/tmp/{{ vn_host.package }}"
-- name: Delete package
-  file:
-    path: "/tmp/{{ vn_host.package }}"
-    state: absent
+    deb: "{{ vn_host.url }}/{{ vn_host.package }}"

roles/debian-base/tasks/witness.yml

@@ -0,0 +1,12 @@
+- name: Check if witness have been generated
+  stat:
+    path: /etc/vn.witness
+  register: keys_generated_marker
+- name: Generate variable if not exists
+  set_fact:
+    vn_witness: "{{ not keys_generated_marker.stat.exists }}"
+- name: Create marker file to indicate vn happends
+  file:
+    path: /etc/vn.witness
+    state: touch
+  when: vn_witness

roles/debian-base/templates/bacula-fd.conf

@@ -1,10 +1,10 @@
 Director {
   Name = bacula-dir
-  Password = "{{ FDPASSWD }}"
+  Password = "{{ bacula_passwords.fdpasswd }}"
 }
 Director {
   Name = bacula-mon
-  Password = "{{ FDMPASSWD }}"
+  Password = "{{ bacula_passwords.fdmpasswd }}"
   Monitor = yes
 }
 FileDaemon {

roles/debian-base/templates/jail.local

@@ -14,7 +14,9 @@ action    = %(action_)s
 #+++++++++++++++ Jails
 
 [sshd]
+ignoreip  = 127.0.0.1/8
 enabled   = true
 port      = 0:65535
 filter    = sshd
-logpath   = %(sshd_log)s
+logpath   = {{ fail2ban.logpath }}
+action    = %(action_mwl)s

roles/debian-base/templates/nrpe.cfg

@@ -1,4 +1,5 @@
 allowed_hosts={{ nagios_server }}
+server_address={{ ansible_default_ipv4.address }}
 
 command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
 command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var

roles/debian-base/templates/resolv.conf

@@ -1,5 +1,5 @@
-domain {{ resolv_domain }}
-search {{ resolv_domain }}
+domain {{ host_domain }}
+search {{ host_domain }}
 {% if resolvers is defined %}
 {% for resolver in resolvers %}
 nameserver {{resolver}}

roles/debian-base/vars/main.yml

@@ -1,3 +0,0 @@
-vn_host:
-  url: http://apt.verdnatura.es/pool/main/v/vn-host
-  package: vn-host_2.0.2_all.deb

roles/debian-guest/handlers/main.yml

@@ -2,5 +2,3 @@
   service:
     name: nslcd
     state: restarted
-- name: pam-update-ldap
-  shell: pam-auth-update --enable ldap

roles/debian-guest/tasks/auth.yml

@@ -11,7 +11,7 @@
     mode: '0640'
   notify:
     - restart-nslcd
-    - pam-update-ldap
+  register: nslcd
 - name: Configure nsswitch to use NSLCD
   lineinfile:
     dest: /etc/nsswitch.conf

roles/debian-host/handlers/main.yml

@@ -1,4 +1,4 @@
 - name: restart-sysctl
-  service:
+  systemd:
     name: systemd-sysctl
-    state: restarted
+    state: restarted

roles/debian-host/tasks/apparmor.yml

@@ -1,5 +1,12 @@
-- name: Disable AppArmor
-  service:
+- name: Stop AppArmor
+  systemd:
     name: apparmor
     state: stopped
+- name: Disable AppArmor service
+  systemd:
+    name: apparmor
     enabled: no
+- name: Mask AppArmor service
+  systemd:
+    name: apparmor
+    masked: yes

roles/debian-host/tasks/hostname.yml

@@ -2,11 +2,8 @@
   hostname:
     name: "{{ inventory_hostname_short }}"
     use: debian
-- name: Configure hosts file
-  blockinfile:
+- name: Populating hosts file with hostname
+  lineinfile:
     path: /etc/hosts
-    marker_begin: '--- BEGIN VN ---'
-    marker_end: '--- END VN ---'
-    marker: "# {mark}"
-    block: |
-      {{ ansible_default_ipv4.address }} {{ hostname_fqdn }} {{ inventory_hostname_short }}
+    regexp: '^127\.0\.1\.1'
+    line: '127.0.1.1       {{ hostname_fqdn }} {{ inventory_hostname_short }}'

roles/debian-host/tasks/resolv.yml

@@ -1,9 +0,0 @@
-- name: Replace /etc/resolv.conf
-  template:
-    src: resolv.conf
-    dest: /etc/
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-  when: resolv_enabled

roles/debian-host/tasks/sysctl.yml

@@ -1,4 +1,4 @@
-- name: Set systctl configuration
+- name: Set systctl custom vn configuration
   copy:
     src: sysctl/
     dest: /etc/sysctl.d/

roles/debian-once/tasks/main.yml

@@ -1,4 +1,2 @@
-- import_tasks: ssh.yml
-  tags: ssh
 - import_tasks: root.yml
   tags: root

roles/debian-once/tasks/ssh.yml

@@ -1,10 +0,0 @@
-- name: Delete old host SSH keys
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/ssh/ssh_host_ecdsa_key
-    - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_rsa_key
-- name: Regenerate host SSH keys
-  command: dpkg-reconfigure openssh-server