rollout/roles/base_setup/tasks/main.yml

---
# tasks file for roles/base_setup
- name: Update package cache
  apt:
    update_cache: yes
  when: ansible_os_family == 'Debian'

- name: Install basic packages
  package:
    name:
      - git
      - vim
      - tmux
      - python3
      - python3-pip
      - python3-venv
      - curl
      - wget
      - build-essential
      - rsync
      - bash-completion
      - apt-transport-https
      - ca-certificates
      - gnupg
    state: present

- name: Create user with or without password
  block:
    - name: Generate random password
      command: openssl rand -base64 32
      register: random_password
      changed_when: false
      when: generate_user_password | bool

    - name: Set password fact
      set_fact:
        generated_password: "{{ random_password.stdout }}"
      when: generate_user_password | bool

    - name: Create user with password
      user:
        name: "{{ base_username }}"
        password: "{{ random_password.stdout | password_hash('sha512') }}"
        groups: sudo
        shell: /bin/bash
      when: generate_user_password | bool

    - name: Create user without password
      user:
        name: "{{ base_username }}"
        groups: sudo
        shell: /bin/bash
      when: not generate_user_password | bool

    - name: Display generated password
      debug:
        msg: "Generated password for {{ base_username }} on {{ inventory_hostname }}: {{ random_password.stdout }}"
      when: generate_user_password | bool

  always:
    - name: Ensure user is in sudo group
      user:
        name: "{{ base_username }}"
        groups: sudo
        append: yes

- name: Set up authorized key for user
  authorized_key:
    user: "{{ base_username }}"
    key: "{{ lookup('file', base_ssh_keyfile) }}"

- name: Set timezone
  timezone:
    name: "{{ base_timezone }}"