infra/roles/bootstrap/tasks/main.yml

---
- name: Install Python without using Ansible modules
  raw: >
       bash -c "test -e /usr/bin/python3 || 
       (test -e /usr/bin/yum && yum install -y python3) || 
       (apt install -y python3 python-apt) || 
       grep -i LibreELEC /etc/os-release"
  changed_when: false

- name: Gather facts now that Python is installed
  setup:

- name: Install sudo and lsb (RPM)
  package:
    name:
      - sudo
      - "{% if ansible_distribution_major_version != '9' %}redhat-lsb-core{% else %}python3-libselinux{% endif %}"
    state: present
  when:
    - ansible_distribution == 'CentOS' or ansible_distribution == 'Fedora'

- name: Install sudo and lsb (DEB)
  package:
    name:
      - sudo
      - lsb-release
    state: present
  when:
    - ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Install SELinux Python Modules (Fedora)
  package:
    name:
      - python3-libselinux
    state: present
  when:
    - ansible_distribution == 'Fedora'

- name: Gather facts again now that lsb is installed
  setup:

- name: Creating ansible user
  user:
    name: ansible
    state: present
    shell: /bin/bash
    uid: "{{ ansible_uid }}"
    create_home: yes
  when:
    - ansible_os_family != 'LibreELEC'

- name: Adding ansible as a sudoer
  copy:
    src: 10_ansible
    dest: /etc/sudoers.d/10_ansible
    owner: root
    group: root
    mode: '0640'
  when:
    - ansible_os_family != 'LibreELEC'

- import_role:
    name: common

- name: Ensure only key-based SSH logins are allowed
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    state: present
  notify:
    - Restart sshd
  when:
    - ansible_os_family != 'LibreELEC' # / is mounted RO in LibreELEC