algo/roles/common/tasks/ubuntu.yml
Jack Ivanov 8bdd99c05d Refactor to support Ansible 2.8 (#1549)
* bump ansible to 2.8.3

* DigitalOcean: move to the latest modules

* Add Hetzner Cloud

* Scaleway and Lightsail fixes

* lint missing roles

* Update roles/cloud-hetzner/tasks/main.yml

Add api_token

Co-Authored-By: phaer <phaer@phaer.org>

* Update roles/cloud-hetzner/tasks/main.yml

Add api_token

Co-Authored-By: phaer <phaer@phaer.org>

* Try to run apt until succeeded

* Scaleway modules upgrade

* GCP: Refactoring, remove deprecated modules

* Doc updates (#1552)

* Update README.md

Adding links and mentions of Exoscale aka CloudStack and Hetzner Cloud.

* Update index.md

Add the Hetzner Cloud to the docs index

* Remove link to Win 10 IPsec instructions

* Delete client-windows.md

Unnecessary since the deprecation of IPsec for Win10.

* Update deploy-from-ansible.md

Added sections and required variables for CloudStack and Hetzner Cloud.

* Update deploy-from-ansible.md

Added sections for CloudStack and Hetzner, added req variables and examples, mentioned environment variables, and added links to the provider role section.

* Update deploy-from-ansible.md

Cosmetic changes to links, fix typo.

* Update GCE variables

* Update deploy-from-script-or-cloud-init-to-localhost.md

Fix a finer point, and make variables list more readable.

* update azure requirements

* Python3 draft

* set LANG=c to the p12 password generation task

* Update README

* Install cloud requirements to the existing venv

* FreeBSD fix

* env->.env fixes

* lightsail_region_facts fix

* yaml syntax fix

* Update README for Python 3 (#1564)

* Update README for Python 3

* Remove tabs and tweak instructions

* Remove cosmetic command indentation

* Update README.md

* Update README for Python 3 (#1565)

* DO fix for "found unpermitted parameters: id"

* Verify Python version

* Remove ubuntu 16.04 from readme

* Revert back DigitalOcean module

* Update deploy-from-script-or-cloud-init-to-localhost.md

* env to .env
2019-09-28 08:10:20 +08:00

116 lines
2.8 KiB
YAML

---
- name: Gather facts
  setup:

# Everything in this block is skipped for local installs (algo_provider == "local").
- name: Cloud only tasks
  block:
    # Retry until apt succeeds: up to 30 attempts, 10 seconds apart.
    - name: Install software updates
      apt:
        update_cache: true
        install_recommends: true
        upgrade: dist
      register: result
      until: result is succeeded
      retries: 30
      delay: 10

    - name: Check if reboot is required
      shell: >
        if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
      args:
        executable: /bin/bash
      register: reboot_required

    # Fire-and-forget (async/poll 0) so the task returns before the connection drops.
    - name: Reboot
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      when: reboot_required is defined and reboot_required.stdout == 'required'
      ignore_errors: true

    - name: Wait until the server becomes ready...
      wait_for_connection:
        delay: 20
        timeout: 320
      when: reboot_required is defined and reboot_required.stdout == 'required'
      become: false
  when: algo_provider != "local"

- name: Include unattended upgrades configuration
  import_tasks: unattended-upgrades.yml

# Comment out the pam_motd session lines for console and SSH logins.
- name: Disable MOTD on login and SSHD
  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
  with_items:
    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }

- name: Loopback for services configured
  template:
    src: 10-algo-lo100.network.j2
    dest: /etc/systemd/network/10-algo-lo100.network
  notify:
    - restart systemd-networkd

- name: systemd services enabled and started
  systemd:
    name: "{{ item }}"
    state: started
    enabled: true
    daemon_reload: true
  with_items:
    - systemd-networkd
    - systemd-resolved

- meta: flush_handlers

# apparmor_status may fail or be missing; errors are ignored and the fact is
# only set when the output reports profiles in enforce mode.
- name: Check apparmor support
  command: apparmor_status
  ignore_errors: yes
  changed_when: false
  register: apparmor_status

- name: Set fact if apparmor enabled
  set_fact:
    apparmor_enabled: true
  when: '"profiles are in enforce mode" in apparmor_status.stdout'

- name: Gather additional facts
  import_tasks: facts.yml

- name: Set OS specific facts
  set_fact:
    tools:
      - git
      - screen
      - apparmor-utils
      - uuid-runtime
      - coreutils
      - iptables-persistent
      - cgroup-tools
      - openssl
      - gnupg2
    # Kernel forwarding settings; the IPv6 entry is only named when ipv6_support is set.
    sysctl:
      - item: net.ipv4.ip_forward
        value: 1
      - item: net.ipv4.conf.all.forwarding
        value: 1
      - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
        value: 1

- name: Install tools
  apt:
    name: "{{ tools|default([]) }}"
    state: present
    update_cache: true

- name: Install headers
  apt:
    name:
      - linux-headers-generic
      - "linux-headers-{{ ansible_kernel }}"
    state: present
  when: install_headers

- include_tasks: iptables.yml
  tags: iptables