@iamwillbar
Last active January 25, 2021 06:23
Bootstrapping with Ansible
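# Playbook
- hosts: all
  vars_files:
    - vault.yaml
  # Parenthesised so that ternary applies to the whole condition; a Jinja2
  # filter binds tighter than "or" and "==".
  become: "{{ (ansible_ssh_user is undefined or ansible_user == ansible_ssh_user) | ternary('yes', 'no') }}"
  become_method: su
  tasks:
    # Dedicated automation account with a fixed uid/gid
    - group:
        name: ansible
        gid: 1000
        state: present
    - user:
        name: ansible
        uid: 1000
        group: ansible
        groups: cdrom,floppy,audio,dip,video,plugdev,netdev
        password: "{{ ansible_password_crypted }}"
        shell: /bin/bash
        state: present
    - apt:
        update_cache: yes
        name:
          - curl
          - sudo
        state: present
    # Passwordless sudo for the ansible user; visudo checks the file before
    # it is installed so a syntax error cannot break sudo.
    - copy:
        content: "ansible ALL = (ALL) NOPASSWD:ALL\n"
        dest: /etc/sudoers.d/ansible
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
    # Keys are fetched from the URL at run time; exclusive removes every
    # other key from the ansible user's authorized_keys.
    - ansible.posix.authorized_key:
        user: ansible
        key: https://github.com/iamwillbar.keys
        exclusive: yes
        state: present
    # Replaces sshd_config wholesale: key-only logins, no root login.
    # sshd -t rejects a broken file before it replaces the live one.
    - copy:
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          AcceptEnv LANG LC_*
          Subsystem sftp /usr/lib/openssh/sftp-server
        dest: /etc/ssh/sshd_config
        validate: /usr/sbin/sshd -t -f %s
      register: sshd_config
    - service:
        name: sshd
        enabled: yes
        state: started
    # Restart only when the configuration file actually changed
    - service:
        name: sshd
        state: restarted
      when: sshd_config.changed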

# Inventory (INI format)
[onprem_vm]
host1.internal.domain
host2.internal.domain
host3.internal.domain

[cloud_vm]
host4.external.domain
host5.external.domain
host6.external.domain

[all:vars]
ansible_user=ansible
ansible_python_interpreter=/usr/bin/python3

# vault.yaml (loaded through vars_files in the playbook)
# SHA-512 crypt hash used as the ansible user's password
ansible_password_crypted: $6$YZlrM35Vyi.L6PKX$7u8dHLR82O4VSObPtjJzmA4cqUtmZGncyhAPjNze9LdwqXcax00Fe3FhQY4HqLXadl/XMDkUIfE8dMt8U.pOY0
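
Added example, not part of the gist: a Python check that audits sshd_config text against the three hardening directives the playbook writes, following sshd's rules that the first occurrence of a keyword wins and that a Match block can override the global value. The names audit, REQUIRED, ALIASES and DRIFTED_CONFIG are hypothetical, and the drifted sample is constructed.

```python
# Added example (not from the gist): audit sshd_config text for drift.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
}
# Deprecated alias since OpenSSH 8.7; the gist uses the older spelling.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# The configuration written by the playbook's copy task.
PLAYBOOK_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: an earlier duplicate line and a Match block re-enable passwords.
DRIFTED_CONFIG = """\
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def audit(text):
    """Return a sorted list of findings; an empty list means no drift."""
    global_seen, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything after this line is conditional
        elif keyword in REQUIRED:
            if in_match and value != REQUIRED[keyword]:
                findings.append(f"{keyword}: Match block sets '{value}'")
            elif not in_match:
                global_seen.setdefault(keyword, value)  # first occurrence wins
    for keyword, want in REQUIRED.items():
        if global_seen.get(keyword) != want:  # absent means sshd's default applies
            findings.append(f"{keyword}: expected '{want}', found {global_seen.get(keyword)!r}")
    return sorted(findings)
```

Feed it the contents of /etc/ssh/sshd_config from a managed host; on a live system, the output of sshd -T remains the authoritative view of the effective settings.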