linux-postinstall.yml

---
- name: Linux post install procedures
  hosts: all
  gather_facts: true
  tasks:
    - name: Upgrade all packages
      ansible.builtin.yum:
        name: '*'
        state: latest

    - name: Make sure firewalld service unit is running
      ansible.builtin.systemd:
        state: started
        name: firewalld
        enabled: yes
    
    - name: Copy the sshd-banner file into place
      ansible.builtin.copy:
        src: files/sshd-banner
        dest: /etc/ssh/sshd-banner
        owner: root
        group: root
        mode: u+rw,g-wx,o-wx
       
    - name: Updating the sshd_config file to show the new banner
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#Banner none'
        line: 'Banner /etc/ssh/sshd-banner'
    
    - name: Disabling root login via ssh
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#PermitRootLogin yes'
        line: 'PermitRootLogin no'
            
    - name: Reloading sshd service 
      ansible.builtin.systemd:
        state: reloaded
        name: sshd.service
        enabled: yes
      
    - name: Copy the new /etc/motd into place
      ansible.builtin.copy:
        src: files/motd
        dest: /etc/motd
        owner: root
        group: root
        mode: u+rw,g-wx,o-wx
        
    - name: Copy the new /etc/issue into place
      ansible.builtin.copy:
        src: files/issue
        dest: /etc/issue
        owner: root
        group: root
        mode: u+rw,g-wx,o-wx

    - name: Get rid of the cockpit.socket message
      ansible.builtin.file:
        src: /dev/null
        dest: /etc/motd.d/cockpit
        owner: root
        group: root
        state: link
      when: "ansible_distribution_release != 'Maipo'"
    
    - name: Unconditionally reboot the machine with all defaults
      ansible.builtin.reboot: