Trying to understand this ugh

linux/compliance.yaml

@@ -2,6 +2,16 @@
 ## Checks/deploys a Linux system to be managed with Ansible.
 
 - hosts: all
+  gather_facts: yes
   tasks:
+    - name: "Set become method to doas (Alpine)"
+      vars:
+        ansible_become_method: doas
+      when: "ansible_distribution == 'Alpine'"
+    
+    - name: "Set become to true"
+      vars:
+        ansible_become: true
+      
     - name: "Include OS specific tasks"
       ansible.builtin.include_tasks: "compliance_{{ ansible_distribution }}.yaml"

linux/compliance_Alpine.yaml

@@ -1,126 +1,111 @@
 ---
 ## Checks/deploys a Linux system to be managed with Ansible.
 
-gather_facts: yes
+- name: Gather all system groups
-become: yes
+  ansible.builtin.getent:
-become_method: doas
+    database: group
-tasks:
+    split: ':'
-  # Gather system groups
+# Add doas package
-  - name: Gather all system groups
+- name: Install doas (for Alpine systems).
-    ansible.builtin.getent:
+  ansible.builtin.package:
-      database: group
+    name:
-      split: ':'
+      - doas
-
+  state: present
-  # Add doas package
+# User account (ansible) configuration
-  - name: Install doas (for Alpine systems).
+- name: Add deployment user.
-    ansible.builtin.package:
+  user:
-      name:
+    name: ansible
-        - doas
+    state: present
-      state: present
+- name: Add deployment user to wheel group.
-
+  user:
-  # User account (ansible) configuration
+    name: ansible
-  - name: Add deployment user.
+    groups: wheel
-    user:
+    append: yes
-      name: ansible
+  when: "'wheel' in ansible_facts.getent_group"
-      state: present
+# Ansible user SSH pub key
-  - name: Add deployment user to wheel group.
+# This is a really stupid way to do it, but alas.
-    user:
+# This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
-      name: ansible
+- name: Create ssh directory for deployment user.
-      groups: wheel
+  file:
-      append: yes
+    path: /home/ansible/.ssh
-    when: "'wheel' in ansible_facts.getent_group"
+    state: directory
-
+    owner: ansible
-  # Ansible user SSH pub key
+    group: ansible
-  # This is a really stupid way to do it, but alas.
+- name: Add deployment user's SSH key.
-  # This uses an environment variable named ansiblesvc_key in Semaphore which has the ssh-rsa pubkey.
+  copy:
-  - name: Create ssh directory for deployment user.
+    content: "{{ ansiblesvc_key }}"
-    file:
+    dest: /home/ansible/.ssh/authorized_keys
-      path: /home/ansible/.ssh
+    owner: ansible
-      state: directory
+    group: ansible
-      owner: ansible
+# Add required packages because Debian is lame
-      group: ansible
+- name: Install standard packages if not already installed.
-  - name: Add deployment user's SSH key.
+  # Looking at you LXCs. >.>
-    copy:
+  ansible.builtin.package:
-      content: "{{ ansiblesvc_key }}"
+    name:
-      dest: /home/ansible/.ssh/authorized_keys
+      - curl
-      owner: ansible
+      - net-tools
-      group: ansible
+      - wget
-
+      - util-linux
-  # Add required packages because Debian is lame
+      - python3
-  - name: Install standard packages if not already installed.
+      - iftop
-    # Looking at you LXCs. >.>
+    state: present
-    ansible.builtin.package:
+# Give ansible doas rights with no password required.
-      name:
+- name: Add doas rights with no password for deployment user (Alpine only)
-        - curl
+  lineinfile:
-        - net-tools
+    dest: /etc/doas.conf
-        - wget
+    regexp: '^ansible'
-        - util-linux
+    line: 'permit keepenv nopass :ansible'
-        - python3
+    state: present
-        - iftop
+    validate: 'doas -C %s'
-      state: present
+# User account (nhadmin) configuration, for sysadmin use
-    
+- name: Create user nhadmin.
-  # Give ansible doas rights with no password required.
+  user:
-  - name: Add doas rights with no password for deployment user (Alpine only)
+    name: nhadmin
-    lineinfile:
+    state: present
-      dest: /etc/doas.conf
+    password: "{{ nhadmin_password | password_hash('sha512') }}"
-      regexp: '^ansible'
+    shell: /bin/bash
-      line: 'permit keepenv nopass :ansible'
+- name: Add nhadmin to wheel group.
-      state: present
+  user:
-      validate: 'doas -C %s'
+    name: nhadmin
-
+    groups: wheel
-  # User account (nhadmin) configuration, for sysadmin use
+    append: yes
-  - name: Create user nhadmin.
+  when: "'wheel' in ansible_facts.getent_group"
-    user:
+# Sysadmin user SSH pub key
-      name: nhadmin
+# This is a really stupid way to do it, but alas.
-      state: present
+# This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
-      password: "{{ nhadmin_password | password_hash('sha512') }}"
+- name: Create ssh directory for nhadmin.
-      shell: /bin/bash
+  file:
-
+    path: /home/nhadmin/.ssh
-  - name: Add nhadmin to wheel group.
+    state: directory
-    user:
+    owner: nhadmin
-      name: nhadmin
+    group: nhadmin
-      groups: wheel
+- name: Add nhadmin user's SSH key.
-      append: yes
+  copy:
-    when: "'wheel' in ansible_facts.getent_group"
+    content: "{{ nhadmin_key }}"
-
+    dest: /home/nhadmin/.ssh/authorized_keys
-  # Sysadmin user SSH pub key
+    owner: nhadmin
-  # This is a really stupid way to do it, but alas.
+    group: nhadmin
-  # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
+# SSH config updating
-  - name: Create ssh directory for nhadmin.
+- name: Update SSH configuration to disallow root login and disable password authentication.
-    file:
+  lineinfile:
-      path: /home/nhadmin/.ssh
+    dest: /etc/ssh/sshd_config
-      state: directory
+    regexp: "{{ item.regexp }}"
-      owner: nhadmin
+    line: "{{ item.line }}"
-      group: nhadmin
+    state: present
-  - name: Add nhadmin user's SSH key.
+    validate: 'sshd -t -f %s'
-    copy:
+  with_items:
-      content: "{{ nhadmin_key }}"
+    - regexp: "^PermitRootLogin"
-      dest: /home/nhadmin/.ssh/authorized_keys
+      line: "PermitRootLogin no"
-      owner: nhadmin
+    - regexp: "^PasswordAuthentication"
-      group: nhadmin
+      line: "PasswordAuthentication no"
-
+    - regexp: "^PubkeyAuthentication"
-  # SSH config updating
+      line: "PubkeyAuthentication yes"
-  - name: Update SSH configuration to disallow root login and disable password authentication.
+- name: Restart SSH service.
-    lineinfile:
+  service:
-      dest: /etc/ssh/sshd_config
+    name: sshd
-      regexp: "{{ item.regexp }}"
+    state: restarted
-      line: "{{ item.line }}"
+# Delete our network ansible key from the root user.
-      state: present
+- name: Delete our network ansible key (and other keys) from the root user.
-      validate: 'sshd -t -f %s'
+  file:
-    with_items:
+    path: /root/.ssh/authorized_keys
-      - regexp: "^PermitRootLogin"
+    state: absent
-        line: "PermitRootLogin no"
-      - regexp: "^PasswordAuthentication"
-        line: "PasswordAuthentication no"
-      - regexp: "^PubkeyAuthentication"
-        line: "PubkeyAuthentication yes"
-  - name: Restart SSH service.
-    service:
-      name: sshd
-      state: restarted
-
-  # Delete our network ansible key from the root user.
-  - name: Delete our network ansible key (and other keys) from the root user.
-    file:
-      path: /root/.ssh/authorized_keys
-      state: absent