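---
# Base hardening tasks for a Debian/Ubuntu host (apt-flavoured package names,
# systemd unit "ssh"). Task order matters: the SSH allow rule is added before
# UFW is enabled so the managing connection is never cut by the default deny
# policy, and sshd is only restarted after its new config has been validated.
- name: Ensure base packages
  ansible.builtin.package:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - git
      - vim
      - ufw
      - python3
      - python3-venv
    state: present
    update_cache: true

- name: Harden SSH
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/10-hardening.conf
    owner: root
    group: root
    mode: '0644'
    # Refuse to install a drop-in that sshd cannot parse; a broken file plus
    # the restart below would otherwise lock every operator out of the host.
    validate: /usr/sbin/sshd -t -f %s
    # ChallengeResponseAuthentication is closed as well: with PAM enabled,
    # keyboard-interactive prompts can still accept a password even when
    # PasswordAuthentication is off.
    content: |
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PermitRootLogin no
      PubkeyAuthentication yes
  register: sshd_hardening

- name: Restart sshd
  ansible.builtin.service:
    name: ssh
    state: restarted
  # Only bounce the daemon when the drop-in actually changed; an unconditional
  # restart on every run drops in-flight sessions for no reason.
  when: sshd_hardening is changed

# Allow SSH before enabling the firewall: enabling UFW applies the deny policy
# immediately, so the reverse order risks severing the Ansible connection.
- name: Allow SSH in UFW
  ansible.builtin.ufw:
    rule: allow
    name: OpenSSH

- name: Configure UFW
  ansible.builtin.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"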