WIP: merge user & apt branches

TODO: improve APT & user tasks to run on restricted environment
like when sudo is limited

tasks/user_cfg/apt.yml

+---
+- remote_user: root
+
+  tasks:
+    - name: Remove snap packages
+      when: snap_uninstall_pkg is defined
+      community.general.snap:
+        name: "{{ snap_uninstall_pkg }}"
+        state: absent
+
+    - name: SIGNAL | add key to keyring
+      when: inventory_hostname in groups.station
+      ansible.builtin.apt_key:
+        url: https://updates.signal.org/desktop/apt/keys.asc
+        keyring: /usr/share/keyrings/signal-desktop-keyring.gpg
+        state: present
+
+    - name: SIGNAL | add apt repository
+      when: inventory_hostname in groups.station
+      ansible.builtin.apt_repository:
+        filename: signal-desktop
+        repo: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
+        state: present

tasks/apt.yml → tasks/user_cfg/apt_restriced.yml

----
-- hosts: "{{ host_list }}"
-  remote_user: root
+- remote_user: "{{ my_user }}"
+  become_user: root
+  become_method: sudo
 
   tasks:
-
     - name: INCLUDE_VARS | base
       ansible.builtin.include_vars: "main.yml"
 
@@ -18,12 +17,6 @@
       when: "'mate' in group_names"
       ansible.builtin.include_vars: "Mate.yml"
 
-    - name: Remove snap packages
-      when: snap_uninstall_pkg is defined
-      community.general.snap:
-        name: "{{ snap_uninstall_pkg }}"
-        state: absent
-
     - name: APT | install base & os packages
       ansible.builtin.apt:
         cache_valid_time: 3600
@@ -32,20 +25,6 @@
         state: present
         update_cache: true
 
-    - name: SIGNAL | add key to keyring
-      when: inventory_hostname in groups.station
-      ansible.builtin.apt_key:
-        url: https://updates.signal.org/desktop/apt/keys.asc
-        keyring: /usr/share/keyrings/signal-desktop-keyring.gpg
-        state: present
-
-    - name: SIGNAL | add apt repository
-      when: inventory_hostname in groups.station
-      ansible.builtin.apt_repository:
-        filename: signal-desktop
-        repo: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
-        state: present
-
     - name: APT | install workstation packages
       when: inventory_hostname in groups.station
       ansible.builtin.apt:

tasks/user_cfg/main.yml

 ---
 - hosts: "{{ host_list }}"
-  become_user: "{{ my_user }}"
-  become_method: su
-  remote_user: root
 
   tasks:
+  - name: IMPORT_TASKS | APT_RESTRICTED
+    ansible.builtin.import_tasks: apt_restricted.yml
+
+  - name: IMPORT_TASKS | APT
+    ansible.builtin.import_tasks: apt.yml
+    when: inventory_hostname not in groups.restricted
 
   - name: "IMPORT_TASKS | root"
+    when: inventory_hostname not in groups.restricted
     ansible.builtin.import_tasks: root.yml
 
   - name: "IMPORT_TASKS | {{ my_user }}"

tasks/user_cfg/my_user.yml

 ---
 
 - name: MY USER | dotfiles
-  become: yes
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/home/{{ my_user }}/.{{ item | basename }}"
     mode: 0640
     owner: "{{ my_user }}"
-    group: "{{ my_user }}"
   with_fileglob:
     files/dotfiles/*
   loop_control:
     label: "{{ item | basename }}"
 
 - name: MY USER | ssh config
-  become: yes
   ansible.builtin.template:
     dest: "/home/{{ my_user }}/.ssh/config"
     src: templates/ssh_config.j2
     mode: 0640
 
+- name: "MY USER  | Local public key is present for {{ my_user }}"
+  ansible.builtin.authorized_key:
+    comment: "Managed by Ansible"
+    key: https://gitlab.com/free_zed.keys
+    state: present
+    user: "{{ my_user }}"
+
 - name: MY USER | git directory presence
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.file:
-    group: "{{ my_user }}"
     mode: '0750'
     owner: "{{ my_user }}"
     path: "/home/{{ my_user }}/git"
@@ -35,7 +37,6 @@
   ansible.builtin.include_vars: "vars/git.yml"
 
 - name: MY USER | clone git repos
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.git:
     dest: "/home/{{ my_user }}/git/{{ item.local_name }}"
@@ -48,21 +49,17 @@
     label: "{{ item.local_name }}"
 
 - name: MY USER | osm cache dir presence
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.file:
-    group: "{{ my_user }}"
     mode: '0750'
     owner: "{{ my_user }}"
     path: "/home/{{ my_user }}/.osm-tiles/"
     state: directory
 
 - name: MY USER | gps prune config
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.template:
     src: templates/pruneconfig.j2
     dest: "/home/{{ my_user }}/.pruneconfig"
     owner: "{{ my_user }}"
-    group: "{{ my_user }}"
     mode: '0640'

tasks/user_cfg/root.yml

 ---
+- remote_user: root
 
-- name: ROOT | dotfiles
-  become: no
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "/root/.{{ item | basename }}"
-    mode: 0640
-    owner: root
-    group: root
-  with_fileglob:
-    files/dotfiles/*
-  loop_control:
-    label: "{{ item | basename }}"
+  tasks:
+  -  name: ROOT | dotfiles
+     ansible.builtin.copy:
+       src: "{{ item }}"
+       dest: "/root/.{{ item | basename }}"
+       mode: 0640
+       owner: root
+       group: root
+     with_fileglob:
+       files/dotfiles/*
+     loop_control:
+       label: "{{ item | basename }}"
 
-- name: ROOT | set zsh for shell
-  become: no
-  ansible.builtin.user:
-    name: root
-    shell: /bin/zsh
-    state: present
+-  - name: ROOT | set zsh for shell
+     ansible.builtin.user:
+       name: root
+       shell: /bin/zsh
+       state: present
+
+    - name: "ROOT | Local public key is present for root"
+      ansible.builtin.authorized_key:
+        comment: "Managed by Ansible"
+        key: https://gitlab.com/free_zed.keys
+        state: present
+        user: root