Created a role for initial lockdown of recent VPS, and started role for basic server configuration

.ansible/roles/lockdown/tasks/deshell.yml

@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: MIT-0
+---
+# tasks file for lockdown
+- name: Disable shell for root user
+  when: ansible_facts["user_id"] != "root"
+  become: true
+  ansible.builtin.user:
+    name: root
+    shell: /sbin/nologin
+  tags:
+    - deshell_root
+  register: root_shell_disabled

.ansible/roles/lockdown/tasks/main.yml

@@ -0,0 +1,160 @@
+# SPDX-License-Identifier: MIT-0
+---
+# tasks file for lockdown
+# @NOTE: assumes one logged in to SSH server as root to begin with, hence no need for privilege escalation
+- name: Create users
+  when: ansible_facts["user_id"] == "root"
+  block:
+    - name: Create sys-admin user
+      ansible.builtin.user:
+        name: "{{ create_users[0].username }}"
+        uid: 1000
+        password: "{{ create_users[0].password }}"
+        append: yes
+        groups:
+          - sudo
+        shell: /bin/bash
+        generate_ssh_key: yes
+        password_expire_min: 93
+        password_expire_max: 186
+        password_expire_warn: 45
+        comment: sysadmin
+        # ssh_key_passphrase: "{{ item.password }}"
+        state: present
+      tags:
+        - default
+        - administrative_user
+      register: created_admin
+    - name: Create new user
+      ansible.builtin.user:
+        name: "{{ item.username }}"
+        uid: 1000
+        password: "{{ item.password }}"
+        append: yes
+        groups:
+          - sudo
+        shell: /bin/bash
+        generate_ssh_key: yes
+        password_expire_min: 93
+        password_expire_max: 186
+        password_expire_warn: 45
+        comment: administrator
+        # ssh_key_passphrase: "{{ item.password }}"
+        state: present
+      loop: "{{ create_users[1:] }}"
+      tags:
+        - other_users
+      register: created_user
+- name: Specify authorized SSH keys for users based on local public keys
+  when: not files_mode and ansible_facts["user_id"] == "root"
+  block:
+    - name: Acquire list of SSH public keys for sys-admin user
+      ansible.builtin.find:
+        paths: "{{ lookup('env', 'HOME') }}/.ssh"
+        patterns:
+          - '{{ ssh_pubkey_filename_pattern }}'
+        use_regex: yes
+        recurse: no
+      tags:
+        - default
+        - administrative_user
+        - admin_ssh
+      register: ssh_public_keys
+    - name: Register SSH public keys as sys-admin user's authorized keys
+      ansible.builtin.lineinfile:
+        path: "{{ created_admin.home }}/.ssh/authorized_keys"
+        line: "{{ lookup('ansible.builtin.file', item) }}"
+        owner: "{{ created_admin.name }}"
+        group: "{{ created_admin.name }}"
+        mode: "0600"
+        create: yes
+        insertafter: ~
+        state: present
+      tags:
+        - default
+        - administrative_user
+        - admin_ssh
+      loop: "{{ ssh_public_keys.files }}"
+    - name: Register SSH puplic keys as other users' authorized keys
+      ansible.builtin.copy:
+        src: "ssh/{{ item.name }}/authorized_keys"
+        dest: "{{ item.home }}/.ssh/authorized_keys"
+        force: yes
+        backup: yes
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: "0600"
+      tags:
+        - other_users
+        - others_ssh
+      loop: "{{ created_user }}"
+      register: authorized_ssh_pubkeys
+- name: Specify authorized SSH keys for users
+  when: files_mode and ansible_facts["user_id"] == "root"
+  block:
+    - name: Specify authorized keys file for sys-admin user
+      ansible.builtin.copy:
+        src: ssh/authorized_keys
+        dest: "{{ created_admin.home }}/.ssh/authorized_keys"
+        force: yes
+        backup: yes
+        owner: "{{ created_admin.name }}"
+        group: "{{ created_admin.name }}"
+        mode: "0600"
+      tags:
+        - default
+        - administrative_user
+        - admin_ssh
+      register: authorized_admin_ssh_pubkeys
+    - name: Specify authorized keys file for other users
+      ansible.builtin.copy:
+        src: "ssh/{{ item.name }}/authorized_keys"
+        dest: "{{ item.home }}/.ssh/authorized_keys"
+        force: yes
+        backup: yes
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: "0600"
+      tags:
+        - other_users
+        - others_ssh
+      loop: "{{ created_user }}"
+      register: authorized_ssh_pubkeys
+- name: Lock down root SSH access
+  when: ansible_facts["user_id"] == "root"
+  block:
+    - name: Constrain SSH authentication methods to using SSH key
+      ansible.builtin.copy:
+        src: sshd_config.d/auth.conf
+        dest: /etc/ssh/sshd_config.d/auth.conf
+        force: yes
+        backup: yes
+        mode: "0644"
+      tags:
+        - depass_root
+      register: constrained_auth
+    - name: Prohibit access to root via SSH
+      ansible.builtin.copy:
+        src: sshd_config.d/denyroot.conf
+        dest: /etc/ssh/sshd_config.d/denyroot.conf
+        force: yes
+        backup: yes
+        mode: "0644"
+      tags:
+        - prohib_root_ssh
+      register: prohibited_root_ssh_login
+    - name: Lock the root account
+      when: include_root_lock
+      ansible.builtin.user:
+        name: root
+        password_lock: yes
+      tags:
+        - delog_root
+      register: prohibited_root_login
+  tags:
+    - default
+    - deroot
+  notify: "restart ssh"
+- name: Import disabling of shell root by sys-admin user
+  ansible.builtin.import_tasks:
+    file: ./deshell.yml