Added new ansible home directory, moving roles into its 'roles' subdirectory

.ansible/roles/bootstrap/tasks/auth@ssh.yml

@@ -0,0 +1,19 @@
+---
+- name: Add authorized keys for SSH access to accounts
+  ansible.posix.authorized_keys:
+    user: "{{ item[0] }}"
+    key: "{{ item[1] }}"
+    state: present
+    validate_certs: no
+  loop: "{{ pubkeys }}"
+  register: pubkeys_assigned
+  tags: ['default', 'assign_pubkeys']
+- name: Disable SSH password authentication
+  copy:
+    src: sshd/nopass.conf
+    dest: /etc/ssh/sshd_config.d/nopass.conf
+    owner: "{{ primary_root_acct }}"
+    group: "{{ primary_root_acct }}"
+    force: yes
+  register: ssh_passauth_disabled
+  tags: ['default', 'disable_ssh_passauth']

.ansible/roles/bootstrap/tasks/config@corepkgs.yml

@@ -0,0 +1,19 @@
+---
+- name: Configure gnupg and gocryptfs
+  import_tasks:
+    file: configure_core/gpg.yml
+- name: Configure git
+  import_tasks:
+    file: configure_core/git.yml
+- name: Configure fail2ban
+  import_tasks:
+    file: configure_core/fail2ban.yml
+- name: Configure ClamAV
+  import_tasks:
+    file: configure_core/clamav.yml
+- name: Configure crowdsec
+  import_tasks:
+    file: configure_core/crowdsec.yml
+# - name: Configure certbot and its plugins
+#   import_tasks:
+#     file: configure_core/certbot.yml

.ansible/roles/bootstrap/tasks/configure_core/certbot.yml

@@ -0,0 +1,42 @@
+---
+- name: Create a settings file for Porkbun DNS API
+  become: yes
+  become_method: sudo
+  template:
+    src: certbot/porkbun.ini.j2
+    dest: "{{ web_root }}/porkbun.ini"
+    force: yes
+    backup: yes
+  register: porkbun_api_created
+- name: Initiate DNS Acme challenge using Porkbun API plugin
+  become: yes
+  become_method: sudo
+  command:
+    argv:
+      - certbot
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --email=ajt95@prole.biz
+      - --preferred-challenges=dns
+      - --authenticator=dns-porkbun
+      - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
+      - --dns-porkbun-propagation-seconds=60
+      - -d="sukaato.moe"
+  when: porkbun_api_created.rc == 0
+- name: Initiate DNS Acme challenge using Porkbun API plugin
+  become: yes
+  become_method: sudo
+  command:
+    argv:
+      - certbot
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --email=ajt95@prole.biz
+      - --preferred-challenges=dns
+      - --authenticator=dns-porkbun
+      - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
+      - --dns-porkbun-propagation-seconds=60
+      - -d="*.sukaato.moe"
+  when: porkbun_api_created.rc == 0

.ansible/roles/bootstrap/tasks/configure_core/clamav.yml

@@ -0,0 +1,94 @@
+---
+#@TODO write handlers for configuring clamav
+#@NOTE https://wiki.archlinux.org/title/ClamAV
+- name: Create freshclam file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/freshclam.conf
+    dest: /etc/clamav/freshclam.conf
+    force: yes
+    backup: yes
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamd.conf
+    dest: /etc/clamav/clamd.conf
+    force: yes
+    backup: yes
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamav-milter.conf
+    dest: /etc/clamav/clamav-milter.conf
+    force: yes
+    backup: yes
+- name: Update clamav virus definitions
+  become: yes
+  become_method: sudo
+  command: freshclam
+- name: Start and enable clamav service
+  service:
+    name: clamav-daemon
+    state: started
+    enabled: yes
+- name: Start and enable clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: started
+    enabled: yes
+- name: Restart clamav service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-daemon
+    state: restarted
+- name: Restart clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: restarted
+- name: Create freshclam log file
+  become: yes
+  become_method: sudo
+  file:
+    path: /var/log/clamav/freshclam.log
+    state: touch
+    mode: 600
+    owner: clamav
+- name: Start and enable freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: started
+    enabled: yes
+- name: Restart freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: restarted
+- name: Install Fangfrisch
+  become: yes
+  become_method: sudo
+  package:
+    name: fangfrisch
+    state: present
+- name: Create database structure for fangfrisch
+  become_user: clamav
+  become_method: sudo
+  command:
+    argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
+- name: Start and enable fangfrisch virus definition updates
+  become: yes
+  become_method: sudo
+  service:
+    name: fangfrisch.timer
+    state: started
+    enabled: yes

.ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml

@@ -0,0 +1,53 @@
+---
+#@TODO write handlers for configuring crowdsec
+- name: Enroll your crowdsec installation
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, console, enroll -e, context, "{{ enrollment_key }}"]
+  register: crowdsec_enrolled
+- name: Install caddy crowdsec collection 
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/caddy]
+- name: Install proftpd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/proftpd]
+- name: Install sshd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/sshd]
+- name: Install postgresql crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/pgsql]
+- name: Install denial-of-service HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/http-dos]
+- name: Install HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/base-http-scenarios]
+- name: Install Postfix crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/postfix]
+- name: Update crowdsec objects
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, hub, update]
+- name: Upgrade crowdsec objects
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, hub, upgrade]

.ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml

@@ -0,0 +1,76 @@
+---
+- name: Check if path to fail2ban configuration files exists
+  stat:
+    path: /etc/fail2ban/jail.d
+  register: fail2path
+- name: Check if path to systemd fail2ban service configuration files exists
+  stat:
+    path: /etc/systemd/system/fail2ban.service.d
+  register: fail2serve_path
+- name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
+  file:
+    path: /etc/fail2ban/jail.d
+    state: directory
+  register: fail2bandir_created
+  when: not fail2path.stat.exists
+- name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
+  file:
+    path: /etc/systemd/system/fail2ban.service.d
+    state: directory
+  register: fail2servdir_created
+  when: not fail2serve_path.stat.exists
+- name: Copy protftpd jail file
+  become: yes
+  become_method: sudo
+  copy:
+    src: ftp.local
+    dest: /etc/fail2ban/jail.d/ftp.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy sshd jail file
+  become: yes
+  become_method: sudo
+  copy:
+    src: sshd.local
+    dest: /etc/fail2ban/jail.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy fail2ban modified service configuration
+  become: yes
+  become_method: sudo
+  copy:
+    src: override.conf
+    dest: /etc/systemd/system/fail2ban.service.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2serve_path.stat.exists
+- name: Reload fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: reloaded
+  register: fail2ban_reloaded
+- name: Start and enable fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes
+  register: fail2ban_running
+  when: fail2ban_reloaded
+- name: Restart fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: restarted
+  register: fail2ban_restarted
+  when: fail2ban_reloaded

.ansible/roles/bootstrap/tasks/configure_core/git.yml

@@ -0,0 +1,123 @@
+---
+- name: Set default branch name
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: init.defaultBranch
+    value: main
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitedit_set
+- name: Set default git text editor
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.editor
+    value: vim
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitedit_set
+- name: Create directory for some git files
+  file:
+    path: "{{ ansible_facts['user_dir'] }}/.config/git"
+    state: directory
+  register: gitdir_created
+- name: Create git commit message template file
+  copy:
+    src: git/gitmessage
+    dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
+    force: yes
+    backup: yes
+  register: gittemp_created
+- name: Set a commit template file for git
+  community.general.git_config:
+    name: commit.template
+    value: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gittemp_set
+- name: Set git key format to OpenPGP
+  community.general.git_config:
+    name: gpg.format
+    value: "openpgp"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitkeyformat_set
+  #@TODO: Add a gpg section to group_var or host_var vaults
+- name: Set a user signing key for git
+  community.general.git_config:
+    name: user.signingkey
+    value: "{{ gpg_sign_id }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitsignkey_registered
+- name: Set key signage to occur for commits by default in git
+  community.general.git_config:
+    name: commit.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Set key signage to occur for tagging by default in git
+  community.general.git_config:
+    name: tag.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Create a boilerplate gitignore file for git
+  copy:
+    src: git/gitignore.sample
+    dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
+    force: yes
+    backup: yes
+  register: gitgignore_created
+- name: Set boilerplate gitignore file in global scope
+  community.general.git_config:
+    name: core.excludesfile
+    value: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitgignore_set
+- name: Set autocorrect for git
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: help.autocorrect
+    value: 0
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitautocorr_set
+- name: Set git to replace CRLF endings when pulling
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.autocrlf
+    value: input
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitcrlf_set
+- name: Set git username
+  community.general.git_config:
+    name: user.name
+    value: "{{ official_name | default(ansible_facts['user_id'], true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gituser_set
+- name: Set git user email
+  community.general.git_config:
+    name: user.email
+    value: "{{ official_email | default('admin@' ~ domain_name, true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitemail_set

.ansible/roles/bootstrap/tasks/configure_core/gpg.yml

@@ -0,0 +1,89 @@
+---
+- name: Copy and import GPG keypairs to remote host
+  block:
+    - name: Create cipher directory for gocryptfs
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
+        state: directory
+    - name: Create a gocryptfs vault
+      command:
+        argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/.ciphers"]
+        stdin: "{{ gcfs_password }}"
+      register: gcfs_masterkey_created
+    - name: Create temporary file for password
+      tempfile:
+        prefix: gcfs_passfile
+        state: file
+      register: tempfile_created
+    - name: Put password in temporary file
+      lineinfile:
+        path: "{{ tempfile_created.path }}"
+        line: "{{ gcfs_password }}"
+        state: present
+      when: tempfile_created
+    - name: Create directory for storing gocryptfs decryption configuration files
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
+        state: directory
+    - name: Get gocryptfs decryption configuration file metadata
+      stat:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
+      when: gcfs_masterkey_created.rc == 0
+      register: gcfs_vault
+    - name: Copy gocryptfs decryption configuration to another directory
+      copy:
+        remote_src: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
+        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
+        force: yes
+        backup: yes
+      register: gocryptfs_conf_copied
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
+    - name: Remove gocryptfs decryption configuration from source directory
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
+        state: absent
+      register: gocryptfs_orig_conf_removed
+      when: gocryptfs_conf_copied
+    - name: Mount the gocryptfs vault
+      ansible.posix.mount:
+        src: "{{ ansible_facts['user_dir'] }}/.ciphers"
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
+        state: ephemeral
+        fstype: fuse./usr/bin/gocryptfs
+        opts: "nofail,passfile={{ tempfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
+      register: gcfs_mounted
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
+    - name: Create directory in decrypted gocryptfs vault
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg"
+        state: directory
+      when: gcfs_mounted
+    - name: Copy GPG keypair
+      copy:
+        src: "gpg/{{ ansible_facts['user_id'] }}/{{ item }}"
+        dest: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"
+        force: yes
+        backup: yes
+      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
+      register: gpgkeys_copied
+      when: gcfs_mounted
+    - name: Import GPG keypair
+      become: yes
+      become_method: sudo
+      command:
+        argv: [gpg, --import, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"]
+      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
+      register: gpgkeys_imported
+      when: gpgkeys_copied and gcfs_mounted
+    #@TODO create handler that sends copy of gcfs_masterkey_created somehow
+    - name: Unmount the gocryptfs vault
+      ansible.posix.mount:
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/plains"
+        state: unmounted
+      register: gcfs_unmounted
+      when: gpgkeys_copied and gcfs_mounted
+    # - name: Unmount the gocryptfs vault
+    #   command:
+    #     argv: [fusermount, -u, "{{ ansible_facts['user_dir'] }}/.mnt/plains"]
+    #   when: gpgkeys_copied and gcfs_mounted
+  register: gpg_keypair_copy

.ansible/roles/bootstrap/tasks/configure_core/proftpd.yml

@@ -0,0 +1,19 @@
+---
+- name: Configure ProFTPd
+  block:
+    - name: Apply proftpd configuration template
+      become: yes
+      become_method: sudo
+      template:
+        src: proftpd/proftpd.conf.j2
+        dest: /etc/proftpd/proftpd.conf
+        force: yes
+        backup: yes
+    - name: Apply proftpd virtualhost configuration template
+      become: yes
+      become_method: sudo
+      template:
+        src: proftpd/vhost.conf.j2
+        dest: /etc/proftpd/conf.d/hosts.conf
+        force: yes
+        backup: yes

.ansible/roles/bootstrap/tasks/core_installations.yml

@@ -0,0 +1,7 @@
+---
+- name: Install natively available core system packages
+  package:
+    name: "{{ item.package }}"
+    state: present
+  loop: "{{ combine(server_pkgs, virtualization_pkgs, pkgmanager_pkgs, cli_pkgs, coding_pkgs, media_pkgs) }}"
+  register: native_done

.ansible/roles/bootstrap/tasks/core_installations@Debian.yml

@@ -0,0 +1,44 @@
+---
+- name: Register new repositories
+  block:
+    - name: Grab keys for foreign package repositories
+      get_url:
+        url: "{{ item.key }}"
+        dest: "{{ item.key_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.key is defined and item.key_orig_is_url
+    - name: Add (i.e., render native) the foreign package repositories
+      get_url:
+        url: "{{ item.repo }}"
+        dest: "{{ item.repo_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.repo is defined and item.repo_orig_is_url
+    - name: Grab keys for foreign package repositories
+      copy:
+        src: "{{ item.key }}"
+        dest: "{{ item.key_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.key is defined and not item.key_orig_is_url
+    - name: Add (i.e., render native) the foreign package repositories
+      copy:
+        src: "{{ item.repo }}"
+        dest: "{{ item.repo_dest }}"
+        group: root
+        owner: root
+        force: true
+      when: item.repo is defined and not item.repo_orig_is_url
+  loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
+  register: repos_added
+  notify: update
+- name: Install newly available packages
+  package:
+    name: "{{ item.package }}{{ item.version }}"
+    state: latest
+  loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
+  register: foreign_pkgs_done

.ansible/roles/bootstrap/tasks/core_installations@podman.yml

@@ -0,0 +1,8 @@
+---
+- name: Pull necessary images for containers
+  containers.podman.podman_image:
+    name: "{{ item.uri }}"
+    tag: "{{ item.tag }}"
+    pull: yes
+    state: present
+  loop: "{{ core_cimages }}"

.ansible/roles/bootstrap/tasks/denyroot.yml

@@ -0,0 +1,34 @@
+---
+- name: Disable shell session root login
+  user:
+    name: "{{ item.username }}"
+    shell: /sbin/nologin
+  loop: "{{ roots }}"
+  register: root_deshelled
+  when: nonlogin_method == 'deshell'
+  tags: ['default', 'root_deshelling']
+- name: Lock the root account
+  user:
+    name: "{{ item.username }}"
+    password_lock: yes
+  loop: "{{ roots }}"
+  register: root_locked
+  when: nonlogin_method == 'lock' or nonlogin_method == 'all'
+  tags: ['default', 'root_locking']
+- name: Disable root account password
+  user:
+    name: "{{ item.username }}"
+    password: "*"
+  loop: "{{ roots }}"
+  register: root_closed
+  when: nonlogin_method == 'close'
+  tags: ['default', 'root_closing']
+- name: Disable root account password and shell login
+  user:
+    name: "{{ item.username }}"
+    password: "*"
+    shell: /sbin/nologin
+  loop: "{{ roots }}"
+  register: root_delogged
+  when: nonlogin_method == 'delog' or nonlogin_method == 'all'
+  tags: ['default', 'root_locking']

.ansible/roles/bootstrap/tasks/denyroot@ssh.yml

@@ -0,0 +1,10 @@
+---
+- name: Disable remote login for root
+  copy:
+    src: sshd/denyroot.conf
+    dest: /etc/ssh/sshd_config.d/denyroot.conf
+    owner: "{{ primary_root_acct }}"
+    group: "{{ primary_root_acct }}"
+    force: yes
+  register: sshroot_disabled
+  tags: ['default', 'deny_sshroot']

.ansible/roles/bootstrap/tasks/extra_installations.yml

@@ -0,0 +1,7 @@
+---
+- name: Install natively available core system packages
+  package:
+    name: "{{ item.package }}"
+    state: present
+  loop: "{{ my_pkgs }}"
+  register: extra_done

.ansible/roles/bootstrap/tasks/extra_installations@podman.yml

@@ -0,0 +1,8 @@
+---
+- name: Pull recommended images for containers
+  containers.podman.podman_image:
+    name: "{{ item.uri }}"
+    tag: "{{ item.tag }}"
+    pull: yes
+    state: present
+  loop: "{{ recc_cimages }}"

.ansible/roles/bootstrap/tasks/groups.yml

@@ -0,0 +1,9 @@
+---
+- name: Create system groups
+  group:
+    name: "{{ item.group_name }}"
+    system: yes
+    state: present
+  loop: "{{ sys_groups }}"
+  register: groups_created
+  tags: ['default']

.ansible/roles/bootstrap/tasks/main.yml

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for common

.ansible/roles/bootstrap/tasks/upgrade@Debian.yml

@@ -0,0 +1,7 @@
+---
+- name: Update repositories cache
+  apt:
+    update_cache: yes
+    upgrade: "{{ upgrade_type }}"
+  register: system_upgraded
+  tags: ['upgrade_pkgs']

.ansible/roles/bootstrap/tasks/users@Debian.yml

@@ -0,0 +1,45 @@
+---
+- name: Create administrative user
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    append: yes
+    groups:
+      - sudo
+    shell: /bin/bash
+    password: "{{ item.password }}"
+    password_expire_max: 186
+    password_expire_min: 93
+    password_expire_warn: 15
+    state: present
+  loop: "{{ admins }}"
+  register: admins_created
+  when: admins is defined
+  tags: ['default', 'add_admins']
+- name: Create guest user
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    shell: /bin/bash
+    state: present
+  loop: "{{ guests }}"
+  register: guests_created
+  when: guests is defined
+  tags: ['add_guests']
+- name: Create standard users
+  user:
+    name: "{{ item.username }}"
+    system: no
+    create_home: yes
+    shell: "/bin/bash"
+    password: "{{ item.password }}"
+    password_expire_max: 93
+    password_expire_min: 30
+    password_expire_warn: 7
+    state: present
+  loop: "{{ users }}"
+  register: users_created
+  when: users is defined
+  tags: ['default', 'add_users']