# System Setup Role

Performs initial system configuration including user creation, SSH hardening, and package installation.

## Features

- Creates admin user with SSH key authentication
- Hardens SSH configuration
- Installs essential packages
- Optional passwordless sudo
- Optional SSH host key regeneration
- System package updates (via system-maintenance role)

## Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `username` | `admin` | Username for the admin account |
| `password` | *required* | Password for the admin user |
| `shell` | `/bin/bash` | Default shell for the user |
| `passwordless_sudo` | `true` | Allow sudo without password |
| `ssh_pubkey_file` | *required* | Path to SSH public key file |
| `regenerate_ssh_host_keys` | `false` | Generate new SSH host keys |
| `extra_packages` | `[sudo, vim]` | Additional packages to install |

## Required Variables

You must provide these variables when using this role:

```yaml
password: "your_secure_password"
ssh_pubkey_file: "/path/to/your/public/key.pub"
```

## Usage

### Basic Setup

```yaml
- name: Initial system setup
  include_role:
    name: system-setup
  vars:
    password: "{{ admin_password }}"
    ssh_pubkey_file: "~/.ssh/id_rsa.pub"
```

### Custom Configuration

```yaml
- name: System setup with custom user
  include_role:
    name: system-setup
  vars:
    username: myuser
    password: "{{ user_password }}"
    shell: /bin/zsh
    ssh_pubkey_file: "keys/mykey.pub"
    passwordless_sudo: false
    regenerate_ssh_host_keys: true
    extra_packages:
      - sudo
      - vim
      - htop
      - git
```

## What It Does

1. **System Updates** - Calls system-maintenance role for package updates
2. **Package Installation** - Installs packages from `extra_packages` list
3. **User Creation** - Creates user with password and sudo access
4. **SSH Key Setup** - Configures authorized keys for the user
5. **SSH Hardening** - Applies secure SSH configuration
6. **Host Keys** - Optionally regenerates SSH host keys

## Requirements

- Root privileges
- SSH public key file accessible to Ansible
- system-maintenance role (dependency)

## Security Notes

- SSH configuration is hardened by default
- Password authentication can be disabled via SSH config
- User is added to sudo group
- SSH host key regeneration removes old keys completely
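
A pre-flight play for the two required variables, as an added example that is not part of the role itself: it loads the password from an Ansible Vault file, keeps it out of task output, and rejects a key file that is not an OpenSSH public key before the role runs. The vault file `vault/admin.yml`, the `setup_pubkey_*` variable names, the key path and the `hosts: all` target are assumptions.

```yaml
# Added example, not the role's own code. File and variable names other than
# the role's documented variables are assumptions.
- name: Initial system setup with pre-flight checks
  hosts: all
  become: true                     # the role requires root privileges
  vars_files:
    - vault/admin.yml              # assumed: ansible-vault encrypted, defines admin_password
  vars:
    setup_pubkey_file: "keys/mykey.pub"   # assumed path on the control node
    # Lookups run on the control node, so this reads the local key file.
    setup_pubkey_content: "{{ lookup('ansible.builtin.file', setup_pubkey_file) }}"
  tasks:
    - name: Fail early if the password is missing or empty
      ansible.builtin.assert:
        that:
          - admin_password is defined
          - admin_password | length > 0
        quiet: true
      no_log: true                 # keep the secret out of task output and logs

    - name: Refuse a private key or anything that is not an OpenSSH public key
      ansible.builtin.assert:
        that:
          - "'PRIVATE KEY' not in setup_pubkey_content"
          - "setup_pubkey_content is match('^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh[.]com|sk-ecdsa-sha2-nistp256@openssh[.]com) [A-Za-z0-9+/]+=*')"
        fail_msg: "{{ setup_pubkey_file }} does not look like an OpenSSH public key"

    - name: Run the role only after both checks pass
      ansible.builtin.include_role:
        name: system-setup
      vars:
        password: "{{ admin_password }}"
        ssh_pubkey_file: "{{ setup_pubkey_file }}"
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the encrypted variable can be decrypted at run time.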