refactor: split ansible book into roles

roles/common/tasks/main.yaml

@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/tasks.json
+
+- name: Create a user group named docker
+  loop: "{{ extra_groups }}"
+  ansible.builtin.group:
+    name: "{{ item }}"
+
+- name: Setup users
+  loop: "{{ users }}"
+  ansible.builtin.user:
+    state: present
+    name: "{{ item.name }}"
+    system: "{{ item.system }}"
+    shell: "{{ item.shell }}"
+    create_home: true
+    password: "{{ (item.password != '!' or item.password != '*') | ternary(item.password | password_hash('sha512'), item.password) }}"
+    groups: "{{ item.groups + extra_groups }}"
+
+- name: Add SSH public key to users
+  loop: "{{ users }}"
+  ansible.posix.authorized_key:
+    user: "{{ item.name }}"
+    state: present
+    exclusive: true
+    key: "{{ item.ssh_keys.pub }}"
+    key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.name == 'robo' else omit }}"
+
+- name: Disable password authentication for SSH
+  become: true
+  notify: Restart sshd
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+    state: present
+
+- name: Allow authentication via ssh keys
+  become: true
+  notify: Restart sshd
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PubkeyAuthentication'
+    line: 'PubkeyAuthentication yes'
+    state: present