boma/playbooks/bootstrap.yml

---
# bootstrap.yml — first-run setup for a new host
# Handles hosts that may not yet have Python installed
# Run via: make deploy PLAYBOOK=bootstrap

- name: Bootstrap new host
  hosts: "{{ target | default('all') }}"
  become: true
  gather_facts: false

  tasks:
    - name: Ensure Python 3 is installed
      ansible.builtin.raw: |
        apt-get update -qq && apt-get install -y python3
      changed_when: false
      tags: [bootstrap]

    - name: Gather facts after Python install
      ansible.builtin.setup:
      tags: [bootstrap]

    - name: Ensure ansible user exists
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        create_home: true
        system: false
      tags: [bootstrap]

    - name: Add ansible user to sudoers
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD:ALL\n"
        mode: "0440"
        validate: visudo -cf %s
      tags: [bootstrap]