| -rw-r--r-- | base.yml | 5 | ||||
| -rw-r--r-- | group_vars/all.yml | 23 | ||||
| -rw-r--r-- | group_vars/alpine.yml | 8 | ||||
| -rw-r--r-- | group_vars/debian.yml | 9 | ||||
| -rw-r--r-- | inventory/hosts | 10 | ||||
| -rw-r--r-- | main.yml | 13 | ||||
| -rw-r--r-- | roles/alpine/tasks/caddy.yml | 27 | ||||
| -rw-r--r-- | roles/alpine/tasks/chrony.yml | 3 | ||||
| -rw-r--r-- | roles/alpine/tasks/main.yml | 11 | ||||
| -rw-r--r-- | roles/alpine/tasks/packages.yml | 31 | ||||
| -rw-r--r-- | roles/alpine/tasks/zsh.yml | 18 | ||||
| -rw-r--r-- | roles/common/files/Caddyfile (renamed from roles/alpine/files/Caddyfile) | 2 | ||||
| -rw-r--r-- | roles/common/files/freyanet.crt (renamed from roles/alpine/files/freyanet.crt) | 0 | ||||
| -rw-r--r-- | roles/common/files/sshd_config (renamed from roles/alpine/files/sshd_config) | 0 | ||||
| -rw-r--r-- | roles/common/files/tmux/tmux-window.sh (renamed from roles/alpine/files/tmux-window.sh) | 0 | ||||
| -rw-r--r-- | roles/common/files/tmux/tmux.conf (renamed from roles/alpine/files/tmux.conf) | 0 | ||||
| -rw-r--r-- | roles/common/files/zshrc (renamed from roles/alpine/files/zshrc) | 0 | ||||
| -rw-r--r-- | roles/common/handlers/main.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/caddy.yml | 49 | ||||
| -rw-r--r-- | roles/common/tasks/certs.yml (renamed from roles/alpine/tasks/certs.yml) | 6 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 11 | ||||
| -rw-r--r-- | roles/common/tasks/packages.yml | 12 | ||||
| -rw-r--r-- | roles/common/tasks/ssh.yml (renamed from roles/alpine/tasks/ssh.yml) | 14 | ||||
| -rw-r--r-- | roles/common/tasks/tmux.yml (renamed from roles/alpine/tasks/tmux.yml) | 9 | ||||
| -rw-r--r-- | roles/common/tasks/zsh.yml | 40 | ||||
| -rw-r--r-- | roles/common/templates/authorized_keys.j2 (renamed from roles/alpine/templates/authorized_keys.j2) | 0 | ||||
| -rw-r--r-- | roles/debian/tasks/main.yml | 1 | ||||
| -rw-r--r-- | roles/debian/tasks/sources.yml | 10 | ||||
| -rw-r--r-- | roles/debian/templates/debian.sources.j2 | 20 | ||||
| -rw-r--r-- | update.yml | 2 |
30 files changed, 225 insertions, 111 deletions
diff --git a/base.yml b/base.yml
deleted file mode 100644
index 9689f4a..0000000
--- a/base.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Configure Alpine VMs
- hosts: alpine
- become: true
- roles:
- - alpine
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 28c4706..a729989 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,3 +1,26 @@ ssh_authorized_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTZhIaet4Sxb9n7W/LJezqb5XmgAXWzjS907rUdeukq freya@freyacat.org" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzMST2uiVueyaMfF/BdnOCwdkmHa0lSjh2U6hByUHlj backup"
+
+# list of common package names
+# that are the same across distros
+base_packages:
+ - bash
+ - coreutils
+ - curl
+ - dosfstools
+ - e2fsprogs
+ - git
+ - htop
+ - jq
+ - neovim
+ - openssl
+ - p7zip
+ - python3
+ - ripgrep
+ - rsync
+ - sed
+ - tar
+ - util-linux
+ - xauth
+ - zstd
diff --git a/group_vars/alpine.yml b/group_vars/alpine.yml
index d44a2d2..812e2ac 100644
--- a/group_vars/alpine.yml
+++ b/group_vars/alpine.yml
@@ -1 +1,9 @@ alpine_version: "v3.23"
+
+openssh_pkg: "openssh"
+openssh_service: "sshd"
+
+man_pkg: "man-db"
+man_pages_pkg: "man-pages"
+bind_pkg: "bind-tools"
+passwd_pkg: "shadow"
diff --git a/group_vars/debian.yml b/group_vars/debian.yml
new file mode 100644
index 0000000..9b7201e
--- /dev/null
+++ b/group_vars/debian.yml
@@ -0,0 +1,9 @@
+debian_version: "trixie"
+
+openssh_pkg: "openssh-server"
+openssh_service: "ssh"
+
+man_pkg: "man-db"
+man_pages_pkg: "manpages"
+bind_pkg: "bind9-dnsutils"
+passwd_pkg: "passwd"
diff --git a/inventory/hosts b/inventory/hosts
index 26431e3..477b1bd 100644
--- a/inventory/hosts
+++ b/inventory/hosts
@@ -13,7 +13,15 @@ xmpp.in.freya.cat vpn.in.freya.cat cron.in.freya.cat -[alpine:vars] +[debian] +jenkins.in.freya.cat + +[all:vars] ansible_user=root ansible_become=false + +[alpine:vars] ansible_python_interpreter=/usr/bin/python + +[debian:vars] +ansible_python_interpreter=/usr/bin/python3
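Review bot: Moving `ansible_become=false` into `[all:vars]` now applies it to the new Debian host as well, and — if I read Ansible's precedence rules correctly — a connection variable set in inventory overrides the `become: true` play keyword that main.yml sets for both plays, so escalation is effectively disabled everywhere and the keyword is misleading. Today that is masked by `ansible_user=root`, but the two settings contradict each other and should live in one place: either drop `become: true` from the plays or drop `ansible_become=false` here. A short comment next to the vars, `# management is done as root over SSH; no escalation needed`, would make the intent explicit for the next reader.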
diff --git a/main.yml b/main.yml
new file mode 100644
index 0000000..8b0949b
--- /dev/null
+++ b/main.yml
@@ -0,0 +1,13 @@
+- name: Configure Alpine VMs
+ hosts: alpine
+ become: true
+ roles:
+ - alpine
+ - common
+
+- name: Configure Debian VMs
+ hosts: debian
+ become: true
+ roles:
+ - debian
+ - common
diff --git a/roles/alpine/tasks/caddy.yml b/roles/alpine/tasks/caddy.yml
deleted file mode 100644
index b76caee..0000000
--- a/roles/alpine/tasks/caddy.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: Install caddy
- apk:
- name:
- - caddy
- state: present
-
-- name: Configure caddy
- copy:
- src: Caddyfile
- dest: /etc/caddy/Caddyfile
- owner: root
- group: root
- mode: '0664'
-
-- name: Ensure Caddy log file exists
- file:
- path: /var/log/caddy
- state: touch
- owner: caddy
- group: caddy
- mode: '0664'
-
-- name: Enable caddy service
- service:
- name: caddy
- enabled: true
- state: started
diff --git a/roles/alpine/tasks/chrony.yml b/roles/alpine/tasks/chrony.yml
index be76de5..79c7b1d 100644
--- a/roles/alpine/tasks/chrony.yml
+++ b/roles/alpine/tasks/chrony.yml
@@ -1,7 +1,6 @@ - name: Install chrony apk: - name: - - chrony + name: chrony state: present - name: Enable chronyd service
diff --git a/roles/alpine/tasks/main.yml b/roles/alpine/tasks/main.yml
index ab96669..26dba82 100644
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@@ -1,13 +1,2 @@ -# baseline - import_tasks: repos.yml -- import_tasks: packages.yml -- import_tasks: certs.yml - -# programs -- import_tasks: zsh.yml -- import_tasks: tmux.yml - -# services -- import_tasks: caddy.yml - import_tasks: chrony.yml -- import_tasks: ssh.yml
diff --git a/roles/alpine/tasks/packages.yml b/roles/alpine/tasks/packages.yml
deleted file mode 100644
index 8dedc53..0000000
--- a/roles/alpine/tasks/packages.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: Install base packages
- apk:
- name:
- - alpine-base
- - bash
- - bind-tools
- - busybox-mdev-openrc
- - cfdisk
- - coreutils
- - curl
- - dosfstools
- - e2fsprogs
- - git
- - htop
- - jq
- - linux-firmware-none
- - linux-virt
- - lsblk
- - man-db
- - man-pages
- - neovim
- - openssl
- - p7zip
- - python3
- - ripgrep
- - rsync
- - sed
- - shadow
- - syslinux
- - xauth
- state: present
diff --git a/roles/alpine/tasks/zsh.yml b/roles/alpine/tasks/zsh.yml
deleted file mode 100644
index 27f45d2..0000000
--- a/roles/alpine/tasks/zsh.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-- name: Install zsh
- apk:
- name:
- - zsh
- state: present
-
-- name: Configure zsh
- copy:
- src: zshrc
- dest: /etc/zsh/zshrc.d/freya.zsh
- owner: root
- group: root
- mode: '0664'
-
-- name: Ensure root user shell is zsh
- user:
- name: root
- shell: /bin/zsh
diff --git a/roles/alpine/files/Caddyfile b/roles/common/files/Caddyfile
index 8d4e967..9850012 100644
--- a/roles/alpine/files/Caddyfile
+++ b/roles/common/files/Caddyfile
@@ -8,7 +8,7 @@ (logs) { log { - output file /var/log/caddy { + output file /var/log/caddy.log { roll_size 10mb roll_keep 7 roll_keep_for 720h
diff --git a/roles/alpine/files/freyanet.crt b/roles/common/files/freyanet.crt
index 36309d8..36309d8 100644
--- a/roles/alpine/files/freyanet.crt
+++ b/roles/common/files/freyanet.crt
diff --git a/roles/alpine/files/sshd_config b/roles/common/files/sshd_config
index f2ec50e..f2ec50e 100644
--- a/roles/alpine/files/sshd_config
+++ b/roles/common/files/sshd_config
diff --git a/roles/alpine/files/tmux-window.sh b/roles/common/files/tmux/tmux-window.sh
index 1cdacf0..1cdacf0 100644
--- a/roles/alpine/files/tmux-window.sh
+++ b/roles/common/files/tmux/tmux-window.sh
diff --git a/roles/alpine/files/tmux.conf b/roles/common/files/tmux/tmux.conf
index f468d55..f468d55 100644
--- a/roles/alpine/files/tmux.conf
+++ b/roles/common/files/tmux/tmux.conf
diff --git a/roles/alpine/files/zshrc b/roles/common/files/zshrc
index fc01188..fc01188 100644
--- a/roles/alpine/files/zshrc
+++ b/roles/common/files/zshrc
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..91826d6
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Update CA Certificates
+ command: update-ca-certificates
diff --git a/roles/common/tasks/caddy.yml b/roles/common/tasks/caddy.yml
new file mode 100644
index 0000000..3d2541e
--- /dev/null
+++ b/roles/common/tasks/caddy.yml
@@ -0,0 +1,49 @@
+- name: Install caddy
+ package:
+ name: caddy
+ state: present
+
+- name: Ensure caddy group exists
+ group:
+ name: caddy
+ system: yes
+ state: present
+
+- name: Ensure caddy user exists
+ user:
+ name: caddy
+ group: caddy
+ system: yes
+ create_home: no
+ shell: /usr/sbin/nologin
+ state: present
+
+- name: Create caddy configuration directory
+ file:
+ path: /etc/caddy
+ state: directory
+ owner: caddy
+ group: caddy
+ mode: '0755'
+
+- name: Configure caddy
+ copy:
+ src: Caddyfile
+ dest: /etc/caddy/Caddyfile
+ owner: caddy
+ group: caddy
+ mode: '0664'
+
+- name: Ensure Caddy log file exists
+ file:
+ path: /var/log/caddy.log
+ state: touch
+ owner: caddy
+ group: caddy
+ mode: '0664'
+
+- name: Enable caddy service
+ service:
+ name: caddy
+ enabled: true
+ state: started
diff --git a/roles/alpine/tasks/certs.yml b/roles/common/tasks/certs.yml
index 4d18cbe..cce2e73 100644
--- a/roles/alpine/tasks/certs.yml
+++ b/roles/common/tasks/certs.yml
@@ -1,5 +1,5 @@ - name: Install ca-certificates - apk: + package: name: ca-certificates state: present
@@ -10,6 +10,4 @@ owner: root group: root mode: '0664' - -- name: Update CA certs - command: update-ca-certificates + notify: Update CA Certificates
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..74088a6
--- /dev/null
+++ b/roles/common/tasks/main.yml
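Review bot: The Caddyfile and `/etc/caddy` are installed owned by `caddy`, with the file group-writable (`mode: '0664'`), so the account the service runs as can rewrite its own configuration — the deleted Alpine task kept the file `root:root`; `owner: root`, `group: caddy`, `mode: '0640'` on the Caddyfile, and root ownership of the directory, keeps the service on the read-only side of that boundary. The `Ensure Caddy log file exists` task uses `state: touch`, which updates the mtime and reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` makes it idempotent. `system: yes` and `create_home: no` are YAML 1.1 truthy spellings and should be written `true`/`false`. `shell: /usr/sbin/nologin` presumably does not exist on the Alpine hosts this common role now also targets (Alpine ships `/sbin/nologin`) — confirm on a host before relying on it.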
@@ -0,0 +1,11 @@
+# baseline
+- import_tasks: packages.yml
+- import_tasks: certs.yml
+
+# programs
+- import_tasks: zsh.yml
+- import_tasks: tmux.yml
+
+# services
+- import_tasks: caddy.yml
+- import_tasks: ssh.yml
diff --git a/roles/common/tasks/packages.yml b/roles/common/tasks/packages.yml
new file mode 100644
index 0000000..60fd285
--- /dev/null
+++ b/roles/common/tasks/packages.yml
@@ -0,0 +1,12 @@
+- name: Install base packages
+ package:
+ name: "{{ base_packages }}"
+ state: present
+
+- name: Install keys packages
+ package:
+ name:
+ - "{{ man_pkg }}"
+ - "{{ man_pages_pkg }}"
+ - "{{ bind_pkg }}"
+ - "{{ passwd_pkg }}"
diff --git a/roles/alpine/tasks/ssh.yml b/roles/common/tasks/ssh.yml
index c92405e..36498fb 100644
--- a/roles/alpine/tasks/ssh.yml
+++ b/roles/common/tasks/ssh.yml
@@ -1,17 +1,21 @@ - name: Install openssh - apk: - name: - - openssh + package: + name: "{{ openssh_pkg }}" state: present - name: Configure sshd copy: src: sshd_config - dest: /etc/ssh/sshd_config + dest: /etc/ssh/sshd_config.d/10-freya.conf owner: root group: root mode: '0664' +- name: Remove old sshd config + file: + path: /etc/shh/sshd_config.d/freya.yml + state: absent + - name: Configure sshd authorized keys template: src: authorized_keys.j2
@@ -22,6 +26,6 @@ - name: Enable sshd service service: - name: sshd + name: "{{ openssh_service }}" enabled: true state: started
diff --git a/roles/alpine/tasks/tmux.yml b/roles/common/tasks/tmux.yml
index bc5626f..7f8a653 100644
--- a/roles/alpine/tasks/tmux.yml
+++ b/roles/common/tasks/tmux.yml
@@ -1,12 +1,11 @@ - name: Install tmux - apk: - name: - - tmux + package: + name: tmux state: present - name: Configure tmux copy: - src: tmux.conf + src: tmux/tmux.conf dest: /etc/tmux.conf owner: root group: root
@@ -14,7 +13,7 @@ - name: Configure tmux window script copy: - src: tmux-window.sh + src: tmux/tmux-window.sh dest: /usr/local/bin/tmux-window.sh owner: root group: root
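Review bot: The second task in packages.yml is named `Install keys packages`, which does not describe what it installs (the man, bind and passwd packages chosen per distro in group_vars), and unlike the first task it omits `state: present`. Renaming it `- name: Install distro-specific packages` and adding an explicit `state: present` keeps the two tasks consistent and makes the intent obvious to someone reading the play output.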
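Review bot: The new `Remove old sshd config` task targets `/etc/shh/sshd_config.d/freya.yml` — `shh` and `.yml` — a path that never existed, so the task is a silent no-op; the only previous destination visible in this hunk is `/etc/ssh/sshd_config`, and that is what the cleanup has to reason about. On hosts provisioned by the old task, `/etc/ssh/sshd_config` is the repo's copy and is now unmanaged, and the new drop-in `10-freya.conf` is only honoured if that file carries `Include /etc/ssh/sshd_config.d/*.conf` ahead of any conflicting directive (sshd uses first-match), which the diff does not let me confirm. Neither hunk notifies a handler, so an edited sshd_config is not applied until sshd happens to be restarted; `notify: Restart sshd` on the copy task, with a handler doing `service: name: "{{ openssh_service }}" state: restarted`, closes that gap (the `@@ -22,6 +26,6 @@` hunk only switches the service name). The `Configure sshd authorized keys` task at the end of the first hunk continues outside the shown lines.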
diff --git a/roles/common/tasks/zsh.yml b/roles/common/tasks/zsh.yml
new file mode 100644
index 0000000..aabcfac
--- /dev/null
+++ b/roles/common/tasks/zsh.yml
@@ -0,0 +1,40 @@
+- name: Install zsh
+ package:
+ name: zsh
+ state: present
+
+- name: Ensure zshrc.d directory exists
+ file:
+ path: /etc/zsh/zshrc.d
+ state: directory
+ mode: '0755'
+
+- name: Enable zshrc.d loading
+ blockinfile:
+ path: /etc/zsh/zshrc
+ block: |
+ # Load modular zsh config
+ if [ -d /etc/zsh/zshrc.d ]; then
+ for file in /etc/zsh/zshrc.d/*.zsh; do
+ [ -r "$file" ] && source "$file"
+ done
+ fi
+ when: ansible_distribution == "Debian"
+
+- name: Configure zsh
+ copy:
+ src: zshrc
+ dest: /etc/zsh/zshrc.d/10-freya.zsh
+ owner: root
+ group: root
+ mode: '0664'
+
+- name: Remove old zsh config
+ file:
+ path: /etc/zsh/zshrc.d/freya.yml
+ state: absent
+
+- name: Ensure root user shell is zsh
+ user:
+ name: root
+ shell: /bin/zsh
diff --git a/roles/alpine/templates/authorized_keys.j2 b/roles/common/templates/authorized_keys.j2
index d9f6386..d9f6386 100644
--- a/roles/alpine/templates/authorized_keys.j2
+++ b/roles/common/templates/authorized_keys.j2
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
new file mode 100644
index 0000000..f65d49f
--- /dev/null
+++ b/roles/debian/tasks/main.yml
@@ -0,0 +1 @@
+- import_tasks: sources.yml
diff --git a/roles/debian/tasks/sources.yml b/roles/debian/tasks/sources.yml
new file mode 100644
index 0000000..f3bb287
--- /dev/null
+++ b/roles/debian/tasks/sources.yml
@@ -0,0 +1,10 @@
+- name: Configure APT repositories
+ template:
+ src: debian.sources.j2
+ dest: /etc/apt/sources.list.d/debian.sources
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Update APT cache
+ command: apt update
diff --git a/roles/debian/templates/debian.sources.j2 b/roles/debian/templates/debian.sources.j2
new file mode 100644
index 0000000..097c32b
--- /dev/null
+++ b/roles/debian/templates/debian.sources.j2
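Review bot: `Remove old zsh config` deletes `/etc/zsh/zshrc.d/freya.yml`, but the Alpine task this replaces wrote `/etc/zsh/zshrc.d/freya.zsh`, so the stale file survives and both it and the new `10-freya.zsh` are sourced by the `*.zsh` glob; the path should be `/etc/zsh/zshrc.d/freya.zsh`. `/etc/zsh/zshrc.d` is created with `mode: '0755'` but no `owner`/`group`, leaving ownership to the connecting account — for a directory whose contents are sourced into every root shell, `owner: root` and `group: root` should be explicit. The `blockinfile` task is gated on `ansible_distribution == "Debian"`, presumably because Alpine's packaged `/etc/zsh/zshrc` already loads `zshrc.d`, which the diff cannot show; a comment such as `# Alpine's packaged zshrc already sources zshrc.d; Debian's does not` would save the next reader the lookup.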
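Review bot: `command: apt update` in sources.yml runs on every play regardless of whether the sources file changed and always reports changed, so the role is never idempotent and a failed refresh is easy to miss in the noise. Moving the refresh to a handler with the `apt` module — `notify: Update APT cache` on the template task and a handler running `apt: update_cache: true` — refreshes only when the template actually changed and lets Ansible report a failure as a failure. If an unconditional refresh is intended, `changed_when: false` on the command at least keeps the run summary honest.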
@@ -0,0 +1,20 @@
+# Modernized from /etc/apt/sources.list
+Types: deb deb-src
+URIs: http://deb.debian.org/debian/
+Suites: {{ debian_version }}
+Components: main non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# Modernized from /etc/apt/sources.list
+Types: deb deb-src
+URIs: http://security.debian.org/debian-security/
+Suites: {{ debian_version }}-security
+Components: main non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# Modernized from /etc/apt/sources.list
+Types: deb deb-src
+URIs: http://deb.debian.org/debian/
+Suites: {{ debian_version }}-updates
+Components: main non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
@@ -1,4 +1,4 @@ -- name: Update Alpine VMs +- name: Update VMs hosts: all become: true roles: |
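Review bot: All three stanzas fetch over `http://`; `Signed-By` protects the integrity of indexes and packages, but the plaintext transport still reveals which packages each host pulls and leaves replay of stale indexes to apt's metadata validity checks alone, and both `deb.debian.org` and `security.debian.org` serve `https://`, so the `URIs:` lines can switch at no cost. One caveat, since the debian role runs before common in main.yml: confirm the base image already ships `ca-certificates` before the common role installs it, or the first `apt update` over https fails. `deb-src` is enabled on every stanza, which doubles index downloads on hosts that never build from source; drop it unless it is needed. The `# Modernized from /etc/apt/sources.list` comment repeated on each stanza says nothing about that stanza; one comment per block naming what it provides (`# main release`, `# security updates`, `# stable updates`) reads better.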