Creted test playbook to setup LXC with my settings. Added secrets example and variables

apt_upgrade.yml

@@ -1,5 +1,5 @@
 - name: Upgrade packages
-  hosts: vms
+  hosts: ubuntu
   become: true
 
   tasks:

example_secrets.yml

@@ -0,0 +1,2 @@
+# Copy this into secrets.yml and replate with a real values
+ansible_password: 'REPLACE_WITH_ROOT_PASSWORD'

lxc_setup_ubuntu.yml

@@ -0,0 +1,58 @@
+---
+- name: Secure and Configure a New LXC Container
+  hosts: ansible # Hosts or group defined in your inventory
+  become: yes # Run all tasks as root (sudo)
+  tasks:
+    - name: 1. Create user '{{ target_user }}'
+      ansible.builtin.user:
+        name: {{ target_user }}
+        shell: /bin/bash
+        groups: sudo # Add to sudo (for Debian/Ubuntu)
+        state: present
+
+    - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
+        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+
+    - name: 2. Set up authorized_keys for '{{ target_user }}'
+      ansible.posix.authorized_key:
+        user: {{ target_user }}
+        key: "{{ item }}"
+        state: present
+        path: /home/{{ target_user }}/.ssh/authorized_keys
+        mode: '0600'
+      loop: "{{ my_public_keys }}"
+      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
+
+    - name: 3. Lock password for '{{ target_user }}'
+      ansible.builtin.user:
+        name: {{ target_user }}
+        password_lock: yes
+
+    - name: 4.1. Disallow root login over SSH
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+    - name: 4.2. Disallow password authentication
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+        validate: /usr/sbin/sshd -t -f %s
+      notify: restart sshd
+
+  handlers:
+    # This block will only run if at least one task sends a notification.
+    # This prevents unnecessary service restarts.
+    - name: 5. Restart sshd server
+      listen: "restart sshd"
+      ansible.builtin.service:
+        name: sshd
+        state: restarted

vars.yml

@@ -0,0 +1,6 @@
+target_user: 'mbuz'
+
+my_public_keys:
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSGj0dxaA38QSBVY3DZiPb+qmIuTFxGo0mt4sbmYDa3 mbuz@macbook-pro"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpvRkew+XpOAt7I/mizQbE/OJP1SO6NVl2/A1ZGzdU3 mbuz@windows-desktop"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWMJbHDCB8XCxPGth1229A3W/sPpvJHO9xBvegv4Sx mbuz@macbook-air"