---
- hosts: "{{ target | default('all') }}" # target inventory group, default all
  gather_facts: yes
  vars:
#    auto_update: "true"  # would configure dnf-automatic
#    hardened_ssh_port: "1181" # tcp is assumed in selinux/firewalld allowance
    URL_PUBKEYS: "https://github.com/joshlay.keys" # https://github.com/user.keys
  roles:
    - {role: btrfs}  # sets up scrubbing
    - {role: bootstrap}
    - {role: tuned}
    - {role: install-packages}
    - {role: update-packages} # depends on 'is_atomic' in bootstrap
    - {role: fedora-upgrade} # consider renaming to dist-upgrade / supporting more than fedora
    - {role: create-user}  # this should always follow packages; they often provide groups the user may want to join
    - {role: hardening}
    - {role: docker}