ansible-pull/roles/bastion/tasks/package_hardening.yml

---
- name: system setup | package hardening | remove unnecessary packages (Debian family)
  tags: packages,hardening,system
  package:
    name:
      # Daemons not needed on a bastion host
      - apache2*
      - nginx*
      - lighttpd*
      - samba*
      - nfs-kernel-server
      - bind9
      - postfix
      - cups*
      - avahi-daemon
      # Common utilities not required for a minimal system
      - popularity-contest
      - whoopsie
      - command-not-found
      # Games and fun stuff
      - bsdgames
      - fortune-mod
    state: absent
    purge: true # Also removes configuration files
  notify: update aide database
  when: ansible_os_family == "Debian"

- name: system setup | package hardening | remove unnecessary packages (RedHat family)
  tags: packages,hardening,system
  package:
    name:
      - httpd*
      - nginx*
      - samba*
      - nfs-utils
      - named
      - postfix
      - cups*
      - avahi
    state: absent
  notify: update aide database
  when: ansible_os_family == "RedHat"