diff --git a/playbooks/deploy_exporters_vhosts.yml b/playbooks/deploy_exporters_vhosts.yml index dedd548..87f375e 100644 --- a/playbooks/deploy_exporters_vhosts.yml +++ b/playbooks/deploy_exporters_vhosts.yml @@ -30,7 +30,6 @@ exporters: endpoint: https://otel.svc.plus/api/default/ roles: - - roles/vhosts/common/ - roles/vhosts/node_exporter/ - roles/vhosts/process_exporter/ - roles/vhosts/otel-collector/ diff --git a/playbooks/roles/vhosts/common/defaults/main.yml b/playbooks/roles/vhosts/common/defaults/main.yml index 6cd8a8f..a4e5551 100644 --- a/playbooks/roles/vhosts/common/defaults/main.yml +++ b/playbooks/roles/vhosts/common/defaults/main.yml @@ -1,12 +1,11 @@ enable_set_timezone: true # 默认启用 Set timezone enable_set_hostname: true # 默认启用 Set hostname -enable_install_packages: false # 默认不安装额外的软件包 enable_all_hosts_update: false # 默认不更新所有主机的条目 rsyslog_log_rotation: # 可选的日志管理配置 enable: true # 启用 rsyslog 日志管理 rotate_count: 4 # 默认保留的日志文件数量 - rotate_frequency: weekly # 默认每周轮换, 可选:daily, hourly + rotate_frequency: daily # 默认每周轮换, 可选:daily, hourly max_log_size: 100M # 默认日志文件最大大小 journald_log_rotation: # 启用 journald 日志管理 @@ -17,6 +16,21 @@ journald_log_rotation: # 启用 journald 日志管理 system_max_use: 1G # 默认系统日志最大使用空间 runtime_max_use: 500M # 默认运行时日志最大使用空间 +enable_install_packages: false # 默认不安装额外的软件包 +# 包列表(可被 play/host/group 覆盖) +common_packages: + - vault + - auditd + - uidmap + - fuse-overlayfs +# 是否启用 Ubuntu 的 universe 组件(仅 Ubuntu) +enable_ubuntu_universe: false +# 是否启用 HashiCorp 官方仓库 +enable_hashicorp_repo: false +# 可选:指定 suite,默认用系统发行版代号(jammy/bookworm 等) +hashicorp_repo_suite: "{{ ansible_distribution_release }}" + + #config_temp: # k8s-node: # dns_servers: @@ -36,8 +50,3 @@ journald_log_rotation: # 启用 journald 日志管理 # selinux_enable: false # ssh_auth: # key: /root/.ssh/id_rsa.pub - -vhosts: [] -vhost_defaults: - root: /data/update-server - autoindex_paths: [] 
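Review bot: In the `rsyslog_log_rotation` hunk, `rotate_frequency: daily` together with the unchanged `rotate_count: 4` cuts rsyslog retention from roughly four weeks to four days, which is very little history for an incident investigation, and the inline comment still reads "默认每周轮换" (default weekly). Either raise the count to match the new cadence, e.g. `rotate_count: 28  # keep ~4 weeks at daily rotation`, or keep `weekly`; in both cases update the comment so it matches the value. Separately, the new `common_packages` default lists `vault`, which can only be resolved once `enable_hashicorp_repo` is true, yet that flag defaults to `false`, so flipping only `enable_install_packages` would fail on that package; consider documenting the dependency next to the list, e.g. `# vault requires enable_hashicorp_repo: true`.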
diff --git a/playbooks/roles/vhosts/common/tasks/install_packages.yml b/playbooks/roles/vhosts/common/tasks/install_packages.yml new file mode 100644 index 0000000..baf101c --- /dev/null +++ b/playbooks/roles/vhosts/common/tasks/install_packages.yml 
@@ -0,0 +1,122 @@ +--- +# Install & configure packages on Debian/Ubuntu, driven by defaults/main.yml only. + +- block: + ##################################################################### + # 0) Sanitize HashiCorp APT repo to avoid Signed-By conflicts + ##################################################################### + - name: Ensure /etc/apt/keyrings exists (new standard path) + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + owner: root + group: root + mode: '0755' + become: true + + # 删除可能遗留的旧源(list)与旧 deb822(sources),保持只有一种格式 + - name: Remove legacy HashiCorp .list repo (if any) + ansible.builtin.file: + path: /etc/apt/sources.list.d/hashicorp.list + state: absent + become: true + + - name: Remove legacy HashiCorp deb822 .sources (to re-add cleanly) + ansible.builtin.file: + path: /etc/apt/sources.list.d/hashicorp.sources + state: absent + become: true + + # 删除历史上可能存在的不同 keyring 路径,避免 APT 仍引用它们 + - name: Remove legacy keyring in /usr/share/keyrings (if any) + ansible.builtin.file: + path: /usr/share/keyrings/hashicorp-archive-keyring.gpg + state: absent + become: true + + # 统一用 /etc/apt/keyrings/hashicorp.gpg;先拿 ASCII,再 dearmor + - name: Fetch HashiCorp ASCII key + ansible.builtin.get_url: + url: https://apt.releases.hashicorp.com/gpg + dest: /etc/apt/keyrings/hashicorp.asc + mode: '0644' + when: enable_hashicorp_repo | default(true) | bool + become: true + + - name: Dearmor HashiCorp key to .gpg + ansible.builtin.command: + cmd: "gpg --dearmor -o /etc/apt/keyrings/hashicorp.gpg /etc/apt/keyrings/hashicorp.asc" + creates: /etc/apt/keyrings/hashicorp.gpg + when: enable_hashicorp_repo | default(true) | bool + become: true + + - name: Ensure keyring permissions (world-readable) + ansible.builtin.file: + path: /etc/apt/keyrings/hashicorp.gpg + owner: root + group: root + mode: '0644' + state: file + when: enable_hashicorp_repo | default(true) | bool + become: true + + # 只保留 deb822 写法,使用统一的 signed-by 路径 + - name: Add HashiCorp APT repo 
via deb822 (clean, unified) + ansible.builtin.deb822_repository: + name: hashicorp + types: [deb] + uris: ["https://apt.releases.hashicorp.com"] + suites: ["{{ hashicorp_repo_suite | default(ansible_distribution_release) }}"] + components: ["main"] + signed_by: "/etc/apt/keyrings/hashicorp.gpg" + state: "{{ (enable_hashicorp_repo | default(true) | bool) | ternary('present', 'absent') }}" + become: true + + ##################################################################### + # 1) Base APT deps (不在此处触发 update_cache,避免再次读到坏源) + ##################################################################### + - name: Ensure base APT deps (no update now) + ansible.builtin.apt: + name: + - ca-certificates + - gnupg + state: present + update_cache: false + become: true + + ##################################################################### + # 2) Ubuntu universe(仅 Ubuntu,且可控开关) + ##################################################################### + - name: Enable Ubuntu 'universe' component (Ubuntu only) + ansible.builtin.apt_repository: + repo: "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} main universe" + state: present + filename: "ubuntu-{{ ansible_distribution_release }}-universe" + when: + - ansible_facts.distribution == 'Ubuntu' + - enable_ubuntu_universe | default(true) | bool + become: true + + ##################################################################### + # 3) 现在再统一 update cache + ##################################################################### + - name: Update apt cache after repo normalization + ansible.builtin.apt: + update_cache: true + become: true + + ##################################################################### + # 4) 安装包(仅当 enable_install_packages=true) + ##################################################################### + - name: Install packages (guarded by enable_install_packages) + ansible.builtin.apt: + name: "{{ common_packages | default(['vault', 'auditd', 'uidmap', 'fuse-overlayfs']) }}" + state: 
present + environment: + DEBIAN_FRONTEND: noninteractive + APT_LISTCHANGES_FRONTEND: none + when: enable_install_packages | bool + become: true + + when: ansible_facts.os_family == 'Debian' + tags: [pkgs, baseline] diff --git a/playbooks/roles/vhosts/common/tasks/main.yml b/playbooks/roles/vhosts/common/tasks/main.yml index acf68fe..b99e4e7 100644 --- a/playbooks/roles/vhosts/common/tasks/main.yml +++ b/playbooks/roles/vhosts/common/tasks/main.yml @@ -14,8 +14,9 @@ script: files/secure_ssh.sh - name: Install packages - script: files/install-packages.sh - when: (ansible_facts['distribution'] == "Ubuntu") or (ansible_facts['distribution'] == "Debian") + include_tasks: install_packages.yml + when: ansible_facts.os_family == 'Debian' + tags: [pkgs, baseline] #- name: Include GPU Configuration # include_tasks: include_gpu.yaml
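Review bot: The HashiCorp signing key fetched by `Fetch HashiCorp ASCII key` is trusted as-is: there is no `checksum:` on the `get_url` and no fingerprint check before `gpg --dearmor` turns it into `/etc/apt/keyrings/hashicorp.gpg`, so whatever the endpoint (or an interposed proxy/mirror) returns becomes an APT signer for `vault`. Pin the expected fingerprint as a role default (e.g. `hashicorp_key_fingerprint`, taken from HashiCorp's published value) and fail the play when the downloaded key does not carry it, as sketched below. Ordering is also off: `gpg` and `ca-certificates` are only ensured in step 1, after step 0 has already fetched over HTTPS and run `gpg --dearmor`, so `Ensure base APT deps` should move ahead of the key fetch. Two smaller points: `creates: /etc/apt/keyrings/hashicorp.gpg` means a rotated key in the `.asc` is never re-dearmored, and the `| default(true)` fallbacks on the repo tasks disagree with the role default of `enable_hashicorp_repo: false`.

```yaml
    # … unchanged: keyrings dir, legacy .list/.sources/keyring cleanup …

    - name: Ensure base APT deps (needed before fetching/dearmoring the key)
      ansible.builtin.apt:
        name:
          - ca-certificates
          - gnupg
        state: present
        update_cache: false
      become: true

    - name: Fetch HashiCorp ASCII key
      ansible.builtin.get_url:
        url: https://apt.releases.hashicorp.com/gpg
        dest: /etc/apt/keyrings/hashicorp.asc
        mode: '0644'
      when: enable_hashicorp_repo | default(false) | bool
      become: true

    - name: Verify HashiCorp key fingerprint before trusting it
      ansible.builtin.command:
        cmd: gpg --batch --with-colons --show-keys /etc/apt/keyrings/hashicorp.asc
      register: hashicorp_key_info
      changed_when: false
      # gpg prints one "fpr:::::::::<FINGERPRINT>:" record per key; require the pinned one.
      failed_when: "('fpr:::::::::' ~ hashicorp_key_fingerprint ~ ':') not in hashicorp_key_info.stdout"
      when: enable_hashicorp_repo | default(false) | bool
      become: true

    - name: Dearmor HashiCorp key to .gpg (re-run when the .asc changes)
      ansible.builtin.command:
        cmd: "gpg --batch --yes --dearmor -o /etc/apt/keyrings/hashicorp.gpg /etc/apt/keyrings/hashicorp.asc"
      when: enable_hashicorp_repo | default(false) | bool
      become: true

    # … unchanged: keyring permissions, deb822 repo, universe, cache update, package install …
```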
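Review bot: The guard on `Install packages` widened from "distribution is Ubuntu or Debian" to `ansible_facts.os_family == 'Debian'`, which also matches derivatives (Linux Mint, Raspbian, Kali and similar); for those hosts the included tasks default `hashicorp_repo_suite` to `ansible_distribution_release`, a codename that is presumably not served by apt.releases.hashicorp.com, so the unconditional `Update apt cache` would fail as soon as the repo is enabled. Either keep the narrower condition, `when: ansible_facts.distribution in ['Ubuntu', 'Debian']`, or document that derivative distributions must set `hashicorp_repo_suite` explicitly, e.g. `# Derivatives (Mint, Kali, …): set hashicorp_repo_suite to the upstream Ubuntu/Debian codename`.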