diff --git a/playbooks/system-maintenance.yml b/playbooks/system-maintenance.yml
new file mode 100644
index 0000000..39460c8
--- /dev/null
+++ b/playbooks/system-maintenance.yml
@@ -0,0 +1,123 @@
+---
+- name: System Maintenance with Admin Setup (Idempotent & Secure)
+ hosts: all
+ become: true
+
+ vars:
+ # ==== Customizable Variables ====
+ admin_user: "admin"
+ admin_group: "sysadmin"
+ admin_password: "$6$Z1rC2h...EncryptedPassword..." # ganti dengan hasil `mkpasswd --method=SHA-512`
+ ssh_key_path: "/home/{{ admin_user }}/.ssh/id_rsa"
+ health_report_path: "/var/log/system_health_report.txt"
+ cron_log_path: "/var/log/cron.log"
+ default_service: "cron"
+
+ tasks:
+ # ==== PACKAGE MAINTENANCE ====
+ - name: Update package repositories
+ apt:
+ update_cache: yes
+ register: update_result
+ changed_when: update_result.cache_updated
+ tags: update
+
+ - name: Upgrade security packages (dist-upgrade)
+ apt:
+ upgrade: dist
+ tags: upgrade
+
+ # ==== CLEANUP ====
+ - name: Clean all contents of /tmp directory
+ shell: "rm -rf /tmp/* || true"
+ tags: cleanup
+
+ - name: Ensure /tmp directory exists with correct permissions
+ file:
+ path: /tmp
+ state: directory
+ owner: root
+ group: root
+ mode: '1777'
+ tags: cleanup
+
+ # ==== SERVICE MAINTENANCE ====
+ - name: "Restart specific service (default: cron)"
+ service:
+ name: "{{ default_service }}"
+ state: restarted
+ tags: restart
+
+ # ==== ADMIN USER MANAGEMENT ====
+ - name: Ensure admin group exists
+ group:
+ name: "{{ admin_group }}"
+ state: present
+ tags: admin
+
+ - name: Ensure admin user exists
+ user:
+ name: "{{ admin_user }}"
+ group: "{{ admin_group }}"
+ password: "{{ admin_password }}"
+ shell: /bin/bash
+ create_home: yes
+ state: present
+ tags: admin
+
+ - name: Grant sudo privileges to admin user (NOPASSWD)
+ copy:
+ dest: "/etc/sudoers.d/{{ admin_user }}"
+ content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
+ mode: '0440'
+ owner: root
+ group: root
+ tags: admin
+
+ - name: Ensure .ssh directory exists for admin
+ file:
+ path: "/home/{{ admin_user }}/.ssh"
+ state: directory
+ owner: "{{ admin_user }}"
+ group: "{{ admin_group }}"
+ mode: '0700'
+ tags: admin
+
+ - name: Generate SSH key pair (idempotent)
+ openssh_keypair:
+ path: "{{ ssh_key_path }}"
+ owner: "{{ admin_user }}"
+ group: "{{ admin_group }}"
+ mode: '0600'
+ type: rsa
+ size: 2048
+ tags: admin
+
+ # ==== SYSTEM REPORTING ====
+ - name: Generate system health report
+ shell: |
+ echo "===== SYSTEM HEALTH REPORT =====" > {{ health_report_path }}
+ echo -e "\n--- TOP ---" >> {{ health_report_path }}
+ top -b -n1 | head -n 20 >> {{ health_report_path }}
+ echo -e "\n--- DISK USAGE ---" >> {{ health_report_path }}
+ df -h >> {{ health_report_path }}
+ echo -e "\n--- MEMORY ---" >> {{ health_report_path }}
+ free -h >> {{ health_report_path }}
+ args:
+ executable: /bin/bash
+ tags: report
+
+ # ==== LOGGING CONFIGURATION ====
+ - name: Enable cron logging (if not already)
+ lineinfile:
+ path: /etc/rsyslog.d/50-default.conf
+ regexp: '^#?cron.\*'
+ line: 'cron.* {{ cron_log_path }}'
+ notify: Restart rsyslog
+ tags: logging
+
+ handlers:
+ - name: Restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
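Review bot: The sudoers drop-in written by `copy` in "Grant sudo privileges to admin user (NOPASSWD)" is never syntax-checked and its content has no trailing newline, so an unexpected `admin_user` value or a malformed line would leave a broken file in `/etc/sudoers.d/` and sudo would refuse to run on the host; add `validate: 'visudo -cf %s'` and write `content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"`. Since the play title advertises "Secure", the passwordless `ALL=(ALL) NOPASSWD:ALL` grant deserves a comment stating it is deliberate, or should be narrowed to a password-required rule. The two `shell` tasks (`rm -rf /tmp/* || true` and the health report) report changed on every run and carry no `changed_when`, which contradicts the "Idempotent" claim; the /tmp wipe also removes sockets and lock files of running services, so an age-based `find` or `tmpreaper` would be safer. `admin_password` should be supplied from Ansible Vault rather than a plain vars literal, and `update_cache: yes` / `create_home: yes` should be `true` to satisfy yamllint's truthy rule. Indentation appears collapsed in this rendering, so the nesting of the task keys could not be verified here.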