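---
# Baseline hardening for Debian/Ubuntu hosts: package refresh, sshd config,
# host firewall (UFW), a fail2ban jail for sshd and unattended upgrades.
# Expects the variables `base_packages`, `ssh_port` and (optionally)
# `allowed_ports`; the handlers `restart sshd` and `restart fail2ban` are
# defined elsewhere in the role.
# NOTE(review): assumes fail2ban, ufw and unattended-upgrades are included in
# `base_packages` — confirm against the role defaults.

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600

- name: Install base packages
  ansible.builtin.apt:
    name: "{{ base_packages }}"
    state: present

- name: Harden SSH configuration
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Syntax-check the rendered file before it replaces the live config, so a
    # broken template cannot leave sshd unable to restart.
    validate: "sshd -t -f %s"
  notify: restart sshd

# Allow rules are added *before* the firewall is enabled with a default-deny
# inbound policy; enabling first risks locking out the control connection if
# it has to reconnect before the SSH allow rule exists.
- name: Allow SSH through UFW
  community.general.ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp

- name: Allow role-specific ports through UFW
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop: "{{ allowed_ports | default([]) }}"

- name: Enable UFW
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Configure fail2ban SSH jail
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    # `content` is rendered by Jinja2, so ssh_port is substituted into the jail.
    content: |
      [sshd]
      enabled = true
      port = {{ ssh_port }}
      maxretry = 5
      bantime = 3600
      findtime = 600
    owner: root
    group: root
    mode: "0644"
  notify: restart fail2ban

- name: Enable and start fail2ban
  ansible.builtin.systemd:
    name: fail2ban
    enabled: true
    state: started

- name: Configure unattended-upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"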