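---
# Base host provisioning: package upgrade, hostname, DNS, SSH access,
# Fail2Ban and the ufw firewall. The handlers referenced by `notify`
# (Enable systemd-timesyncd, Restart sshd, Enable fail2ban, Reload ufw)
# are defined outside this file.

- name: Apt upgrade, update
  ansible.builtin.apt:
    update_cache: true
    upgrade: "dist"

- name: Set a hostname specifying strategy
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
    use: systemd

- name: Install dependencies
  ansible.builtin.apt:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - systemd-timesyncd
      - systemd-resolved
      - vim
      - git
      - rsync
    # `latest` upgrades these packages on every run, so the task can report
    # "changed" independently of the dist-upgrade above; `present` would be
    # the choice if run-to-run idempotence matters more than freshness.
    state: latest
    update_cache: true
  notify:
    - Enable systemd-timesyncd

## DNS
- name: Configure systemd-resolved
  ansible.builtin.include_tasks:
    file: "systemd-resolved.yml"

## SSH
- name: Copy sshd_config
  ansible.builtin.copy:
    src: files/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: u=rw,g=r,o=r
    # Syntax-check the new config before it replaces the live one; without
    # this the "Restart sshd" handler would restart the daemon on a broken
    # file and leave the host unreachable over SSH.
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart sshd

- name: Copy authorized keys
  ansible.builtin.copy:
    src: files/authorized_keys
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    # Owner-only permissions: the original task set no mode, so the file
    # inherited whatever the copy produced; sshd with StrictModes rejects
    # key files that are writable by others.
    mode: "0600"

## FAIL2BAN
- name: Install Fail2Ban
  ansible.builtin.apt:
    name: fail2ban
    state: present
  notify:
    - Enable fail2ban

## FIREWALL
- name: Install ufw
  ansible.builtin.apt:
    name: ufw
    state: present

# Rule creation is kept separate from enabling the firewall: with both in
# one task the ufw module evaluates `state` before `rule`, so on the first
# loop iteration the firewall would come up before any SSH allow rule exists.
- name: Allow ssh from rfc1918 networks
  loop: "{{ rfc1918_networks }}"
  community.general.ufw:
    rule: allow
    name: "OpenSSH"
    from: "{{ item }}"
  notify:
    - Reload ufw

- name: Enable ufw
  community.general.ufw:
    state: "enabled"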