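---
# roles/common_secure/tasks/main.yml
#
# Baseline hardening for a Debian/Ubuntu host: apt upgrade, UFW host firewall,
# sudo, key-only SSH for root, and a locked root password.
#
# Variables read (all expected to be booleans):
#   common_full_upgrade      run a full apt upgrade
#   common_firewall_enable   install and enable UFW (false removes the package)
#   common_firewall_reject   set the default incoming policy to reject
#   common_firewall_ssh      allow (rate-limited) inbound SSH
#   common_firewall_https    allow inbound HTTPS
#   common_firewall_http     allow inbound HTTP
#   common_ssh_configure     manage /etc/ssh/sshd_config
#   common_lock_root         lock the root password (treated as true when unset)
#
# Handlers notified: `restart ssh` (defined in the role's handlers file).

- name: Upgrade system packages
  ansible.builtin.apt:
    update_cache: true
    upgrade: full
  when: common_full_upgrade

- name: Install UFW Firewall
  ansible.builtin.apt:
    name: ufw
    # update_cache: true
    state: present
  when: common_firewall_enable

- name: Disable UFW Firewall
  ansible.builtin.apt:
    name: ufw
    state: absent
  when: not common_firewall_enable

# The default policy and the allow rules are written BEFORE the firewall is
# enabled. Enabling first opened a window in which a play interrupted between
# tasks left the firewall up with no SSH allow rule. UFW accepts rules while
# it is inactive and applies them on enable.
- name: Reject incoming connections by default
  community.general.ufw:
    policy: reject
    comment: 'Reject all by default'
  when: common_firewall_reject and common_firewall_enable

- name: Allow SSH Connections
  community.general.ufw:
    rule: limit  # rate-limits repeated connection attempts from one source
    port: ssh
    proto: tcp
    comment: 'Allow SSH'
  when: common_firewall_ssh and common_firewall_enable

- name: Allow HTTPS Connections
  community.general.ufw:
    rule: allow
    port: https
    proto: tcp
    comment: 'Allow HTTPS'
  when: common_firewall_https and common_firewall_enable

- name: Allow HTTP Connections
  community.general.ufw:
    rule: allow
    port: http
    proto: tcp
    comment: 'Allow HTTP'
  when: common_firewall_http and common_firewall_enable

- name: Enable UFW
  community.general.ufw:
    state: enabled
    logging: 'on'  # quoted on purpose: a bare `on` is parsed as a boolean
  when: common_firewall_enable

- name: Install sudo
  ansible.builtin.apt:
    name: sudo
    update_cache: true
    state: present

# Each loop entry is one sshd directive. A regexp that does not match (e.g. the
# stock commented-out `#PasswordAuthentication yes`) makes lineinfile append the
# line at the end of the file; sshd takes the first value it sees for a
# directive, so this still takes effect unless the file ends inside a `Match`
# block or a drop-in under sshd_config.d sets the directive first.
- name: Configure SSH to disallow passwords
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ ssh_config_entry.regexp }}"
    line: "{{ ssh_config_entry.line }}"
    state: present
    # Refuse to write a config sshd cannot parse; otherwise the handler would
    # restart a broken daemon and cut off all remote access.
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
    # PasswordAuthentication alone leaves PAM keyboard-interactive logins able
    # to prompt for a password; this closes that path as well.
    - { regexp: '^KbdInteractiveAuthentication', line: 'KbdInteractiveAuthentication no' }
  loop_control:
    loop_var: ssh_config_entry
  notify: restart ssh
  when: common_ssh_configure

# Every file in the role's files/ directory is installed verbatim as a root
# authorized key, so that directory must contain nothing but public keys.
- name: Add authorized ssh keys for root
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', ssh_key_file) }}"
  loop: "{{ query('fileglob', '../files/*') }}"
  loop_control:
    loop_var: ssh_key_file

# Locking the password does not affect key-based root logins (the keys above
# keep working); the commented-out PermitRootLogin task below would block those.
- name: Lock the root account
  ansible.builtin.user:
    name: root
    # Lock unless common_lock_root is explicitly set to false.
    password_lock: "{{ common_lock_root | default(true) | bool }}"

# - name: Configure SSH to disallow root login
#   ansible.builtin.lineinfile:
#     path: /etc/ssh/sshd_config
#     regexp: '^PermitRootLogin'
#     line: 'PermitRootLogin no'
#     state: present
#   notify: restart ssh
#   when: common_ssh_configure

# - name: Disable root shell
#   ansible.builtin.user:
#     name: root
#     shell: /usr/sbin/nologin
#   when: common_disable_root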