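---
# Host baseline for a Kedge WireGuard node: package install, sshd hardening,
# UFW default-deny inbound with explicit allows, and fail2ban.
#
# Task order is deliberate: every UFW allow rule is applied BEFORE the firewall
# is switched on, so a default-deny policy never exists on the host without the
# SSH allow already in place (the original play enabled UFW first, which leaves
# a window in which a fresh management connection would be dropped).

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600
  when: ansible_os_family == "Debian"

- name: Install base packages
  ansible.builtin.package:
    name:
      - ufw
      - fail2ban
      - unattended-upgrades
      - wireguard-tools
      - jq
      - curl
    state: present

- name: Configure SSH hardening
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Refuse to write the file if sshd rejects the result, so a malformed line
    # can never reach disk and then break the "restart sshd" handler.
    validate: /usr/sbin/sshd -t -f %s
  # NOTE(review): sshd honours the first value it reads for a keyword. On
  # distributions that ship an `Include /etc/ssh/sshd_config.d/*.conf` line near
  # the top of sshd_config, a drop-in there wins over the lines set here —
  # confirm the effective values with `sshd -T` after the play runs.
  # NOTE(review): `PasswordAuthentication no` disables the password method only;
  # keyboard-interactive (PAM) password prompts are controlled by
  # KbdInteractiveAuthentication (ChallengeResponseAuthentication on older
  # OpenSSH) — verify that it is also off in the `sshd -T` output.
  loop:
    - {regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no'}
    - {regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no'}
    - {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}
  notify: restart sshd

# Allow rules first (see header comment); UFW is enabled below.
- name: Allow SSH
  community.general.ufw:
    rule: allow
    # The sshd hardening above does not change `Port`, so 22 is the listening port.
    port: "22"
    proto: tcp

- name: Allow WireGuard
  community.general.ufw:
    rule: allow
    port: "{{ kedge_wg_port }}"
    proto: udp

- name: Allow Kedge metrics
  community.general.ufw:
    rule: allow
    port: "{{ kedge_metrics_port }}"
    proto: tcp
    # Metrics are reachable only from 10.0.0.0/8 — presumably the internal
    # monitoring network; confirm this matches where the scraper actually sits.
    src: "10.0.0.0/8"

- name: Enable UFW with default deny
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming

- name: Enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started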