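---
# Debian/Ubuntu baseline hardening task list (snapd removal, MOTD/banner,
# cron/at allow-lists, sshd, unattended-upgrades, IPv6 off, ufw, fail2ban).
#
# NOTE(review): this list overwrites /etc/ssh/sshd_config wholesale and rotates
# the SSH host keys. Review the rendered sshd_config and make sure the account
# Ansible connects with still satisfies it (key-based login) before running this
# against a host you can only reach over SSH.

- name: Remove snap and snapd
  # NOTE: on Ubuntu some metapackages depend on snapd and apt may pull it back
  # in on a later upgrade; pin or hold the package if the removal must stick.
  apt:
    name:
      - snap
      - snapd
    state: absent
    purge: true

- name: Clean apt cache
  apt:
    autoclean: true

- name: Clear /etc/issue and /etc/motd
  # sshd's `Banner /etc/issue` below therefore shows an empty pre-auth banner.
  copy:
    content: ""
    dest: "{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - /etc/issue
    - /etc/motd

- name: Check whether /etc/update-motd.d exists
  stat:
    path: /etc/update-motd.d
  register: motd_dir

- name: Find files in /etc/update-motd.d
  find:
    paths: /etc/update-motd.d
    file_type: file
  register: motd_files
  when: motd_dir.stat.exists

- name: Remove execute permissions from all files in /etc/update-motd.d
  # The loop expression is evaluated before `when`; if the find task was skipped
  # `motd_files` has no `.files` key, so default to [] instead of failing.
  file:
    path: "{{ item.path }}"
    mode: u-x,g-x,o-x
  loop: "{{ motd_files.files | default([]) }}"
  when: motd_dir.stat.exists

- name: Enforce root-only cron/at (allow-lists present, root-owned, 0600)
  # Preserving timestamps keeps `state: touch` idempotent; without it every run
  # reports changed.
  file:
    path: "{{ item }}"
    state: touch
    owner: root
    group: root
    mode: '0600'
    access_time: preserve
    modification_time: preserve
  loop:
    - /etc/cron.allow
    - /etc/at.allow

- name: Remove deny files for cron and at
  # With an allow-list in place the deny files are ignored; drop them so the
  # effective policy is unambiguous.
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/cron.deny
    - /etc/at.deny

- name: Harden sshd_config
  # `backup: true` replaces the separate timestamped copy task and only creates
  # a backup when the file actually changes. `validate` refuses to install a
  # config sshd cannot parse, which would otherwise lock us out on restart.
  # Overwriting the file also drops Ubuntu's `Include /etc/ssh/sshd_config.d/*`,
  # so drop-ins such as cloud-init's `PasswordAuthentication yes` no longer apply.
  copy:
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
    content: |
      Port 22
      AddressFamily inet
      # Protocol is ignored by OpenSSH >= 7.4 (only v2 exists); kept for old builds.
      Protocol 2
      Banner /etc/issue
      UsePAM yes
      Subsystem sftp /usr/lib/openssh/sftp-server
      LogLevel verbose
      PrintMotd no
      PrintLastLog yes
      AcceptEnv LANG LC_*
      MaxSessions 5
      MaxAuthTries 3
      StrictModes yes
      Compression no
      IgnoreRhosts yes
      IgnoreUserKnownHosts yes
      X11Forwarding no
      AllowTcpForwarding no
      AllowAgentForwarding no
      # Was `yes`, which allows password login as root. prohibit-password keeps
      # key-based root access (so an Ansible user of root still works); set to
      # `no` once an unprivileged sudo user exists.
      PermitRootLogin prohibit-password
      PermitEmptyPasswords no
      PermitUserEnvironment no
      GSSAPIAuthentication no
      KerberosAuthentication no
      ChallengeResponseAuthentication no
      # PasswordAuthentication is deliberately left at its default here; add
      # `PasswordAuthentication no` only after authorized_keys are deployed.
      # ClientAliveCountMax 0 disables idle disconnect on OpenSSH >= 8.2, so the
      # previous `1200 / 0` pair never dropped idle sessions; 300 * 3 = 15 min.
      ClientAliveInterval 300
      ClientAliveCountMax 3
      KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
  register: sshd_config

- name: Regenerate SSH host keys (one-shot, for hosts cloned from an image)
  # The former `creates: /etc/ssh/ssh_host_ed25519_key` guard never fired on a
  # stock install (that key already exists), so keys were silently never rotated.
  # A marker file guards the one-shot instead. Keys are generated into a temp
  # dir and installed only after both succeed, so a failure cannot leave the
  # host with no host key. Clients will see a host-key-changed warning afterwards.
  shell: |
    set -euo pipefail
    tmp="$(mktemp -d)"
    ssh-keygen -q -t ed25519 -f "${tmp}/ssh_host_ed25519_key" -N ""
    ssh-keygen -q -t rsa -b 4096 -f "${tmp}/ssh_host_rsa_key" -N ""
    rm -f /etc/ssh/ssh_host_*key*
    install -o root -g root -m 0600 "${tmp}"/ssh_host_*_key /etc/ssh/
    install -o root -g root -m 0644 "${tmp}"/ssh_host_*_key.pub /etc/ssh/
    rm -rf "${tmp}"
    touch /etc/ssh/.host_keys_regenerated
  args:
    executable: /bin/bash
    creates: /etc/ssh/.host_keys_regenerated
  register: host_keys

- name: Enable sshd and restart it when config or host keys changed
  systemd:
    name: ssh
    state: "{{ 'restarted' if (sshd_config.changed or host_keys.changed) else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: Install unattended-upgrades
  apt:
    name: unattended-upgrades
    state: present

- name: Enable unattended-upgrades
  # `dpkg-reconfigure --priority=low` is interactive, and its `creates:` guard
  # pointed at 50unattended-upgrades, a file the package itself ships, so the
  # task never ran. 20auto-upgrades is what enabling it non-interactively writes.
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
  register: auto_upgrades

- name: Enable unattended-upgrades service and restart it when its config changed
  systemd:
    name: unattended-upgrades
    state: "{{ 'restarted' if auto_upgrades.changed else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: Disable IPv6 on the kernel command line
  # Append to GRUB_CMDLINE_LINUX instead of replacing it, so existing kernel
  # parameters survive; the negative lookahead makes this idempotent. Takes
  # effect after update-grub and a reboot. Matches `AddressFamily inet` above.
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX="((?!.*ipv6\.disable=1).*)"$'
    line: 'GRUB_CMDLINE_LINUX="\1 ipv6.disable=1"'
    backrefs: true
  register: grub_cmdline

- name: Update grub
  command: update-grub
  when: grub_cmdline.changed

- name: Allow inbound SSH through ufw
  # Consider `rule: limit` to rate-limit new connections; fail2ban below covers
  # brute force, so plain allow is kept here.
  ufw:
    rule: allow
    direction: in
    port: '22'
    proto: tcp

- name: Enable ufw with default-deny incoming policy
  # `state: enabled` activates ufw and persists it across reboots; no restart
  # is needed.
  ufw:
    state: enabled
    policy: deny

- name: Ensure the ufw service is enabled and running
  systemd:
    name: ufw
    state: started
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: Install fail2ban
  apt:
    name: fail2ban
    state: present

- name: Deploy custom fail2ban jail.local
  template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
  register: jail_local

- name: Enable fail2ban and restart it when the jail config changed
  # A restart already reloads the jails; the former unconditional
  # `fail2ban-client reload` was redundant and reported changed on every run.
  systemd:
    name: fail2ban
    state: "{{ 'restarted' if jail_local.changed else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'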