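---
# Role: common
# Baseline hardening for all INSIGHT servers.
#
# Task order matters for the firewall section: the SSH allow rule is written
# before UFW is enabled with a default-deny policy, so neither the running
# Ansible session nor a new session on `ssh_port` is ever blocked by the
# default policy.
# Variables expected from the caller: `timezone`, `ssh_port`.

- name: "System-Pakete aktualisieren"
  apt:
    update_cache: true
    upgrade: dist
    cache_valid_time: 3600  # skip the index refresh when it ran within the last hour

- name: "Basis-Pakete installieren"
  apt:
    name:
      - curl
      - wget
      - git
      - htop
      - vim
      - unzip
      - ca-certificates
      - gnupg
      - lsb-release
      - ufw
      - fail2ban
      - chrony
      - python3-pip
    state: present

- name: "Unattended-Upgrades installieren"
  apt:
    name: unattended-upgrades
    state: present

- name: "Unattended-Upgrades aktivieren"
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
    owner: root
    group: root
    mode: "0644"  # explicit so the result does not depend on the remote umask

- name: "Zeitzone setzen"
  timezone:
    name: "{{ timezone }}"

- name: "Chrony (NTP) konfigurieren"
  template:
    src: chrony.conf.j2
    dest: /etc/chrony/chrony.conf
    owner: root
    group: root
    mode: "0644"
  notify: restart chrony

- name: "SSH Hardening — sshd_config"
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"  # only sshd itself (running as root) needs to read it
    # The rendered file is only installed when `sshd -t` accepts it, so the
    # restart handler can never leave the host with a broken sshd.
    validate: 'sshd -t -f %s'
  notify: restart sshd

# Allow SSH *before* enabling the firewall. ufw accepts rules while it is still
# disabled; enabling it with default-deny first would block new SSH connections
# until this rule exists.
- name: "UFW — SSH erlauben"
  ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp

- name: "UFW — Standard: alles ablehnen"
  ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: "Fail2ban aktivieren"
  service:
    name: fail2ban
    state: started
    enabled: true

# NOTE(review): a `handlers:` mapping key cannot follow a top-level task list in
# the same YAML document (a mapping after a root-level sequence is a parse
# error). In an Ansible role these definitions belong in handlers/main.yml; they
# are kept here verbatim so nothing is lost, but must be moved before the role
# is run.
handlers:
  - name: restart chrony
    service:
      name: chrony
      state: restarted

  - name: restart sshd
    service:
      # NOTE(review): on Debian/Ubuntu the unit is `ssh`; `sshd` works only via
      # its alias — confirm the alias resolves on the targets.
      name: sshd
      state: restarted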