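---
# Debian baseline hardening tasks. Every debian_baseline_* variable used below
# is expected to come from the role's defaults/vars; none is defined here.
# The handlers "Restart ssh" and "Reload sysctl" are defined elsewhere in the role.

- name: Refresh apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: "{{ debian_baseline_apt_cache_valid_time }}"

- name: Install baseline hardening packages
  ansible.builtin.apt:
    name: "{{ debian_baseline_packages }}"
    state: present

- name: Configure unattended-upgrades auto settings
  # Files under /etc should be root-owned regardless of the connecting user,
  # so ownership is set explicitly rather than left to the copy default.
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "{{ debian_baseline_unattended_update_lists }}";
      APT::Periodic::Unattended-Upgrade "{{ debian_baseline_unattended_auto_upgrade }}";
  when: debian_baseline_enable_unattended_upgrades | bool

- name: Configure SSH hardening options
  # This drop-in only takes effect if the main sshd_config contains
  # "Include /etc/ssh/sshd_config.d/*.conf" (shipped by default on recent
  # Debian releases; confirm on the target image).
  # validate runs `sshd -t` against the rendered file before it is installed,
  # so a bad variable value (typo, empty expansion) is caught by the task
  # instead of leaving sshd unable to restart and locking out remote access.
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/99-hardening.conf
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
    content: |
      PermitRootLogin {{ debian_baseline_ssh_permit_root_login }}
      PasswordAuthentication {{ debian_baseline_ssh_password_authentication }}
      PubkeyAuthentication {{ debian_baseline_ssh_pubkey_authentication }}
      X11Forwarding {{ debian_baseline_ssh_x11_forwarding }}
      MaxAuthTries {{ debian_baseline_ssh_max_auth_tries }}
      ClientAliveInterval {{ debian_baseline_ssh_client_alive_interval }}
      ClientAliveCountMax {{ debian_baseline_ssh_client_alive_count_max }}
      {% if debian_baseline_ssh_allow_users | length > 0 %}
      AllowUsers {{ debian_baseline_ssh_allow_users | join(' ') }}
      {% endif %}
  notify: Restart ssh

- name: Configure baseline sysctls
  # One "key = value" line per entry of debian_baseline_sysctl_settings;
  # the values are only applied when the "Reload sysctl" handler runs.
  ansible.builtin.copy:
    dest: /etc/sysctl.d/99-hardening.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      {% for key, value in debian_baseline_sysctl_settings.items() %}
      {{ key }} = {{ value }}
      {% endfor %}
  notify: Reload sysctl

- name: Ensure fail2ban service is enabled
  # Presumably fail2ban is part of debian_baseline_packages installed above;
  # this task fails if the unit does not exist — verify the package list.
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started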