---
# Security hardening tasks: kernel parameters, host firewall (UFW) and
# unattended security updates. The firewall and update tasks only run on
# Debian-family hosts and are switched on by common_firewall_enabled /
# common_auto_updates_enabled respectively.

# Kernel parameters come from the common_sysctl_settings mapping; each entry
# is set live (sysctl_set) and persisted (state: present), then sysctl is
# reloaded so the persisted file is re-read.
- name: Apply sysctl settings
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    sysctl_set: true
    reload: true
  loop: "{{ common_sysctl_settings | dict2items }}"

- name: Install UFW (Debian/Ubuntu)
  ansible.builtin.apt:
    name: ufw
    state: present
  when: ansible_os_family == "Debian" and common_firewall_enabled

# Deny all inbound, allow all outbound. The allow rules in the next task must
# cover the port the Ansible connection itself uses (normally 22/tcp);
# otherwise enabling UFW further down cuts off the management session.
- name: Configure UFW defaults
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - direction: incoming
      policy: deny
    - direction: outgoing
      policy: allow
  when: ansible_os_family == "Debian" and common_firewall_enabled

# Entries in common_firewall_allowed_ports are "PORT" or "PORT/PROTO"; when
# the "/PROTO" suffix is absent the rule falls back to tcp.
- name: Allow firewall ports (UFW)
  community.general.ufw:
    rule: allow
    port: "{{ item.split('/')[0] }}"
    proto: "{{ item.split('/')[1] | default('tcp') }}"
  loop: "{{ common_firewall_allowed_ports }}"
  when: ansible_os_family == "Debian" and common_firewall_enabled

# Enabled last, so the default policy and the allow rules are already in
# place when filtering starts.
- name: Enable UFW
  community.general.ufw:
    state: enabled
  when: ansible_os_family == "Debian" and common_firewall_enabled

- name: Install automatic security updates (Debian/Ubuntu)
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present
  when: ansible_os_family == "Debian" and common_auto_updates_enabled

# Turn on the periodic package-list refresh and the unattended-upgrade run.
# Trailing newline is kept on purpose (block scalar "|") so the apt conf file
# ends with a newline.
- name: Enable automatic security updates (Debian/Ubuntu)
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    mode: "0644"
  when: ansible_os_family == "Debian" and common_auto_updates_enabled