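---
# Base hardening for a freshly provisioned host: package baseline, SSH
# lockdown, UFW default-deny with an SSH allow rule, and fail2ban.
#
# Task order matters: the SSH allow rule is applied *before* UFW is
# enabled so the play never cuts off its own connection, and the
# sshd_config edits are validated before they are written so a typo
# cannot leave sshd unable to restart when the handler fires.
#
# Variables consumed (defined outside this file):
#   host_base_packages  list of packages to install
#   ufw_allow           optional list of {port, proto (default tcp),
#                       from (default any)} extra allow rules
#   fail2ban_backend    value for fail2ban's [DEFAULT] backend
# Handlers consumed: "restart sshd".

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 0  # never reuse a cached package index

- name: Install base packages
  ansible.builtin.apt:
    name: "{{ host_base_packages }}"
    state: present

# The regexp matches the top-level directive whether or not it is
# commented out, so the existing line is replaced in place instead of a
# second one being appended. `validate` runs sshd's config check on the
# candidate file before it replaces /etc/ssh/sshd_config.
# NOTE(review): sshd uses the first value it reads for an option; on
# hosts whose sshd_config has an `Include` drop-in directory, a drop-in
# that sets PasswordAuthentication would take precedence over this
# edit — confirm on the target distribution.
- name: Disable SSH password authentication
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd

- name: Disable SSH root login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd

# Must precede "Enable UFW with default deny" (see ordering note above).
- name: Allow SSH through UFW
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp

# Each ufw_allow entry needs `port`; `proto` and `from` are optional.
- name: Allow additional UFW ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
    from_ip: "{{ item.from | default('any') }}"
  loop: "{{ ufw_allow | default([]) }}"

- name: Enable UFW with default deny
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming

# Only the backend is configured here; which jails are enabled is left
# to whatever fail2ban ships with (not managed by this file).
- name: Configure fail2ban backend
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      backend = {{ fail2ban_backend }}
    owner: root
    group: root
    mode: "0644"
  register: fail2ban_jail

# Restart fail2ban only when jail.local actually changed; otherwise just
# make sure it is up. An unconditional `state: restarted` bounced the
# service and reported "changed" on every run.
- name: Ensure fail2ban is running
  ansible.builtin.service:
    name: fail2ban
    state: "{{ 'restarted' if fail2ban_jail.changed else 'started' }}"
    enabled: true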