- name: Update hostname to match Ansible inventory
  hostname:
    name: "{{ ansible_host }}"
  tags:
    - role::common

- name: Update /etc/hosts to match Ansible inventory
  template:
    src: etc-hosts.j2
    dest: /etc/hosts
    mode: "0644"
    owner: root
    group: root
  tags:
    - role::common

- name: Configure SSH daemon options
  ansible.builtin.copy:
    content: |
      # Ansible managed

      # Logins
      PasswordAuthentication no
      PermitRootLogin no

      # Forwarding
      AllowAgentForwarding no
      X11Forwarding no

      # Connection keepalive
      ClientAliveInterval 300
      ClientAliveCountMax 3
    dest: /etc/ssh/sshd_config.d/hardening.conf
    owner: root
    group: root
    mode: "0444"
  notify:
    - Reload ssh (Debian)
    - Reload sshd (Rocky)
  tags:
    - role::common

- name: Configure default security limits
  ansible.builtin.copy:
    content: |
      # Ansible managed

      # <domain>  <type>  <item>  <value>
      *           soft    nproc   100
      *           hard    nproc   200
    dest: /etc/security/limits.d/pydis.conf
    owner: root
    group: root
    mode: "0444"
  when: ansible_distribution == "Debian"
  tags:
    - role::common

- name: Set timezone to UTC
  file:
    src: /usr/share/zoneinfo/Etc/UTC
    dest: /etc/localtime
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart systemd-timesyncd
  tags:
    - role::common

- name: Create sudoers lecture
  template:
    src: sudo_lecture.j2
    dest: /etc/sudo_lecture
    mode: "0644"
    owner: root
    group: root
  tags:
    - role::common

- name: Configure sudo
  template:
    src: sudoers.j2
    dest: /etc/sudoers.d/pydis
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  tags:
    - role::common

- name: Configure MOTD
  template:
    src: motd.j2
    dest: /etc/motd
    mode: "0644"
    owner: root
    group: root
  tags:
    - role::common

- name: Enable default .bashrc for root
  copy:
    src: /etc/skel/.bashrc
    dest: /root/.bashrc
    remote_src: true
    mode: "0644"
    owner: root
    group: root
  tags:
    - role::common

- name: Install EPEL Release repository & system administration tools
  package:
    name:
      - epel-release
      - htop
    state: present
  tags:
    - role::common
  when: ansible_distribution == "Rocky"

- name: Install IPA client on Debian systems
  package:
    name:
      - freeipa-client
    state: present
  tags:
    - role::common
  when: ansible_distribution == "Debian"

- name: Install system administration tools
  package:
    name:
      - tmux
      - vim
      - fortune-mod
      - cowsay
    state: present
  tags:
    - role::common

- name: Install larger system administration tools (Debian)
  apt:
    name: emacs-nox
    install_recommends: false
    state: present
  when: ansible_distribution == "Debian"
  tags:
    - role::common

- name: Install larger system administration tools (Rocky)
  package:
    name: emacs-nox
    state: present
  when: ansible_distribution == "Rocky"
  tags:
    - role::common