- name: Update hostname to match Ansible inventory
  hostname:
    name: "{{ inventory_hostname }}"
  tags:
    - role::common

- name: Update /etc/hosts to match Ansible inventory
  template:
    src: etc-hosts.j2
    dest: /etc/hosts
    mode: '0644'
    owner: root
    group: root
  tags:
    - role::common

- name: Configure SSH daemon options
  ansible.builtin.copy:
    content: |
      # Ansible managed

      # Logins
      PasswordAuthentication no
      PermitRootLogin no

      # Forwarding
      AllowAgentForwarding no
      X11Forwarding no

      # Connection keepalive
      ClientAliveInterval 300
      ClientAliveCountMax 3
    dest: /etc/ssh/sshd_config.d/hardening.conf
    owner: root
    group: root
    mode: "0444"
  notify:
    - Reload ssh
  tags:
    - role::common

- name: Configure default security limits
  ansible.builtin.copy:
    content: |
      # Ansible managed

      # <domain>  <type>  <item>  <value>
      *           soft    nproc   100
      *           hard    nproc   200
    dest: /etc/security/limits.d/pydis.conf
    owner: root
    group: root
    mode: "0444"
  tags:
    - role::common

- name: Set timezone to UTC
  file:
    src: /usr/share/zoneinfo/Etc/UTC
    dest: /etc/localtime
    mode: '0644'
    owner: root
    group: root
  notify:
    - Restart systemd-timesyncd
  tags:
    - role::common

- name: Create sudoers lecture
  template:
    src: sudo_lecture.j2
    dest: /etc/sudo_lecture
    mode: '0644'
    owner: root
    group: root
  tags:
    - role::common

- name: Configure sudo
  template:
    src: sudoers.j2
    dest: /etc/sudoers.d/pydis
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s
  tags:
    - role::common

- name: Configure MOTD
  template:
    src: motd.j2
    dest: /etc/motd
    mode: '0644'
    owner: root
    group: root
  tags:
    - role::common

- name: Enable default .bashrc for root
  copy:
    src: /etc/skel/.bashrc
    dest: /root/.bashrc
    remote_src: true
    mode: '0644'
    owner: root
    group: root
  tags:
    - role::common