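---
# Baseline host configuration: release-specific includes, package set, shell
# niceties, Grub, cron mail, SSH hardening and a default-deny INPUT firewall.
# The handlers referenced by `notify` (update grub, reload sshd, persist
# iptables) are defined outside this file.

# Opt-in only (`never` tag) and skipped once the host is already on bookworm.
- tags: [debian-upgrade, never]
  import_tasks: debian-upgrade.yaml
  when: ansible_facts['distribution_release'] != "bookworm"

- tags: debian_backports
  import_tasks: debian-backports.yaml

- tags: unattended_updates
  import_tasks: unattended-updates.yaml

- tags: apt-minimal
  import_tasks: apt-minimal.yaml

- tags: network
  import_tasks: network.yaml

- tags: node-exporter
  import_tasks: node-exporter.yaml

# Vim is replaced by neovim (installed below).
- name: Remove Vim
  apt:
    name: vim
    state: absent
    autoremove: true

# iptables / iptables-persistent are required by the firewall tasks and the
# `persist iptables` handler; fzf is required by the bashrc tasks.
- name: Install utilities
  apt:
    name:
      - curl
      - fzf
      - git
      - htop
      - iptables
      - iptables-persistent
      - jq
      - net-tools
      - netcat-openbsd
      - ripgrep
      - rsync
      - tree
      - neovim
    state: present

# Both netcat flavours provide nc; keep only netcat-openbsd (installed above).
# `state: absent` is essential: the apt module defaults to `present`, so
# without it this task would install the package it is named to remove.
- name: Remove netcat-traditional
  apt:
    name: netcat-traditional
    state: absent

# `regexp` matches an existing (possibly differently commented) line so the
# task replaces it instead of appending a duplicate on every run.
- name: Configure FZF for Bash
  lineinfile:
    path: /etc/bash.bashrc
    insertafter: EOF
    regexp: "^source /usr/share/doc/fzf/examples/key-bindings.bash"
    line: "source /usr/share/doc/fzf/examples/key-bindings.bash # Managed by Ansible"

# Removes the completion line; `insertafter` has no effect with
# `state: absent`, so it is omitted here.
- name: Configure FZF for Bash (Bookworm)
  lineinfile:
    path: /etc/bash.bashrc
    regexp: "^source /usr/share/doc/fzf/examples/completion.bash"
    state: absent

- name: Shorten Grub timeout
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_TIMEOUT='
    line: "GRUB_TIMEOUT=1 # Managed by Ansible"
  notify: update grub

# `regexp` keeps this idempotent when notify_email changes: without it
# lineinfile only matches the exact rendered line and would append a second
# MAILTO= entry instead of replacing the old one.
- name: Configure cron email
  lineinfile:
    path: /etc/crontab
    regexp: '^MAILTO='
    insertafter: '^PATH'
    line: 'MAILTO={{ notify_email }}'

# `validate` runs sshd's config check on the candidate file before it
# replaces sshd_config, so a broken edit fails the task here rather than
# taking sshd down on the later `reload sshd`.
# NOTE(review): Debian's sshd_config starts with an Include of
# /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it sees, so a
# drop-in there could still override these two settings — confirm on target.
- name: Turn off SSH password auth
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: /usr/sbin/sshd -t -f %s
  notify: reload sshd

# sshd only switches to the new port when the handler reloads it at the end
# of the play, i.e. after the "Allow SSH" rule below already accepts it.
- name: Configure SSH port
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Port'
    line: 'Port {{ ssh_port }}'
    validate: /usr/sbin/sshd -t -f %s
  notify: reload sshd

# Firewall: accept rules are appended first and the DROP policy is set last,
# so the chain is never in a state where SSH is unreachable. Each rule is
# added for both address families.

# Local services (resolver, exporters, anything bound to localhost) talk
# over lo; with an INPUT policy of DROP they would otherwise be cut off
# unless trusted_ranges happens to cover 127.0.0.0/8 and ::1.
- name: Allow loopback
  iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

- name: Allow SSH
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ ssh_port }}"
    ctstate: NEW
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

# ICMPv6 must stay open: neighbour discovery and path-MTU discovery depend
# on it.
- name: Allow ICMP
  iptables:
    chain: INPUT
    protocol: "{{ item.proto }}"
    jump: ACCEPT
    ip_version: "{{ item.ip }}"
  with_items:
    - { ip: ipv4, proto: icmp }
    - { ip: ipv6, proto: ipv6-icmp }
  notify: persist iptables

# Also keeps the Ansible SSH session that is applying these rules alive
# once the policy flips to DROP.
- name: Allow related and established connections
  iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

# trusted_ranges is expected to be a list of {cidr: ..., v: ipv4|ipv6}
# mappings (inferred from the keys used here — defined outside this file).
- name: Allow local connections
  iptables:
    chain: INPUT
    source: "{{ item.cidr }}"
    jump: ACCEPT
    ip_version: "{{ item.v }}"
  with_items: "{{ trusted_ranges }}"
  notify: persist iptables

# Default deny for everything not accepted above. This sets the chain policy
# rather than adding a rule, so it does not depend on rule order.
- name: Deny inbound connections
  iptables:
    chain: INPUT
    policy: DROP
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables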