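---
# Bootstrap play for a fresh Ubuntu host: admin account with key-only SSH,
# a base package set, UFW with a default-deny inbound policy, and fail2ban.
#
# Required variables (defined outside this file): timezone, admin_user,
# admin_shell, admin_ssh_key.
- name: Bootstrap Ubuntu server
  hosts: all
  become: true

  pre_tasks:
    - name: Ensure apt cache is up to date
      apt:
        update_cache: true
        cache_valid_time: 3600

  # Ansible runs roles after pre_tasks and before tasks, wherever the key
  # sits in the file, so docker is installed before the hardening below.
  # NOTE(review): Docker manages its own iptables chains, so ports published
  # by containers are generally not filtered by the UFW policy set here;
  # confirm how the docker role handles this.
  roles:
    - role: docker

  tasks:
    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    # NOTE(review): no password or sudoers entry is set for this account in
    # this play; confirm how it is expected to authenticate to sudo.
    - name: Create admin user
      user:
        name: "{{ admin_user }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true

    # The key is installed before root and password logins are disabled, so
    # the admin account is reachable when the SSH handler finally runs.
    - name: Authorize SSH key for admin user
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"

    # The pattern also matches the commented-out stock line, so the directive
    # is replaced in place instead of being appended at the end of the file.
    # `validate` checks the candidate file with sshd before it is written,
    # so a syntax error cannot take the daemon down on restart.
    # NOTE(review): sshd keeps the first value it reads for a keyword; if this
    # file includes /etc/ssh/sshd_config.d/*.conf, a drop-in there can
    # override these lines. Check the effective values with `sshd -T`.
    - name: Disable root SSH login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart ssh

    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart ssh

    - name: Install base packages
      apt:
        name:
          - ca-certificates
          - curl
          - git
          - tmux
          - neovim
          - ripgrep
          - fd-find
          - zsh
          - ufw
          - fail2ban
          - rclone
          - bat
          - lsb-release
          - rsync
        state: present

    # The SSH rule is added before the firewall is switched on, so the
    # default-deny policy never applies without an allow rule for the
    # management connection.
    - name: Allow SSH
      ufw:
        rule: allow
        port: '22'
        proto: tcp

    - name: Enable UFW
      ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Enable fail2ban
      systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted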