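---
# SSH hardening tasks: install/enable sshd, fence the SSH port with UFW
# (allow rules are added BEFORE the firewall is enabled so a remote run
# cannot lock itself out), keep an out-of-HOME copy of authorized_keys,
# install a banner, template a validated sshd_config, and start fail2ban.
#
# Variables consumed (defined in vars/<os_family>.yml or role defaults):
#   ssh_package_name, ssh_service_name, ssh_port, ssh_allowed_network,
#   ssh_allowed_vpn_network, ssh_users (space-separated), sshd_banner,
#   sshd_config, sshd_binary, ssh_authorized_keys_fallback_enabled,
#   ssh_authorized_keys_fallback_dir
# Handlers expected elsewhere in the role: "Restart SSH service".

- name: Load OS-specific variables
  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "vars/{{ ansible_facts['os_family'] }}.yml"
    - "vars/debian.yml"

- name: Install OpenSSH
  ansible.builtin.package:
    name: "{{ ssh_package_name }}"
    state: present

- name: Install UFW
  ansible.builtin.package:
    name: ufw
    state: present

- name: Enable SSH
  ansible.builtin.service:
    name: "{{ ssh_service_name }}"
    enabled: true

# Only the two trusted source networks may reach the SSH port; everything
# else falls under UFW's default deny-incoming once it is enabled below.
- name: Allow local network incoming connection
  community.general.ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp
    from: "{{ ssh_allowed_network }}"
    direction: in
    comment: "SSH from local network"

- name: Allow SSH VPN incoming connection
  community.general.ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp
    from: "{{ ssh_allowed_vpn_network }}"
    direction: in
    comment: "SSH from VPN network"

# TODO
# - name: Add SSH public key to authorized_keys
#   authorized_key:
#     user: "{{ item }}"
#     state: present
#     key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
#     comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
#   loop: "{{ ssh_users.split() }}"

# Keeps a copy of each user's authorized_keys outside /home so logins still
# work when the home filesystem is not mounted at boot. Presumably the
# fallback dir is referenced by AuthorizedKeysFile in sshd_config.j2 — confirm.
- name: Authorized keys fallback (when home cannot be mounted)
  when: ssh_authorized_keys_fallback_enabled
  block:
    # root-owned and not group/world-writable, as sshd requires for any
    # directory on an AuthorizedKeysFile path when StrictModes is on.
    - name: Create the directory
      ansible.builtin.file:
        path: "{{ ssh_authorized_keys_fallback_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0755"

    # copy with remote_src replaces the former `command: cp ...` +
    # `changed_when: false` + separate chown task: it is idempotent, reports
    # real changes instead of hiding them, and writes the file with the final
    # owner/mode in one step so it is never briefly created with umask perms.
    - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
      ansible.builtin.copy:
        src: "/home/{{ item }}/.ssh/authorized_keys"
        dest: "{{ ssh_authorized_keys_fallback_dir }}/{{ item }}"
        remote_src: true
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: "0600"
      loop: "{{ ssh_users.split() }}"

- name: Create an SSH banner
  ansible.builtin.template:
    src: templates/sshd_banner.j2
    dest: "{{ sshd_banner }}"
    owner: root
    group: root
    mode: "0644"

- name: Remove motd on Debian
  ansible.builtin.file:
    path: /etc/motd
    state: absent
  when: ansible_facts['os_family'] == 'Debian'

# `validate` runs `sshd -t` against the rendered file before it replaces the
# live config, so a template error cannot leave sshd unable to restart.
- name: Hardening sshd_config
  ansible.builtin.template:
    src: templates/sshd_config.j2
    dest: "{{ sshd_config }}"
    owner: root
    group: root
    mode: "0600"
    validate: "{{ sshd_binary }} -t -f %s"
  notify: Restart SSH service

# Enabled only after the SSH allow rules above exist.
- name: Enable UFW
  community.general.ufw:
    state: enabled

- name: Enable UFW service at startup
  ansible.builtin.systemd:
    name: ufw
    enabled: true
    state: started

# NOTE(review): nothing in this file installs fail2ban; confirm another
# tasks file or role does, otherwise this task fails on a fresh host.
- name: Start and enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true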