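#################################################
# DO Community Playbooks: Initial Server Setup
#################################################
#
# Purpose: bootstrap a fresh host — create a user with an SSH key, move sshd
# to `ssh_port`, open that port in UFW, install a few packages and set the
# timezone. Variables (create_user, copy_local_key, ssh_port, tmzone) are
# expected from vars/default.yml; nothing here provides defaults for them.
---
- hosts: all
  become: true
  vars_files:
    - vars/default.yml

  tasks:
    # - name: Install Prerequisites
    #   apt: name=aptitude update_cache=yes state=latest force_apt_get=yes

    # Sudo Group Setup
    # NOTE(review): despite the task name, the group created here is named after
    # `create_user`, not "wheel", and the sudoers rule for %wheel below is
    # commented out — so nothing in this play actually grants sudo. Confirm
    # whether that is intended before relying on the "sudo privileges" task name.
    - name: Make sure we have a 'wheel' group
      group:
        name: "{{ create_user }}"
        state: present

    # - name: Allow 'wheel' group to have passwordless sudo
    #   lineinfile:
    #     path: /etc/sudoers
    #     state: present
    #     regexp: '^%wheel'
    #     line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    #     validate: '/usr/sbin/visudo -cf %s'

    # User + Key Setup
    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ create_user }}"
        state: present
        # Only the user's own group is assigned; see the note above.
        groups: "{{ create_user }}"
        append: true
        create_home: true
        shell: /bin/bash

    - name: Set authorized key for remote user
      authorized_key:
        user: "{{ create_user }}"
        state: present
        # copy_local_key is assumed to hold the public key text — TODO confirm in vars/default.yml
        key: "{{ copy_local_key }}"

    # - name: Disable password authentication for root
    #   lineinfile:
    #     path: /etc/ssh/sshd_config
    #     state: present
    #     regexp: '^#?PermitRootLogin'
    #     line: 'PermitRootLogin prohibit-password'

    # Install Packages
    - name: Update apt
      apt:
        update_cache: true

    # - name: Install required system packages
    #   apt: name={{ sys_packages }} state=latest

    # - name: Upgrade installed apt packages
    #   apt:
    #     upgrade: dist
    #   register: upgrade
    #   retries: 15
    #   delay: 5
    #   until: upgrade is success

    - name: Ensure that these software packages are installed
      apt:
        pkg:
          - build-essential
          # - fail2ban
          # - needrestart
          # - pwgen
          # - resolvconf
          # - unbound
          - unzip
        # `latest` pulls whatever the mirror currently serves, so two runs can
        # install different versions; pin versions if reproducibility matters.
        state: latest

    - name: Set ssh '{{ ssh_port }}' port number
      lineinfile:
        dest: /etc/ssh/sshd_config
        # Anchored so only the (possibly commented-out) top-level `Port` directive
        # is rewritten, not any other line that happens to contain "Port ".
        regexp: '^#?Port '
        line: 'Port {{ ssh_port }}'
        state: present
      notify:
        - restart sshd

    - name: Allow ssh port '{{ ssh_port }}'.
      ufw:
        rule: allow
        proto: tcp
        port: '{{ ssh_port }}'
        state: enabled

    - name: set timezone
      timezone:
        name: "{{ tmzone }}"

    # UFW Setup
    # NOTE(review): the OpenSSH application profile opens port 22 regardless of
    # `ssh_port`, so after the port change both ports stay reachable.
    - name: UFW - Allow SSH connections
      ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Deny all other incoming traffic by default
      ufw:
        state: enabled
        policy: deny
        direction: incoming

  handlers:
    # The original handler listed both `service:` and `debug:` under one task;
    # Ansible rejects a task with two action modules, so only the restart is kept.
    - name: restart sshd
      service:
        # Unit name left as on the page; some Debian-based hosts expose it as
        # `ssh` instead — verify against the target.
        name: sshd
        state: restarted
      # when: reboot_required.stat.exists == false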