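---
# Host bootstrap tasks: hostname, time sync, Docker, SSH config, UFW, fail2ban.
# NOTE(review): every task writes root-owned paths but only one sets
# `become: true` — presumably the play or inventory enables become; confirm.

# set hostname
- name: Set a hostname specifying strategy
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
    use: systemd

# docker
- name: install dependencies
  ansible.builtin.apt:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - sudo
      - systemd-timesyncd
    state: latest
    update_cache: true

- name: Update and upgrade apt packages
  become: true
  ansible.builtin.apt:
    # "safe" is what the module performs for the boolean-looking "yes";
    # spelled out so the YAML loader cannot turn it into a boolean.
    upgrade: safe
    update_cache: true
    cache_valid_time: 86400  # one day, in seconds

- name: enable systemd-timesyncd
  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    state: restarted
    enabled: true
    daemon_reload: true

- name: purge ntp
  ansible.builtin.apt:
    name:
      - ntp
    state: absent

- name: docker GPG key
  # The key is fetched over HTTPS but not pinned; adding `id:` with the
  # publisher's key fingerprint makes a substituted key fail the task.
  ansible.builtin.apt_key:
    url: https://download.docker.com/linux/debian/gpg
    state: present

- name: repository docker
  ansible.builtin.apt_repository:
    # quoted: a templated value is text until the loader has parsed it
    repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present

- name: install docker
  ansible.builtin.apt:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
    # state: latest upgrades the engine on every run; pin versions here if
    # reproducible hosts matter more than tracking upstream.
    state: latest
    update_cache: true

- name: enable docker
  ansible.builtin.systemd_service:
    name: docker
    state: restarted
    enabled: true
    daemon_reload: true

- name: copy docker-compose@.service
  ansible.builtin.copy:
    src: ../files/docker-compose@.service
    dest: /etc/systemd/system/docker-compose@.service
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: ensure /etc/docker/compose exist
  ansible.builtin.file:
    path: /etc/docker/compose
    state: directory
    owner: root
    group: root
    mode: "0700"  # quoted: an unquoted 0700 is loaded as the integer 448

# SSH
- name: Copy sshd_config
  ansible.builtin.copy:
    src: ../files/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: u=rw,g=r,o=r
    # Syntax-check the new file before it replaces the live config, so a
    # bad directive cannot take sshd down on the restart below.
    validate: /usr/sbin/sshd -t -f %s

- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
    enabled: true

# FIREWALL
- name: install UFW
  ansible.builtin.apt:
    name: ufw
    state: latest

- name: allow ssh from everywhere and enable
  community.general.ufw:
    rule: allow
    name: OpenSSH
    state: enabled

- name: restart ufw
  ansible.builtin.service:
    name: ufw
    state: restarted
    enabled: true

# FAIL2BAN
- name: install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: latest

- name: Copy jail.conf
  # jail.conf is the package-owned file and is replaced on upgrade; fail2ban
  # reads jail.local and jail.d/ as overrides — consider installing there.
  ansible.builtin.copy:
    src: ../files/jail.conf
    dest: /etc/fail2ban/jail.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
    enabled: true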