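---
# Base provisioning for every inventory host, followed by group-specific
# roles (monitoring, nginx, postgresql, haproxy) selected by group_names.
#
# Required extra variable (pass with -e, group_vars, or an Ansible Vault file;
# it is never embedded in this playbook):
#   admin_password  cleartext password for admin_user; hashed with SHA-512
#                   before it reaches the host.
#
# apt and unattended-upgrades tasks are limited to the Debian family; the
# user, SSH and firewall tasks run on every host.
- name: Provision Enterprise Infrastructure Nodes
  hosts: all
  become: true
  gather_facts: true

  vars:
    node_timezone: "UTC"
    admin_user: "infra-admin"
    ssh_port: 22
    packages:
      - curl
      - wget
      - vim
      - htop
      - net-tools
      - iptables
      - fail2ban
      - unattended-upgrades
    # Inbound TCP ports opened in ufw. ssh_port is listed first so the play
    # cannot lock itself out when the default-deny policy is enabled below.
    firewall_rules:
      - port: "{{ ssh_port }}"
        proto: tcp
      - port: "80"
        proto: tcp
      - port: "443"
        proto: tcp

  tasks:
    # Fail before touching any host rather than creating an account with an
    # undefined password; only the presence of the value is checked, so the
    # assertion output cannot leak it.
    - name: Require admin_password to be supplied
      assert:
        that:
          - admin_password is defined
          - admin_password | length > 0
        fail_msg: "admin_password is not set; supply it with -e or an Ansible Vault file."

    - name: Update package cache
      apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Install base packages
      apt:
        name: "{{ packages }}"
        state: present
      when: ansible_os_family == "Debian"

    # password_hash salts the hash afresh on every run, so without
    # update_password: on_create this task would report "changed" each time.
    # no_log keeps the hash out of verbose output.
    - name: Create admin user
      user:
        name: "{{ admin_user }}"
        groups: sudo
        append: true
        create_home: true
        shell: /bin/bash
        password: "{{ admin_password | password_hash('sha512') }}"
        update_password: on_create
      no_log: true

    - name: Configure timezone
      timezone:
        name: "{{ node_timezone }}"

    # Each edit is checked with `sshd -t` against the candidate file before
    # sshd_config is replaced, so a bad line cannot take the daemon down.
    # The restart is deferred to the handler, which runs after the firewall
    # tasks below, so a changed ssh_port is already allowed when sshd moves.
    - name: Harden sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - regexp: '^PermitRootLogin'
          line: 'PermitRootLogin no'
        - regexp: '^Port'
          line: "Port {{ ssh_port }}"
        - regexp: '^PasswordAuthentication'
          line: 'PasswordAuthentication no'
      notify: restart sshd

    # The ufw module takes one rule per call; allow rules go in before the
    # default-deny policy is enabled.
    - name: Allow inbound firewall ports
      ufw:
        rule: allow
        port: "{{ item.port }}"
        proto: "{{ item.proto }}"
      loop: "{{ firewall_rules }}"

    - name: Enable firewall with default deny policy
      ufw:
        state: enabled
        policy: deny

    - name: Configure fail2ban
      template:
        src: templates/jail.local.j2
        dest: /etc/fail2ban/jail.local
      notify: restart fail2ban

    # create: true covers hosts where the package has not written the
    # 20auto-upgrades snippet yet.
    - name: Enable unattended upgrades
      lineinfile:
        path: /etc/apt/apt.conf.d/20auto-upgrades
        regexp: '^APT::Periodic::Unattended-Upgrade'
        line: 'APT::Periodic::Unattended-Upgrade "1";'
        create: true
      when: ansible_os_family == "Debian"

    - name: Create application directories
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: '0755'
      loop:
        - /opt/application
        - /var/log/application
        - /etc/application

    - name: Deploy monitoring agent
      include_role:
        name: monitoring_agent
      when: "'monitoring' in group_names"

    - name: Deploy web server
      include_role:
        name: nginx
      when: "'webservers' in group_names"

    - name: Deploy database server
      include_role:
        name: postgresql
      when: "'databases' in group_names"

    - name: Deploy load balancer
      include_role:
        name: haproxy
      when: "'loadbalancers' in group_names"

    # Written on the controller under the play-level become. The file name
    # carries inventory_hostname so hosts provisioned in the same run do not
    # overwrite each other's report.
    - name: Generate provisioning report
      template:
        src: templates/provisioning_report.j2
        dest: "/var/log/provisioning_report_{{ inventory_hostname }}_{{ ansible_date_time.iso8601 }}.log"
      delegate_to: localhost

  handlers:
    # Unit name kept from the original play; on Debian the canonical unit is
    # ssh and sshd is an alias — confirm for the target distribution.
    - name: restart sshd
      service:
        name: sshd
        state: restarted

    - name: restart fail2ban
      service:
        name: fail2ban
        state: restarted

  post_tasks:
    # services_to_verify is optional; an empty list makes this a no-op.
    - name: Verify services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop: "{{ services_to_verify | default([]) }}"
      ignore_errors: true

    - name: Run health checks
      uri:
        url: http://localhost/health
        method: GET
      register: health_check
      ignore_errors: true
      when: "'webservers' in group_names"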