---
- name: Remove legacy network packages
  ansible.builtin.apt:
    name: "{{ cis_legacy_packages }}"
    state: absent
    purge: false
  when: cis_remove_legacy_packages | bool

- name: Build enabled hardening package list
  ansible.builtin.set_fact:
    cis_enabled_hardening_packages: >-
      {{
        ['sudo']
        + (['chrony'] if cis_enable_chrony | bool else [])
        + (['rsyslog'] if cis_enable_rsyslog | bool else [])
      }}

- name: Install baseline hardening packages
  ansible.builtin.apt:
    name: "{{ cis_enabled_hardening_packages }}"
    state: present
    update_cache: true
    cache_valid_time: 3600

- name: Install auditd when enabled
  ansible.builtin.apt:
    name: auditd
    state: present
    update_cache: true
    cache_valid_time: 3600
  when: cis_install_auditd | bool

- name: Install audispd plugins when available
  ansible.builtin.apt:
    name: audispd-plugins
    state: present
    update_cache: true
    cache_valid_time: 3600
  register: cis_audispd_plugins_install
  failed_when: false
  when: cis_install_auditd | bool

- name: Report audispd plugins availability
  ansible.builtin.debug:
    msg: "WARNING: audispd-plugins was not installed; package may be unavailable for this release."
  when:
    - cis_install_auditd | bool
    - cis_audispd_plugins_install is failed