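---
# Debian-family host hardening task file: validates inputs, pulls in the CIS
# task file, hardens sshd, configures ufw, and removes unneeded services and
# packages.
#
# Variables are expected from the calling play/role (none are defined here):
#   cis_level, disable_root_login, secure_ssh_config, ssh_max_auth_tries,
#   ssh_client_alive_interval, ssh_client_alive_count_max, firewall_policy,
#   ssh_allowed_networks, unnecessary_services, unnecessary_packages.
# The "restart sshd" handler is expected to exist in the including play/role.

- name: Validate hardening requirements
  ansible.builtin.assert:
    that:
      - ansible_os_family == "Debian"
      - cis_level in [1, 2]
    fail_msg: "Unsupported configuration for hardening"

- name: Apply CIS hardening tasks
  ansible.builtin.include_tasks: cis_hardening.yml
  # Always true once the assert above has passed; kept so this task remains
  # guarded if the accepted levels are ever widened.
  when: cis_level >= 1

- name: Configure SSH hardening
  block:
    # One lineinfile per directive, driven by a list so that every directive
    # gets the same validate/notify treatment. `enabled` defaults to true; the
    # two optional directives carry the same feature flags as before
    # (disable_root_login, secure_ssh_config).
    # NOTE(review): on Debian releases whose sshd_config begins with
    # `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there wins over these
    # lines (sshd uses the first match for each directive) — confirm no such
    # drop-in overrides them, or manage that directory here as well.
    - name: Set sshd hardening directives
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Reject the edit (leaving the existing file untouched) if sshd cannot
        # parse the result, so a bad variable value cannot lock out remote
        # access when the handler restarts the daemon.
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - regexp: '^PermitRootLogin'
          line: 'PermitRootLogin no'
          enabled: "{{ disable_root_login }}"
        - regexp: '^PasswordAuthentication'
          line: 'PasswordAuthentication no'
          enabled: "{{ secure_ssh_config }}"
        - regexp: '^MaxAuthTries'
          line: "MaxAuthTries {{ ssh_max_auth_tries }}"
        - regexp: '^PermitEmptyPasswords'
          line: 'PermitEmptyPasswords no'
        - regexp: '^ClientAliveInterval'
          line: "ClientAliveInterval {{ ssh_client_alive_interval }}"
        - regexp: '^ClientAliveCountMax'
          line: "ClientAliveCountMax {{ ssh_client_alive_count_max }}"
      loop_control:
        label: "{{ item.line }}"
      # Evaluated per item; the templated flag is a string, hence the bool cast.
      when: item.enabled | default(true) | bool
      notify: restart sshd

- name: Configure firewall rules
  block:
    # The allow rules are added while ufw may still be disabled (ufw accepts
    # rules in that state) so that enabling a deny policy below never opens a
    # window in which new SSH connections are refused.
    - name: Allow SSH from trusted networks
      community.general.ufw:
        rule: allow
        # ssh_port is optional; the default keeps the original fixed port.
        port: "{{ ssh_port | default('22') }}"
        proto: tcp
        from: "{{ item }}"
      # An undefined or empty list simply adds no source-restricted rule.
      loop: "{{ ssh_allowed_networks | default([]) }}"

    - name: Enable firewall
      community.general.ufw:
        state: enabled
        policy: "{{ firewall_policy }}"
      when: firewall_policy is defined

- name: Disable unnecessary services
  ansible.builtin.service:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop: "{{ unnecessary_services | default([]) }}"
  register: svc_result
  # Tolerate only "service does not exist on this host"; any other failure
  # (permissions, a unit in a broken state) still fails the play instead of
  # being hidden by a blanket failed_when: false.
  failed_when:
    - svc_result is failed
    - "'Could not find the requested service' not in (svc_result.msg | default(''))"

- name: Remove unnecessary packages
  ansible.builtin.apt:
    name: "{{ item }}"
    state: absent
    purge: true
  loop: "{{ unnecessary_packages | default([]) }}"
  # No failed_when override: apt's state=absent treats a package that is not
  # in the cache as already removed, so suppressing failures here only hid
  # genuine removal errors (held locks, dependency conflicts).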