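---
# Baseline hardening play for Debian-family hosts.
#
# Variables this play reads (supply via vars/vault.yml, group_vars or -e):
#   cis_level          - 1 or 2; passed through to the hardening role
#   disable_root_login - bool; consumed by the hardening role (only displayed here)
#   auditd_enabled     - bool; install and configure auditd when true
#   apparmor_enabled   - bool; install and enable AppArmor when true
#   inactive_users     - optional list of account names whose password is locked
- name: Harden Enterprise Infrastructure Nodes
  hosts: all
  become: true
  gather_facts: true  # ansible_os_family and ansible_date_time are used below
  vars_files:
    - vars/vault.yml

  pre_tasks:
    # Fail early with one clear message instead of a templating error later
    # when a toggle is undefined; cis_level is cast so "1" from -e still passes.
    - name: Validate hardening prerequisites
      ansible.builtin.assert:
        that:
          - ansible_os_family == "Debian"
          - cis_level is defined
          - cis_level | int in [1, 2]
          - disable_root_login is defined
          - auditd_enabled is defined
          - apparmor_enabled is defined
        fail_msg: "Invalid hardening configuration"

    - name: Display hardening information
      ansible.builtin.debug:
        msg: |
          Hardening {{ inventory_hostname }}
          CIS Level: {{ cis_level }}
          Disable Root Login: {{ disable_root_login }}

  roles:
    - role: hardening
      tags:
        - hardening
        - security

  post_tasks:
    - name: Display hardening summary
      ansible.builtin.debug:
        msg: |
          Hardening completed successfully!
          Host: {{ inventory_hostname }}

    - name: Configure auditd
      when: auditd_enabled
      block:
        - name: Install auditd
          ansible.builtin.apt:
            name: auditd
            state: present

        # Rule files under rules.d are read by augenrules at (re)start, so the
        # handler is needed for a changed template to take effect.
        - name: Configure audit rules
          ansible.builtin.template:
            src: templates/audit.rules.j2
            dest: /etc/audit/rules.d/hardening.rules
            owner: root
            group: root
            mode: '0640'
          notify: restart auditd

        - name: Enable auditd service
          ansible.builtin.service:
            name: auditd
            state: started
            enabled: true

    - name: Configure AppArmor
      when: apparmor_enabled
      block:
        - name: Install apparmor
          ansible.builtin.apt:
            name: apparmor
            state: present

        - name: Enable apparmor service
          ansible.builtin.service:
            name: apparmor
            state: started
            enabled: true

    - name: Configure sysctl hardening
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { key: 'net.ipv4.ip_forward', value: '0' }
        - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
        - { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
        - { key: 'net.ipv4.tcp_syncookies', value: '1' }
        - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }

    # passwd/group are world-readable by design; shadow/gshadow hold password
    # hashes and must not be. Debian ships them as root:shadow 0640.
    - name: Set secure file permissions
      ansible.builtin.file:
        path: "{{ item.path }}"
        mode: "{{ item.mode }}"
        owner: root
        group: "{{ item.group }}"
      loop:
        - { path: /etc/passwd, mode: '0644', group: root }
        - { path: /etc/group, mode: '0644', group: root }
        - { path: /etc/shadow, mode: '0640', group: shadow }
        - { path: /etc/gshadow, mode: '0640', group: shadow }

    # Only lock accounts that already exist: the user module would otherwise
    # create a missing account, which usermod -L never did.
    - name: Read local account database
      ansible.builtin.getent:
        database: passwd
      when: inactive_users | default([]) | length > 0

    - name: Lock inactive user accounts
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
      loop: "{{ inactive_users | default([]) }}"
      when: item in ansible_facts.getent_passwd

    # This sets a process resource limit, not a password policy; the name
    # reflects what it actually does.
    - name: Configure resource limits (nofile hard limit)
      community.general.pam_limits:
        domain: '*'
        limit_type: hard
        limit_item: nofile
        value: 1024

    # The report describes the host's security configuration, so keep it
    # readable by root and the log group only.
    - name: Generate hardening report
      ansible.builtin.template:
        src: templates/hardening_report.j2
        dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
        mode: '0640'

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted

    - name: restart auditd
      ansible.builtin.service:
        name: auditd
        state: restarted
      when: auditd_enabled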