---
- name: Run platform safety prechecks
  ansible.builtin.import_tasks: precheck.yml
  tags:
    - always
    - precheck

- name: Manage packages
  ansible.builtin.import_tasks: packages.yml
  tags:
    - packages

- name: Harden SSH daemon configuration
  ansible.builtin.import_tasks: ssh.yml
  tags:
    - ssh

- name: Apply kernel network hardening
  ansible.builtin.import_tasks: sysctl.yml
  when: cis_enable_sysctl_hardening | bool
  tags:
    - sysctl

- name: Manage baseline services
  ansible.builtin.import_tasks: services.yml
  tags:
    - services

- name: Configure Linux audit controls
  ansible.builtin.import_tasks: audit.yml
  when: cis_install_auditd | bool
  tags:
    - audit

- name: Configure sudo controls
  ansible.builtin.import_tasks: sudo.yml
  tags:
    - sudo

- name: Configure logging controls
  ansible.builtin.import_tasks: logging.yml
  tags:
    - logging

- name: Review filesystem mount options
  ansible.builtin.import_tasks: filesystem.yml
  tags:
    - filesystem

- name: Run validation postchecks
  ansible.builtin.import_tasks: postcheck.yml
  tags:
    - always
    - postcheck