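---
# Host hardening tasks: SSH lockdown, UFW rules for a k3s node, and
# unattended security updates. The `restart sshd` handler and privilege
# escalation are not defined here; they are expected from the including play.

- name: Ensure SSH password authentication is disabled
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    # Refuse to write a config sshd cannot parse, so the restart handler
    # never leaves the host unreachable.
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart sshd

- name: Disable root SSH login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart sshd
  # NOTE(review): if sshd_config carries an `Include` of a drop-in directory,
  # a drop-in file may still override these two directives — confirm on target.

- name: Install and configure UFW
  ansible.builtin.apt:
    name: ufw
    state: present

- name: Set UFW default deny incoming
  community.general.ufw:
    direction: incoming
    default: deny

- name: Set UFW default allow outgoing
  community.general.ufw:
    direction: outgoing
    default: allow

# Allow rules are added before UFW is enabled so SSH is never cut off.
- name: Allow SSH
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp

- name: Allow k3s API server (servers only)
  community.general.ufw:
    rule: allow
    port: "6443"
    proto: tcp
  when: k3s_role == 'server'

# NOTE(review): the two rules below accept traffic from any source; if the
# node subnet is known, restricting them with `from_ip` would narrow exposure.
- name: Allow k3s flannel VXLAN
  community.general.ufw:
    rule: allow
    port: "8472"
    proto: udp

- name: Allow kubelet metrics
  community.general.ufw:
    rule: allow
    port: "10250"
    proto: tcp

- name: Allow HTTP/HTTPS (for Traefik ingress)
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"

- name: Enable UFW
  community.general.ufw:
    state: enabled

- name: Configure automatic security updates
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present

- name: Enable automatic security updates
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";
    mode: "0644"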