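---
# Baseline hardening for a Debian/Ubuntu host: SSH lockdown, UFW default-deny
# with SSH kept reachable, and unattended security updates.
# Assumes the enclosing play runs with root privileges (become) and defines a
# handler named "restart sshd" — neither is part of this task list.

- name: Security-Pakete
  ansible.builtin.apt:
    name:
      - ufw
      - unattended-upgrades
      - apt-listchanges
    state: present

# Key-based authentication must already be in place for the admin user before
# this task runs; otherwise the next restart of sshd locks remote access out.
# `validate` runs against the temporary copy (%s) before it replaces the live
# file, so a syntactically broken config never reaches sshd.
- name: SSH — Passwort-Login deaktivieren
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    validate: 'sshd -t -f %s'
  notify: restart sshd

# NOTE(review): sshd keeps the first value it reads for an option. If
# /etc/ssh/sshd_config begins with an `Include` of a drop-in directory, a
# drop-in there can pre-empt both lineinfile edits above and here; confirm the
# effective values on the host with `sshd -T`.
- name: SSH — Root-Login deaktivieren
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitRootLogin\s'
    line: 'PermitRootLogin no'
    validate: 'sshd -t -f %s'
  notify: restart sshd

# Read the firewall state once so the tasks below can be skipped when nothing
# needs to change. `ufw default …` and `ufw enable` print the same confirmation
# whether or not anything changed, so their stdout cannot decide "changed" —
# matching on it reports a change on every run.
- name: UFW — Status abfragen
  ansible.builtin.command: ufw status verbose
  register: ufw_status
  changed_when: false
  check_mode: false

# `ufw status verbose` shows "Default: deny (incoming), …" only while the
# firewall is active; on an inactive firewall the line is absent and the
# policy is simply (re)applied, which is harmless.
- name: UFW Default Policy (incoming deny)
  ansible.builtin.command: ufw default deny incoming
  when: "'Default: deny (incoming)' not in ufw_status.stdout"

# Must run before "UFW aktivieren": enabling a default-deny firewall without
# this rule drops the SSH session Ansible itself is using. On re-runs ufw
# reports "Skipping adding existing rule", so changed_when stays accurate.
- name: UFW — SSH erlauben
  ansible.builtin.command: ufw allow OpenSSH
  register: ufw_allow
  changed_when: "'Rule added' in ufw_allow.stdout or 'Rules updated' in ufw_allow.stdout"

# --force skips ufw's interactive "may disrupt existing ssh connections"
# prompt; the allow rule above is what actually keeps the session alive.
- name: UFW aktivieren
  ansible.builtin.command: ufw --force enable
  when: "'Status: active' not in ufw_status.stdout"

# Enables the periodic apt jobs only. Which origins get upgraded (security
# updates by default on Debian/Ubuntu) is governed by the distribution's
# 50unattended-upgrades file, which this task list does not touch.
- name: unattended-upgrades konfigurieren
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";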