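---
# Bootstrap playbook for freshly provisioned Debian/Ubuntu hosts in the
# "new" inventory group: patch the system, create two admin users with
# SSH keys, restrict root SSH login, and bring up a default-deny firewall.
- hosts: new
  vars:
    # Disables SSH host-key verification for the control node's connection.
    # This avoids the "host not trusted" error on first contact, but it also
    # removes the only protection against a man-in-the-middle on the
    # management path; prefer seeding known_hosts and dropping this override.
    ansible_host_key_checking: false
  become: true
  become_user: root

  tasks:
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600

    - name: Upgrade all packages on servers
      ansible.builtin.apt:
        upgrade: dist
        force_apt_get: true

    - name: Check if a reboot is needed on all servers
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: false  # only existence matters; skip hashing the file
      register: reboot_required_file

    - name: Reboot the box if kernel updated
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists

    - name: Add the user 'joachim' with a specific uid and a primary group of 'sudo'
      ansible.builtin.user:
        name: joachim
        shell: /bin/bash
        comment: Joachim Hummel
        create_home: true
        uid: 1000
        group: sudo

    - name: Add the user 'sysadmin42' with a specific uid and a primary group of 'sudo'
      ansible.builtin.user:
        name: sysadmin42
        shell: /bin/bash
        comment: Ansible Sysadmin42
        create_home: true
        uid: 1010
        group: sudo

    # The url lookups run on the control node at play time; the public keys
    # are fetched over HTTPS. Certificate validation is the lookup's default
    # and must stay on, otherwise an interposed server could supply its own key.
    - name: Set authorized key for remote user joachim
      ansible.posix.authorized_key:
        user: joachim
        state: present
        key: "{{ lookup('url', 'https://git.homeabc.de/jhummel/ansible-semaphore/raw/branch/master/keys/id_rsa.joachim', split_lines=False) }}"

    - name: Set authorized key for remote user sysadmin42
      ansible.posix.authorized_key:
        user: sysadmin42
        state: present
        key: "{{ lookup('url', 'https://git.homeabc.de/jhummel/ansible-semaphore/raw/branch/master/keys/id_rsa.semphore', split_lines=False) }}"

    - name: Disable password authentication for root
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        # Reject the edit if sshd cannot parse the result, so a typo cannot
        # lock everyone out at the next restart.
        validate: '/usr/sbin/sshd -t -f %s'
      # The directive only takes effect once sshd re-reads its configuration.
      notify: Restart ssh

    - name: Update apt and install required system packages
      ansible.builtin.apt:
        pkg:
          - curl
          - vim
          - git
          - ufw
          - fail2ban
          - apache2
        state: present  # the dist-upgrade above already brought packages current
        update_cache: true

    # Allow rules are applied before the firewall is enabled so that the
    # current SSH session is not cut off when default-deny takes effect.
    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Allow HTTP connections
      community.general.ufw:
        rule: allow
        port: 80
        proto: tcp

    - name: UFW - Allow HTTPS connections
      community.general.ufw:
        rule: allow
        port: 443
        proto: tcp

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

  handlers:
    # Debian/Ubuntu name the OpenSSH server unit "ssh".
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted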