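---
# Host-hardening tasks for an RHEL-family host (dnf, firewalld, SELinux).
# The handlers referenced below (Restart sshd, Restart fail2ban,
# Restart journald) and the jail.local.j2 template live outside this file.

# SELinux is the host's mandatory-access-control layer; a hardening play must
# keep it enforcing. The previous revision of these tasks disabled it, which
# undoes most of what the rest of this file achieves. A workload that really
# cannot run under the targeted policy needs a scoped exception (a custom
# policy module for that service), not a host-wide switch-off.
- name: Ensure SELinux is enforcing with the targeted policy
  ansible.posix.selinux:
    state: enforcing
    policy: targeted
  register: selinux_status

# Files written while SELinux was disabled carry no labels; without a relabel
# the host may not come up cleanly in enforcing mode. /.autorelabel makes the
# next boot relabel the filesystem. `reboot_required` is the module's own
# signal for the disabled<->enabled transition; fall back to `changed` if the
# installed module version does not return it.
- name: Schedule a filesystem relabel when the SELinux state changed
  ansible.builtin.file:
    path: /.autorelabel
    state: touch
    mode: "0644"
    modification_time: preserve
    access_time: preserve
  when: selinux_status.reboot_required | default(selinux_status.changed)

- name: Reboot if SELinux changed
  ansible.builtin.reboot:
  when: selinux_status.reboot_required | default(selinux_status.changed)

# sshd uses the FIRST value it sees for an option. On distributions that ship
# "Include /etc/ssh/sshd_config.d/*.conf" near the top of sshd_config, a
# drop-in file wins over the lines managed here -- check those files on the
# target before trusting this task to have taken effect.
- name: Configure SSH hardening
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Never write a config sshd cannot parse: a typo here is a lock-out on
    # the next restart.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
    # PasswordAuthentication=no alone still leaves the keyboard-interactive
    # (PAM) password prompt open; close that path as well.
    - { regexp: "^KbdInteractiveAuthentication", line: "KbdInteractiveAuthentication no" }
    - { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
    - { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
    - { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
  notify: Restart sshd

- name: Install dnf-automatic
  ansible.builtin.dnf:
    name: dnf-automatic
    state: present

# dnf-automatic ships with "apply_updates = no", in which case the timer only
# downloads packages and nothing is ever patched. The key lives in the
# [commands] section of automatic.conf; insertafter keeps it there if the
# default line is ever absent.
- name: Make dnf-automatic apply updates rather than only download them
  ansible.builtin.lineinfile:
    path: /etc/dnf/automatic.conf
    regexp: '^#?\s*apply_updates\s*='
    line: "apply_updates = yes"
    insertafter: '^\[commands\]'
    state: present

- name: Enable dnf-automatic timer
  ansible.builtin.systemd:
    name: dnf-automatic.timer
    state: started
    enabled: true

# NOTE(review): nothing in this file installs fail2ban; the template assumes
# the package and /etc/fail2ban already exist on the host.
- name: Configure fail2ban jail
  ansible.builtin.template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
  notify: Restart fail2ban

- name: Ensure firewalld is running
  ansible.builtin.service:
    name: firewalld
    state: started
    enabled: true

# admin_allowed_cidrs may arrive as a list or as a whitespace-separated
# string; normalise once so the tasks below do not care which.
- name: Normalise the admin CIDR allow-list
  ansible.builtin.set_fact:
    _admin_cidr_list: >-
      {{ admin_allowed_cidrs if admin_allowed_cidrs is not string
         else admin_allowed_cidrs.split() }}

# Once the default zone is "drop", an empty allow-list means nobody -- the
# controller running this play included -- can reach sshd afterwards.
- name: Refuse to lock every administrator out
  ansible.builtin.assert:
    that:
      - _admin_cidr_list | length > 0
    fail_msg: "admin_allowed_cidrs must contain at least one CIDR before the default zone becomes drop"

# The allow is written to the drop zone explicitly and BEFORE that zone becomes
# the default, so there is no window in which ssh is unreachable. A rich rule
# ties the service to the source unambiguously; the module appears to treat
# separate `service:` and `source:` arguments as two independent changes
# (bind source to zone, enable ssh zone-wide), which is not the intended
# "ssh only from these networks" -- verify against the installed
# ansible.posix version if you prefer the two-argument form.
- name: Allow SSH in firewalld from admin CIDRs
  ansible.posix.firewalld:
    zone: drop
    rich_rule: >-
      rule family="{{ 'ipv6' if ':' in item else 'ipv4' }}"
      source address="{{ item }}" service name="ssh" accept
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ _admin_cidr_list }}"

# `command`, not `shell`: there is no pipe or redirection to interpret.
# Reading the zone first lets the set task report a change only when the
# zone actually moves, instead of hiding it with changed_when: false. The
# earlier revision gated this on ansible_facts.services, which requires
# service_facts to have been gathered; the service task above already
# guarantees firewalld is running.
- name: Read the current firewalld default zone
  ansible.builtin.command: firewall-cmd --get-default-zone
  register: fw_default_zone
  changed_when: false

- name: Set firewalld default zone to drop
  ansible.builtin.command: firewall-cmd --set-default-zone=drop
  when: (fw_default_zone.stdout | trim) != 'drop'

# 7 days / 500 MiB is a short forensic window; forward the journal to a
# central collector if these local limits are kept.
- name: Configure journald log limits
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  loop:
    - { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
    - { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
  notify: Restart journald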