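---
# Bootstrap a freshly provisioned Debian host: patch it, create an
# administrative user with key-only SSH access, harden sshd, install a
# baseline tool set, and wire up unattended-upgrades plus the Tailscale
# package repository.
#
# Run with `-e created_username=<name>`. The play stops early when the
# variable is left empty so the user, sudoers and SSH tasks never operate
# on a blank user name.
- name: Debian-based server setup
  hosts: new-debian-servers
  gather_facts: true
  become: true
  vars:
    # Required. Deliberately empty here so an unset value is caught by the
    # assert task below instead of producing an empty user name.
    created_username: ""
    # Debian codename used to select the matching Tailscale repository.
    debian_stable_version: "bullseye"

  handlers:
    # Fired once at the end of the play by the sshd_config edits. The play's
    # own SSH session survives the restart, but key-based access for the new
    # user is what remains afterwards, since password logins are disabled.
    - name: Restart sshd
      ansible.builtin.systemd:
        name: ssh.service
        state: restarted

  tasks:
    - name: Verify that created_username is set
      ansible.builtin.assert:
        that:
          - created_username | length > 0
        fail_msg: "created_username must be set (-e created_username=<name>)"

    - name: Disable APT translations
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/99translations
        state: present
        create: true
        line: 'Acquire::Languages "none";'

    - name: Update packages
      ansible.builtin.apt:
        name: "*"
        state: latest
        update_cache: true

    - name: Update OS
      ansible.builtin.apt:
        upgrade: dist
        update_cache: true

    - name: Reboot the machine (Wait for 5 minutes)
      tags: [reboot]
      ansible.builtin.reboot:
        reboot_timeout: 300

    - name: Create a new user
      ansible.builtin.user:
        name: "{{ created_username }}"
        state: present
        create_home: true

    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        # Public key of the account running ansible on the controller;
        # adjust the path if the operator's key lives elsewhere.
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"

    - name: Setup passwordless sudo for {{ created_username }}
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ created_username }}"
        state: present
        create: true
        # sudoers.d drop-ins are conventionally root-owned and read-only.
        mode: "0440"
        line: "{{ created_username }} ALL=(ALL) NOPASSWD: ALL"
        validate: "/usr/sbin/visudo -cf %s"

    # The three sshd_config edits below are syntax-checked before they are
    # written, so a broken directive cannot lock the host out, and they only
    # take effect once the Restart sshd handler runs at the end of the play.
    - name: Disable password authentication for root
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin prohibit-password"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Disable password authentication for other users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Enable pub key authentication for all users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PubkeyAuthentication"
        line: "PubkeyAuthentication yes"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Install essential packages
      ansible.builtin.apt:
        pkg:
          - git
          - git-core
          - build-essential
          - vim
          - firewalld
          - apt-listchanges
          - unattended-upgrades
          - atop
          - bat
          - exa
          - fail2ban
          - fd-find
          - htop
          - lynis
          - mailutils
          - ncdu
          - nethogs
          - ripgrep
          - tldr
          - tuptime

    - name: Setup unattended-upgrades
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        state: present
        # Match both the shipped commented-out form (`//Unattended-Upgrade::Mail`)
        # and the active line written here, so re-runs replace the directive
        # in place instead of appending a duplicate.
        regexp: '^(//)?Unattended-Upgrade::Mail '
        line: 'Unattended-Upgrade::Mail "{{ created_username }}";'

    - name: Enable and start systemd services
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - atop.service
        - atop-rotate.timer
        - apt-daily.timer
        - fail2ban.service
        - firewalld.service
        - tuptime.service

    - name: Setup Tailscale repository
      tags: [tailscale]
      block:
        - name: tailscale gpg
          ansible.builtin.get_url:
            url: "https://pkgs.tailscale.com/stable/debian/{{ debian_stable_version }}.noarmor.gpg"
            dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
            # Keyring must be world-readable for apt; never writable by others.
            mode: "0644"

        - name: tailscale.list
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/debian {{ debian_stable_version }} main"
            state: present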