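---
# Base playbook: applied to ALL VMs
# - System update
# - Creation of the Elewyn admin user
# - SSH hardening
# - Installation of qemu-guest-agent (Proxmox integration)
# - Utility packages
#
# Expects the inventory/vault to provide `admin_user` and
# `vault_admin_password`, and the control node to hold the public key at
# ~/.ssh/homelab.pub (read with a `file` lookup below).
- name: Configuration de base des VMs
  hosts: all
  become: true
  tasks:
    # -- System update --
    - name: Mise a jour des paquets
      ansible.builtin.dnf:
        name: "*"
        state: latest
        update_cache: true
      tags: [update]

    # -- Base packages --
    - name: Installation des paquets utilitaires
      ansible.builtin.dnf:
        name:
          - qemu-guest-agent
          - vim
          - curl
          - wget
          - tar
          - nfs-utils
          - bash-completion
          - python3
        state: present
      tags: [packages]

    - name: Activation qemu-guest-agent
      ansible.builtin.systemd:
        name: qemu-guest-agent
        state: started
        enabled: true
      tags: [packages]

    # -- Elewyn admin user --
    - name: Creation du groupe {{ admin_user }}
      ansible.builtin.group:
        name: "{{ admin_user }}"
        state: present
      tags: [users]

    - name: Creation de l'utilisateur {{ admin_user }}
      ansible.builtin.user:
        name: "{{ admin_user }}"
        group: "{{ admin_user }}"
        groups: wheel
        # append: re-runs must never strip supplementary groups granted elsewhere
        append: true
        shell: /bin/bash
        create_home: true
        # NOTE(review): password_hash() without an explicit salt produces a
        # different hash on every run, so this task reports "changed" each
        # time and rewrites the shadow entry; pass a stored salt as the
        # second argument (or set update_password: on_create) for idempotency.
        password: "{{ vault_admin_password | password_hash('sha512') }}"
        state: present
      tags: [users]

    - name: Cle SSH pour {{ admin_user }}
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', '~/.ssh/homelab.pub') }}"
        state: present
      tags: [users]

    # wheel may sudo without a password (already the default on Rocky; we make
    # sure of it). Anyone who can log in as a wheel member therefore has
    # passwordless root: the SSH key above is the only gate, so guard it.
    - name: Sudo sans mot de passe pour wheel
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/wheel-nopasswd
        line: "%wheel ALL=(ALL) NOPASSWD: ALL"
        create: true
        mode: "0440"
        # validate: a malformed sudoers file would lock everyone out of sudo
        validate: "visudo -cf %s"
      tags: [users]

    # -- SSH hardening --
    # Both edits are validated with `sshd -t` before being written, so a
    # typo can never leave sshd unable to restart (and the handler is only
    # notified on an actual change).
    # NOTE(review): on hosts whose sshd_config starts with
    # `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the FIRST value it
    # reads, so a drop-in there (cloud-init commonly writes one) overrides
    # these lines; confirm the effective setting with `sshd -T`.
    - name: Desactiver l'authentification par mot de passe SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [ssh]

    - name: Desactiver le login root SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [ssh]

    # -- Firewalld --
    # No rule is added here: SSH reachability relies on the default zone's
    # permitted services, so check it before enabling on a host that was
    # reachable only because no firewall was running.
    - name: Installation firewalld
      ansible.builtin.dnf:
        name: firewalld
        state: present
      tags: [firewall]

    - name: Activer firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: started
        enabled: true
      tags: [firewall]

  handlers:
    # Triggered by the SSH hardening tasks; runs once at the end of the play.
    - name: restart sshd
      ansible.builtin.systemd:
        name: sshd
        state: restarted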