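---
# Variables this play expects from inventory/extra vars (no defaults are set here):
#   ufw_status — the three ufw tasks run only when this equals "enabled";
#                leaving it undefined makes their `when` fail rather than skip
#   ssh_port   — TCP port allowed through ufw before the firewall is enabled
- name: "Basic debian bookworm server setup"
  hosts: all
  become: true
  tasks:
    - name: "Update Apt cache"
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600  # 1 Hour

    # name "*" with state latest upgrades every installed package
    - name: "Update everything"
      ansible.builtin.apt:
        name: "*"
        state: latest

    - name: "Install basic applications"
      ansible.builtin.apt:
        state: present
        name:
          - "apt-transport-https"
          - "ca-certificates"
          - "sysstat"
          - "htop"
          - "vim"
          - "tmux"
          - "net-tools"
          - "curl"
          - "wget"
          - "git"
          - "tcpdump"
          - "dnsutils"
          - "iputils-ping"
          - "ripgrep"

    - name: "Install ufw"
      ansible.builtin.apt:
        state: present
        name:
          - "ufw"
      when: ufw_status == "enabled"

    # Time sync is provided by systemd-timesyncd (next task) instead of ntpd
    - name: "Make sure ntpd is not installed"
      ansible.builtin.apt:
        state: absent
        name:
          - "ntp"

    - name: "Enable and start systemd-timesyncd"
      ansible.builtin.systemd:
        state: started
        enabled: true
        name: systemd-timesyncd

    # append: true adds sudo without stripping other supplementary groups the
    # account may already have; the module's default replaces the whole group list
    - name: "Ensure adminmz account is present"
      ansible.builtin.user:
        state: present
        name: adminmz
        groups:
          - "sudo"
        append: true

    # The key list is fetched from this URL on every run, so whoever can change
    # that file controls SSH access for adminmz — the source must stay trusted.
    - name: "Set adminmz ssh key"
      ansible.posix.authorized_key:
        user: adminmz
        state: present
        key: "https://git.mziesel.nl/mans.keys"

    # Must stay ahead of "Enable ufw" so ssh_port is already open when the
    # firewall comes up; otherwise the play could lock itself out of the host
    - name: "Add ssh allow rule in ufw"
      community.general.ufw:
        rule: allow
        to_port: "{{ ssh_port }}"
        protocol: tcp
      when: ufw_status == "enabled"

    # No explicit default policy is set here; ufw's own defaults apply
    - name: "Enable ufw"
      community.general.ufw:
        state: enabled
      when: ufw_status == "enabled"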