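---
# Bootstrap a local administrator, the firewall, sudo and the SSH daemon.
# Ordering matters: SSH allow rules are created before UFW is enabled, and both
# sudoers and sshd_config are validated before being written so a bad template
# cannot lock the operator out of the host.

- name: Create wheel group
  ansible.builtin.group:
    name: wheel
    state: present
    system: true

- name: Create local administrator
  ansible.builtin.user:
    state: present
    name: localadmin
    uid: 1000
    # `append` is left at its default, so the supplementary groups of
    # localadmin are reset to exactly `wheel` on every run.
    groups:
      - wheel
    create_home: true
    # Salt derived deterministically from the inventory name so the hash is
    # stable between runs (no spurious "changed") but still differs per host.
    # The previous literal salt "thisisabadsalt" was identical on every host,
    # which is what the comment above it was trying to avoid.
    # admin_password is expected to come from an encrypted source (vault).
    password: "{{ admin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

- name: Load Arch tasks
  import_tasks: arch.yml
  when: ansible_os_family | lower == "archlinux"

- name: Load Debian tasks
  import_tasks: debian.yml
  when: ansible_os_family | lower == "debian"

- name: Allow SSH
  # Default for SSH is to allow from LAN, WLAN, and VPN; override with
  # ssh_allowlist. This must run before UFW is enabled below.
  loop: "{{ ssh_allowlist | default(['10.242.0.0/23', '10.242.3.0/24']) }}"
  community.general.ufw:
    rule: allow
    name: SSH
    from: "{{ item }}"

- name: Start UFW
  # Make the inbound default-deny explicit instead of relying on ufw's
  # built-in default; the SSH allow rules above still take precedence.
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: Allow wheel to use sudo
  ansible.builtin.copy:
    src: admin.conf
    dest: /etc/sudoers.d/00-administrators
    # visudo -c rejects a syntactically broken file before it is installed,
    # which would otherwise disable sudo entirely.
    validate: /usr/sbin/visudo -cf %s
    mode: "0440"
    owner: root
    group: root

- name: Configure SSH server
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Test the rendered config before replacing the live one; a bad template
    # followed by the restart handler would otherwise drop remote access.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart SSH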