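---
# Generic Host Bootstrap Playbook
#
# Creates an administrative user with SSH key authentication and hardens
# the SSH daemon on every host in the inventory.
# Designed to be built with ansible-bundler.
#
# Usage:
#   ansible-playbook bootstrap.yml -i inventory -e @vars.yml
#
# Or with bundled version:
#   ./bootstrap.run -e user_name=operator -e user_pubkey="ssh-ed25519 AAAA..."
#
# Required variables:
#   - user_name: Username to create
#   - One of: user_pubkey, user_pubkey_file, user_pubkey_url
#
# Optional variables (see roles/users/defaults/main.yml for full list):
#   - user_password: Password for the user
#   - user_sudo_enabled: Enable sudo (default: true)
#   - user_sudo_nopasswd: Passwordless sudo (default: true). With this
#     default, possession of the user's private key is equivalent to root
#     on the host; set it to false (and set user_password) if that does
#     not fit your threat model.
#   - ssh_server_ports: SSH port(s) (default: ["22"])
#   - ssh_permit_root_login: Allow root login (default: "no")
#
# Lockout warning: this play turns off password and root logins. Once it has
# run, the new user's key is the only way in. Keep the session you ran it
# from open and confirm `ssh <user_name>@<host>` works from a second session
# before closing it.
#

- name: Bootstrap and harden host
  hosts: all
  gather_facts: true
  vars:
    # User defaults (override via -e or vars file)
    user_name: "operator"

    # SSH hardening defaults - secure by default.
    # "yes"/"no" values are strings because the role passes them through
    # verbatim to sshd_config; keep them quoted so YAML does not turn
    # them into booleans.
    ssh_permit_root_login: "no"
    ssh_server_password_login: false
    ssh_client_password_login: false
    ssh_allow_tcp_forwarding: "no"
    ssh_allow_agent_forwarding: false
    ssh_x11_forwarding: false
    ssh_permit_tunnel: "no"
    ssh_use_pam: true
    ssh_print_motd: false
    ssh_print_last_log: false
    ssh_max_auth_retries: 2
    ssh_client_alive_interval: 300
    ssh_client_alive_count: 3

    # Include sshd_config.d for distro-specific configs.
    # NOTE(review): sshd keeps the FIRST value it sees for each keyword, so
    # where the role renders these custom options relative to its own
    # directives decides who wins. If the Include lands before the role's
    # "PasswordAuthentication no", a drop-in such as a cloud-init
    # "PasswordAuthentication yes" silently reopens password login. The
    # verification in post_tasks below checks the effective value with
    # `sshd -T`; confirm the role's template ordering before relying on
    # drop-ins for anything security-relevant.
    sshd_custom_options:
      - "Include /etc/ssh/sshd_config.d/*"

    # Restrict SSH to the created user (set to empty string to allow all
    # users). Enabling this also locks out the account Ansible is currently
    # connecting as, unless it is the same user - run with that in mind.
    # ssh_allow_users: "{{ user_name }}"

  pre_tasks:
    # Fail before any hardening happens: if no public key is supplied, the
    # user would be created without a key while password login is being
    # disabled, which locks everyone out of the host.
    - name: Verify required variables are set
      ansible.builtin.assert:
        that:
          - user_name is defined
          - user_name | length > 0
          - user_pubkey is defined or user_pubkey_file is defined or user_pubkey_url is defined
        fail_msg: >-
          user_name and one of user_pubkey, user_pubkey_file or
          user_pubkey_url must be provided (see the header of this playbook).

    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
      become: true
      when: ansible_os_family == "Debian"

    - name: Ensure sudo is installed
      ansible.builtin.package:
        name: sudo
        state: present
      become: true

  roles:
    - role: users
      become: true
    - role: ssh_hardening
      become: true

  post_tasks:
    # Read back what sshd actually enforces rather than what we wrote;
    # Include ordering or a stray drop-in can override the template.
    # Assumes `sshd` is on root's PATH (/usr/sbin on common distros).
    - name: Read effective sshd configuration
      ansible.builtin.command: sshd -T
      register: sshd_effective
      changed_when: false
      become: true

    # sshd -T prints keywords lower-cased, one "keyword value" per line.
    - name: Verify password authentication matches the hardening intent
      ansible.builtin.assert:
        that:
          - ("passwordauthentication " ~ ("yes" if ssh_server_password_login else "no")) in sshd_effective.stdout_lines
        fail_msg: >-
          Effective PasswordAuthentication does not match
          ssh_server_password_login={{ ssh_server_password_login }};
          check /etc/ssh/sshd_config.d/ for an overriding drop-in.

    # Only the plain yes/no forms are compared here: sshd -T may print
    # "without-password" as "prohibit-password" depending on version.
    - name: Verify root login matches the hardening intent
      ansible.builtin.assert:
        that:
          - ("permitrootlogin " ~ ssh_permit_root_login) in sshd_effective.stdout_lines
        fail_msg: >-
          Effective PermitRootLogin does not match
          ssh_permit_root_login={{ ssh_permit_root_login }};
          check /etc/ssh/sshd_config.d/ for an overriding drop-in.
      when: ssh_permit_root_login in ["yes", "no"]

    - name: Display connection info
      ansible.builtin.debug:
        msg: |
          Host bootstrap complete!

          User '{{ user_name }}' has been created with SSH key authentication.

          SSH has been hardened with the following settings:
            - Root login: {{ ssh_permit_root_login }}
            - Password authentication: {{ ssh_server_password_login }}
            - Port(s): {{ ssh_server_ports | default(['22']) | join(', ') }}

          To connect:
            ssh {{ user_name }}@{{ ansible_host | default(inventory_hostname) }}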