---
- name: Baseline host configuration
  hosts: all:!proxmox
  become: true
  gather_facts: true

  tasks:
    - name: Ensure common packages are installed (Debian/Ubuntu)
      ansible.builtin.apt:
        name: "{{ common_packages }}"
        state: present
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Configure timezone
      community.general.timezone:
        name: "{{ timezone }}"

    - name: Ensure unattended-upgrades is installed
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Ensure fail2ban is installed
      ansible.builtin.apt:
        name: fail2ban
        state: present
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Ensure UFW is installed
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: Ensure UFW allows SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp
      when: ansible_os_family == "Debian"

    - name: Ensure UFW is enabled
      community.general.ufw:
        state: enabled
      when: ansible_os_family == "Debian"