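---
# Baseline host setup: base packages, SELinux, SSH root-login policy,
# /etc/hosts, fail2ban, firewalld rules and root mail forwarding.
# The handlers notified below ("Restart ssh", "Restart fail2ban",
# "reload firewalld") are not defined in this file.

- name: install basic packages
  yum:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - langpacks-en
      - langpacks-de
      - glibc-all-langpacks
      - sysstat
      - mailx
      - bind-utils
      - epel-release
      - setroubleshoot-server
      # NOTE(review): telnet client, presumably for connectivity checks;
      # confirm it is still wanted on a hardened host.
      - telnet
      - git
      - yum-utils

# NOTE(review): if SELinux was previously disabled, the switch to enforcing
# usually only takes effect after a reboot; confirm how that is handled.
- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing

- name: disable kdump
  systemd:
    name: kdump
    enabled: false

# Root may log in over SSH with a key but not with a password.
# "prohibit-password" is the current spelling; "without-password" is a
# deprecated alias with the same meaning.
# validate makes sshd check the edited file before it replaces the live
# config, so a broken sshd_config cannot lock out remote access.
# NOTE(review): if no line matches the regexp, lineinfile appends at end of
# file, where a trailing "Match" block would scope the setting; verify.
- name: allow root SSH with key only
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin prohibit-password'
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart ssh

- name: create /etc/hosts from template
  template:
    src: hosts.j2
    dest: /etc/hosts
    owner: root
    group: root
    backup: true
    mode: '0644'

- name: install fail2ban
  yum:
    name: fail2ban
    state: present

# Only enables the unit at boot; this task does not start it. A running
# service depends on the "Restart fail2ban" handler notified below.
- name: enable fail2ban
  systemd:
    name: fail2ban
    enabled: true

- name: copy fail2ban config
  copy:
    src: jail.local
    dest: /etc/fail2ban/jail.local
    mode: '0644'
  notify: Restart fail2ban

# Opens the listed services in the permanent and the running configuration.
# NOTE(review): imap and pop3 are opened next to imaps/pop3s; confirm the
# mail daemon refuses authentication on the plaintext ports without TLS.
- name: setup firewalld rules - services
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - ssh
    - http
    - https
    - smtp
    - smtps
    - imap
    - imaps
    - pop3
    - pop3s
    - managesieve
  notify: reload firewalld

# No "immediate" here: the service stays open in the running firewall until
# the "reload firewalld" handler runs.
- name: setup firewalld rules - remove services
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: disabled
  loop:
    - cockpit
  notify: reload firewalld

# NOTE(review): 10050/tcp is presumably the Zabbix agent; as written the port
# is opened for every source in the default zone. Consider limiting it to the
# monitoring server's address.
- name: setup firewalld rules - ports
  firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
  loop:
    - 10050/tcp
  notify: reload firewalld

# Forwards root's local mail to the address in "content".
- name: Create ~/.forward
  copy:
    content: 'joerg.lehmann@nbit.ch'
    dest: /root/.forward
    owner: root
    group: root
    mode: '0644'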