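---
# Initial hardening of a freshly provisioned Debian VPS: create a sudo user
# that carries the connecting account's SSH key, then turn off root and
# password logins over SSH. `new_user` is read from ../infra_vars.yml.
- name: Secure Debian VPS
  hosts: vipy
  vars_files:
    - ../infra_vars.yml
  become: true

  tasks:
    - name: Update and upgrade apt packages
      apt:
        update_cache: true
        upgrade: full
        autoremove: true

    - name: Create new user
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: true

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    # The key the playbook itself connected with is reused, so the new account
    # is reachable over SSH before password logins are disabled further down.
    - name: Copy current user's authorized_keys to new user
      copy:
        src: "{{ (ansible_user == 'root') | ternary('/root/.ssh/authorized_keys', '/home/' + ansible_user + '/.ssh/authorized_keys') }}"
        dest: "/home/{{ new_user }}/.ssh/authorized_keys"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"
        mode: "0600"
        remote_src: true

    # NOPASSWD gives this account unprompted root; after this play the only
    # gate on it is possession of the SSH key. The drop-in is checked with
    # visudo before it is installed so a malformed file cannot break sudo,
    # and the trailing newline keeps older sudo parsers from rejecting it.
    - name: Allow new user to run sudo without password
      copy:
        dest: "/etc/sudoers.d/{{ new_user }}"
        content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: "/usr/sbin/visudo -cf %s"

    # `backrefs` was dropped: with it, lineinfile only rewrites an existing
    # matching line and silently adds nothing when the directive is absent,
    # so a stock config without the line would stay unhardened. Each edit is
    # validated with `sshd -t` before it replaces sshd_config, which guards
    # against locking ourselves out with a config sshd refuses to load.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      loop:
        - regexp: "^#?PermitRootLogin .*"
          line: "PermitRootLogin no"
        - regexp: "^#?PasswordAuthentication .*"
          line: "PasswordAuthentication no"

    # Presumably the Include of sshd_config.d/*.conf lets a cloud-init drop-in
    # take precedence over the main file, so the same setting is pinned there.
    - name: Ensure PasswordAuthentication is set to no in cloud-init config
      lineinfile:
        path: /etc/ssh/sshd_config.d/50-cloud-init.conf
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        create: true
        backup: true
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Restart SSH
      service:
        name: ssh
        state: restarted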