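---
# Main tasks for common role - base system setup and hardening
#
# Order of operations: DNS drop-in for systemd-resolved, apt cache refresh,
# base package install, timezone, then the included hardening task files
# (SSH, UFW, automatic updates, fail2ban). Variables prefixed `common_` are
# not defined in this file; presumably they come from the role's defaults or
# the inventory - verify.

- name: Ensure systemd-resolved config directory exists
  ansible.builtin.file:
    path: /etc/systemd/resolved.conf.d
    state: directory
    mode: '0755'
  tags: [dns]

# NOTE(review): the resolver addresses are hard-coded and this drop-in sets
# neither DNSSEC= nor DNSOverTLS=, so whatever defaults the host already has
# for those options stay in effect. For a hardening role, confirm that
# unauthenticated lookups to external resolvers are intended; if not, set
# those options here and consider moving the addresses into role variables.
- name: Configure DNS (systemd-resolved)
  ansible.builtin.copy:
    dest: /etc/systemd/resolved.conf.d/dns_servers.conf
    content: |
      [Resolve]
      DNS=8.8.8.8 8.8.4.4
      FallbackDNS=1.1.1.1 1.0.0.1
    mode: '0644'
  # The handler is not defined in this file; it must exist under this exact
  # name or the notification fails at runtime.
  notify: Restart systemd-resolved
  tags: [dns]

# Run pending handlers now instead of at the end of the play, so the resolver
# change is live before the tasks that follow.
- name: Flush handlers (apply DNS config immediately)
  ansible.builtin.meta: flush_handlers
  tags: [dns]

- name: Update apt cache
  ansible.builtin.apt:
    # Canonical YAML boolean instead of `yes`.
    update_cache: true
    # Skip the refresh when the cache is younger than one hour.
    cache_valid_time: 3600

- name: Install common packages
  ansible.builtin.apt:
    name: "{{ common_packages }}"
    state: present

- name: Set timezone
  community.general.timezone:
    name: "{{ common_timezone }}"

# NOTE(review): ssh.yml and firewall.yml are not visible here. If ssh.yml
# changes the listening port or firewall.yml enables a default-deny policy,
# confirm the SSH port is allowed before the firewall is enabled so the
# control connection is not cut off mid-run.
- name: Configure SSH hardening
  ansible.builtin.include_tasks: ssh.yml

- name: Configure UFW firewall
  ansible.builtin.include_tasks: firewall.yml

# `| bool` makes the toggles below behave the same whether the variable is a
# real boolean or a string such as "false" passed with `-e key=value`; a bare
# non-empty string would otherwise not be evaluated as the operator intended.
- name: Configure automatic updates
  ansible.builtin.include_tasks: updates.yml
  when: common_unattended_upgrades | bool

- name: Configure fail2ban
  ansible.builtin.include_tasks: fail2ban.yml
  when: common_fail2ban_enabled | bool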