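---
# Service Hardening and Unused Service Removal
#
# Expected variables (defined outside this file):
#   disable_unused_services - list of systemd unit names to stop and disable.
#   remove_unused_packages  - optional list of *package* names to remove. Defaults
#                             to disable_unused_services for backward compatibility,
#                             but unit names and package names are not always the
#                             same, so set it explicitly where they differ.
#
# Handler expected elsewhere in the role: "reload systemd" (daemon-reload).
# Drop-in changes to sandboxing/restart/timeout settings only take effect the
# next time the affected unit is (re)started; a daemon-reload alone is not
# enough. NOTE(review): confirm the role restarts nginx/php-fpm/docker after
# this file runs.

- name: Gather service facts
  # Used below to decide whether docker.service exists on this host.
  ansible.builtin.service_facts:
  tags:
    - security
    - services

- name: Stop and disable unused services
  ansible.builtin.service:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop: "{{ disable_unused_services }}"
  register: unused_service_result
  # A unit that is simply not installed is not a hardening failure. Any other
  # error (e.g. the unit refuses to stop) must fail the run instead of being
  # hidden by a blanket ignore_errors.
  failed_when: >-
    unused_service_result is failed and
    'Could not find the requested service' not in (unused_service_result.msg | default(''))
  tags:
    - security
    - services
    - cleanup

- name: Remove unused service packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: absent
  loop: "{{ remove_unused_packages | default(disable_unused_services) }}"
  # Best effort: package names differ between distributions and a name that is
  # not installed is not worth aborting the play for. Be aware that on dnf/yum
  # hosts removing a package also removes packages that depend on it.
  ignore_errors: true
  tags:
    - security
    - services
    - packages

- name: Mask dangerous services
  ansible.builtin.systemd:
    name: "{{ item }}"
    masked: true
  loop:
    - rpcbind.service
    - rpcbind.socket
    - nfs-server.service
    - nfs-lock.service
    - nfs-idmap.service
  # No ignore_errors here: masking works whether or not the unit is installed
  # (systemd creates a /dev/null symlink), so a failure is a real failure.
  # NOTE(review): masking rpcbind/nfs-* also breaks NFS *client* mounts; confirm
  # the host has no NFS dependency before applying.
  tags:
    - security
    - services
    - systemd

- name: Create systemd drop-in directories for hardened services
  # Must run before any task that writes a drop-in file: template/copy do not
  # create parent directories.
  ansible.builtin.file:
    path: "/etc/systemd/system/{{ item }}.service.d"
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - nginx
    - php8.4-fpm
    - fail2ban
    - docker
  # Docker drop-ins are only written when docker.service exists on the host.
  when: item != 'docker' or 'docker.service' in ansible_facts.services
  tags:
    - security
    - services
    - directories

- name: Configure service security settings
  # NOTE(review): service-security.conf.j2 is not visible here; it must start
  # with a "[Service]" section header or systemd ignores every assignment in it.
  ansible.builtin.template:
    src: service-security.conf.j2
    dest: "/etc/systemd/system/{{ item }}.service.d/security.conf"
    owner: root
    group: root
    mode: '0644'
  loop:
    - nginx
    - php8.4-fpm
  notify: reload systemd
  tags:
    - security
    - services
    - systemd

- name: Harden Docker service (if installed)
  ansible.builtin.template:
    src: docker-security.conf.j2
    dest: /etc/systemd/system/docker.service.d/security.conf
    owner: root
    group: root
    mode: '0644'
  # Gate on the unit actually existing instead of ignoring errors, so a broken
  # template or permission problem still fails the run on Docker hosts.
  when: "'docker.service' in ansible_facts.services"
  notify: reload systemd
  tags:
    - security
    - services
    - docker

- name: Configure service restart policies
  # A drop-in needs the [Service] header; a bare "Restart=" line outside a
  # section is rejected by systemd ("Assignment outside of section") and the
  # policy would silently never apply. Whole-file content keeps this idempotent.
  ansible.builtin.copy:
    dest: "/etc/systemd/system/{{ item.service }}.service.d/restart.conf"
    content: |
      [Service]
      Restart={{ item.policy }}
    owner: root
    group: root
    mode: '0644'
  loop:
    - { service: "nginx", policy: "always" }
    - { service: "php8.4-fpm", policy: "always" }
    - { service: "fail2ban", policy: "always" }
  notify: reload systemd
  tags:
    - security
    - services
    - reliability

- name: Set service stop timeouts
  # Same [Service] header requirement as the restart drop-in above.
  ansible.builtin.copy:
    dest: "/etc/systemd/system/{{ item.service }}.service.d/timeout.conf"
    content: |
      [Service]
      TimeoutStopSec={{ item.timeout }}
    owner: root
    group: root
    mode: '0644'
  loop:
    - { service: "nginx", timeout: "30s" }
    - { service: "php8.4-fpm", timeout: "30s" }
    - { service: "docker", timeout: "60s" }
  when: item.service != 'docker' or 'docker.service' in ansible_facts.services
  notify: reload systemd
  tags:
    - security
    - services
    - timeouts

- name: Enable core security services
  # These are required; a failure here must abort the play.
  # NOTE(review): starting ufw.service does not enable the firewall rule set
  # ("ufw enable" / community.general.ufw state=enabled); confirm that is done
  # elsewhere in the role.
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - ufw
    - fail2ban
    - auditd
    - unattended-upgrades
  tags:
    - security
    - services
    - enable

- name: Flush handlers so drop-ins are loaded before verification
  ansible.builtin.meta: flush_handlers
  tags:
    - security
    - services
    - verification

- name: Verify critical service status
  # "systemctl is-active" exits non-zero for anything but "active", which fails
  # the task by default. Unit name "ssh" is the Debian/Ubuntu name; RHEL-family
  # hosts use "sshd".
  ansible.builtin.command:
    argv:
      - systemctl
      - is-active
      - "{{ item }}"
  register: service_status
  changed_when: false
  loop:
    - ssh
    - ufw
    - fail2ban
    - auditd
  tags:
    - security
    - services
    - verification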