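---
# Base Security Role - Main Tasks
#
# Entry point of the role: loads per-OS variables, installs the security
# packages, then pulls in one task file per hardening area.
#
# NOTE(review): tags set on a dynamic `include_tasks` apply to the include
# statement only and are not inherited by the tasks in the included file.
# A tag-limited run (e.g. `--tags ssh`) applies the hardening only if the
# included files tag their own tasks. Confirm that, or pass the tags down
# with `apply:`, so a partial run cannot report success while changing
# nothing.

# Variable file name is derived from the gathered `ansible_os_family` fact,
# so facts must be available and a matching <family>.yml must exist.
# NOTE(review): presumably `security_packages` is defined in that file; a
# run limited to `--tags packages` skips this task - verify the variable
# has a default elsewhere.
- name: Include OS-specific variables
  include_vars: "{{ ansible_os_family }}.yml"
  tags:
    - security
    - config

# `cache_valid_time` is an apt-only option; passed through the generic
# `package` module it is rejected by other package managers. Call apt
# directly and restrict the task to Debian-family hosts.
- name: Update package cache
  apt:
    update_cache: true
    cache_valid_time: 3600
  when: ansible_os_family == "Debian"
  tags:
    - security
    - packages

# `state: present` installs missing packages; it does not upgrade ones
# that are already installed.
- name: Install security packages
  package:
    name: "{{ security_packages }}"
    state: present
  tags:
    - security
    - packages

- name: Configure system security settings
  include_tasks: system-hardening.yml
  tags:
    - security
    - hardening

- name: Configure SSH security
  include_tasks: ssh-hardening.yml
  tags:
    - security
    - ssh

# The next three controls are opt-in: when the toggle evaluates to false
# the whole task file is skipped. Where the toggles get their defaults is
# not visible from this file.
- name: Configure UFW firewall
  include_tasks: firewall.yml
  when: ufw_enabled | bool
  tags:
    - security
    - firewall

- name: Configure Fail2ban
  include_tasks: fail2ban.yml
  when: fail2ban_enabled | bool
  tags:
    - security
    - fail2ban

- name: Configure automatic security updates
  include_tasks: security-updates.yml
  when: unattended_upgrades_enabled | bool
  tags:
    - security
    - updates

- name: Disable unused services
  include_tasks: service-hardening.yml
  tags:
    - security
    - services

- name: Apply security audit recommendations
  include_tasks: security-audit.yml
  tags:
    - security
    - audit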