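---
# Baseline hardening for Ubuntu 22.04 hosts: package updates, UFW with a
# default-deny inbound policy, Fail2Ban, sshd hardening, unused services off,
# and a few kernel sysctls. Every task escalates with become.
- name: Sécurisation d'Ubuntu 22.04
  hosts: all
  become: true

  vars:
    # Inbound TCP ports left open by UFW; everything else inbound is denied.
    ufw_allowed_ports:
      - 22    # SSH
      - 80    # HTTP
      - 443   # HTTPS
    # Port sshd listens on. It is always opened in UFW, even when it is not in
    # ufw_allowed_ports, so changing it cannot lock the operator out.
    ssh_port: 22
    # sshd_config values are literal strings: keep them quoted so YAML does not
    # turn "no" into the boolean false.
    ssh_permit_root_login: "no"
    ssh_password_auth: "no"
    fail2ban_enabled: true

  handlers:
    # Restart sshd only when its configuration actually changed. The lineinfile
    # task validates the file first, so a broken config never reaches here.
    - name: Redémarrer le service SSH
      ansible.builtin.service:
        name: ssh
        state: restarted

  tasks:
    - name: Mise à jour de tous les paquets
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
        upgrade: dist
        autoremove: true

    - name: Installation des outils de sécurité de base
      ansible.builtin.apt:
        name:
          - ufw                  # host firewall
          - fail2ban             # bans sources after repeated auth failures
          - unattended-upgrades  # automatic security updates
        state: present

    - name: Configurer les mises à jour automatiques
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        # Literal block scalar keeps the two APT directives on separate lines.
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        owner: root
        group: root
        mode: "0644"

    # Without an explicit default policy, allow rules alone do not block anything.
    - name: Refuser tout le trafic entrant par défaut
      community.general.ufw:
        direction: incoming
        policy: deny

    # Opened separately from ufw_allowed_ports so a custom ssh_port is never
    # locked out when UFW is enabled below.
    - name: Autoriser le port SSH dans UFW
      community.general.ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp

    - name: Activer et configurer UFW (Uncomplicated Firewall)
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp  # the listed services are TCP; do not open UDP as well
      loop: "{{ ufw_allowed_ports }}"

    - name: Activer UFW
      community.general.ufw:
        state: enabled

    # No jail file is written here; the package's Debian/Ubuntu defaults are
    # relied on for the sshd jail. NOTE(review): if ssh_port is changed, the
    # jail's port should be set to match — confirm against /etc/fail2ban.
    - name: Configurer Fail2Ban si activé
      when: fail2ban_enabled
      block:
        - name: Activer le service Fail2Ban
          ansible.builtin.service:
            name: fail2ban
            state: started
            enabled: true

    # Ubuntu 22.04's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
    # and sshd keeps the first value it reads, so a drop-in there (cloud images
    # commonly ship one) silently overrides these lines. The "sshd -T" check at
    # the end of the play reports the effective values.
    - name: Configurer SSH pour renforcer la sécurité
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        # Reject the edit (and skip the restart) if sshd cannot parse the result.
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - regexp: '^#?Port '
          line: "Port {{ ssh_port }}"
        - regexp: '^#?PermitRootLogin '
          line: "PermitRootLogin {{ ssh_permit_root_login }}"
        - regexp: '^#?PasswordAuthentication '
          line: "PasswordAuthentication {{ ssh_password_auth }}"
      notify: Redémarrer le service SSH

    - name: Recenser les services présents
      ansible.builtin.service_facts:

    - name: Désactiver les services inutiles
      ansible.builtin.service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop:
        - cups          # printing service
        - avahi-daemon  # mDNS / network discovery service
      # Skip units that are not installed: the service module fails on an
      # unknown unit instead of treating it as already absent.
      # NOTE(review): avahi-daemon is socket-activated; its .socket unit may
      # need disabling too — confirm on the target.
      when: (item ~ '.service') in ansible_facts.services

    # Ignoring echo requests blinds ping-based monitoring; hence "optional".
    - name: Désactiver le ping ICMP (optionnel)
      ansible.posix.sysctl:
        name: net.ipv4.icmp_echo_ignore_all
        value: "1"  # sysctl values are strings; quoting avoids int/str drift
        sysctl_set: true
        state: present
        reload: true

    # Forwarding must stay enabled on hosts that route or run containers.
    - name: Désactiver le transfert IPv4 et IPv6
      ansible.posix.sysctl:
        name: "{{ item }}"
        value: "0"
        sysctl_set: true
        state: present
        reload: true
      loop:
        - net.ipv4.ip_forward
        - net.ipv6.conf.all.forwarding

    # Run the pending sshd restart now so the check below sees the new daemon.
    - name: Appliquer le redémarrage de SSH avant la vérification
      ansible.builtin.meta: flush_handlers

    # The fail2ban probe is only included when the service was requested, so a
    # deliberately disabled fail2ban does not fail the check.
    - name: Vérifier si les configurations de sécurité sont bien appliquées
      ansible.builtin.shell: >-
        ufw status
        {% if fail2ban_enabled %}&& systemctl is-active fail2ban{% endif %}
        && sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|port'
      register: security_check
      changed_when: false  # read-only probe; never report a change

    - name: Afficher le résultat de la vérification
      ansible.builtin.debug:
        var: security_check.stdout_lines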