---
# Main Site Playbook
# Complete Server Hardening + User Management + WireGuard VPN + Firewall

- name: Secure VPN Server Deployment
  hosts: vpn_servers
  become: yes
  gather_facts: yes   # required: ansible_default_ipv4, ansible_distribution* and ansible_date_time are used below

  pre_tasks:
    - name: Display deployment information
      ansible.builtin.debug:
        msg:
          - "Deploying secure VPN server to: {{ inventory_hostname }}"
          # ansible_default_ipv4.address is the address of the default-route interface;
          # on cloud hosts behind NAT this is usually a private address, not the public one
          - "IP Address: {{ ansible_default_ipv4.address }}"
          - "OS: {{ ansible_distribution }} {{ ansible_distribution_version }}"
          - "VPN Network: {{ wg_network | default('10.100.0.0/24') }}"

    # The assertion accepts 22.04 or newer; the task name used to say 24.04, which did not match
    - name: Verify Ubuntu 22.04 or newer
      ansible.builtin.assert:
        that:
          - ansible_distribution == "Ubuntu"
          - ansible_distribution_version is version('22.04', '>=')
        fail_msg: "This playbook requires Ubuntu 22.04 or newer"
        success_msg: "OS version check passed"

  roles:
    - role: system_hardening
      tags: ['hardening', 'security', 'cis']

    # Skipped entirely when no admin users are defined: root then remains the only account,
    # so make sure the ssh_users and system_hardening roles together do not lock you out
    - role: ssh_users
      tags: ['users', 'ssh', 'security']
      when: admin_users is defined and admin_users | length > 0

    - role: wireguard_server
      tags: ['wireguard', 'vpn']

    - role: secure_firewall
      tags: ['firewall', 'security']

  post_tasks:
    - name: Display deployment summary
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "Deployment Complete!"
          - "========================================="
          - ""
          - "Server: {{ inventory_hostname }}"
          - "Public IP: {{ ansible_default_ipv4.address }}"
          - "VPN Network: {{ wg_network }}"
          - "Admin Users: {{ admin_users | map(attribute='username') | list | join(', ') if admin_users is defined else 'none' }}"
          - ""
          - "Client configs: /root/wireguard-client-configs/"
          - "{% if admin_users is defined and admin_users | length > 0 %}SSH keys: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{% endif %}"
          - "Firewall config: /root/firewall-config.txt"
          - ""
          - "Next steps:"
          - "1. Download client configs from server"
          - "{% if admin_users is defined and admin_users | length > 0 %}2. Test SSH with new admin users{% endif %}"
          - "3. Distribute VPN configs to users"
          - "4. Test VPN connection"
          - "5. Verify firewall rules"
          - ""
          - "========================================="

    - name: Save deployment summary
      ansible.builtin.copy:
        dest: /root/deployment-summary.txt
        mode: '0600'   # the summary names key locations and users; keep it root-readable only
        content: |
          Secure VPN Server Deployment Summary
          =====================================
          Deployment Date: {{ ansible_date_time.iso8601 }}
          Server: {{ inventory_hostname }}
          Public IP: {{ ansible_default_ipv4.address }}

          Components Deployed:
          - System Hardening (CIS Level 1 compliant)
          - SSH User Management
          - WireGuard VPN Server
          - Secure Firewall (Management access restricted)

          Admin Users:
          {% if admin_users is defined %}
          {% for user in admin_users %}
          - {{ user.username }} ({{ user.comment | default('') }})
          {% endfor %}
          {% else %}
          - None created (using root)
          {% endif %}

          VPN Configuration:
          - Network: {{ wg_network }}
          - Server IP: {{ wg_server_ip }}
          - Port: {{ wg_port }}
          - Users: {{ wg_peers | length }}

          Security Features (CIS Compliant):
          - SSH hardened (key-only, strong ciphers)
          - Root SSH login disabled
          - Password policies enforced
          - AppArmor enabled and enforcing
          - Comprehensive audit logging
          - Automatic security updates enabled
          - Fail2ban active
          - Uncommon network protocols disabled
          - Core dumps restricted
          - Management ports restricted to authorized sources

          Client Configurations:
          VPN: /root/wireguard-client-configs/
          {% if admin_users is defined and admin_users | length > 0 %}
          SSH Keys (on control node): {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/
          {% endif %}

          VPN Peers:
          {% for peer in wg_peers %}
          - {{ peer.name }}: {{ peer.ip }}
          {% endfor %}

          Important Files:
          - VPN client configs: /root/wireguard-client-configs/
          - Firewall config: /root/firewall-config.txt
          - WireGuard keys: /etc/wireguard/keys/
          - Sudo log: /var/log/sudo.log
          - Audit logs: /var/log/audit/audit.log

          Next Steps:
          1. Download VPN configs: scp root@{{ ansible_default_ipv4.address }}:/root/wireguard-client-configs/* ./
          {% if admin_users is defined and admin_users | length > 0 %}
          2. Test SSH with admin users (root SSH will be disabled)
          3. Verify sudo access works for admin users
          {% endif %}
          4. Distribute VPN configs to users
          5. Test VPN connection
          6. Monitor logs: journalctl -u wg-quick@wg0
          7. Review audit logs: ausearch -ts recent
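The playbook reads its inputs from inventory variables but never shows their shape. The file below is an added example of a `group_vars/vpn_servers.yml` that satisfies every reference the playbook makes; it is not part of the original playbook or its roles. The key names (`wg_network`, `wg_server_ip`, `wg_port`, `wg_peers[].name`/`.ip`, `admin_users[].username`/`.comment`, `ssh_keys_local_dir`) are exactly those the playbook templates; every value, hostname and peer name is constructed for illustration, and the four roles may require further keys that are not visible on this page.

```yaml
# group_vars/vpn_servers.yml
# Constructed example for the playbook above, not from the original page or its roles.
# Key names are the ones the playbook references; all values are assumptions.

# WireGuard server settings (wireguard_server role, echoed in the deployment summary)
wg_network: 10.100.0.0/24      # matches the playbook's default() fallback
wg_server_ip: 10.100.0.1       # server address inside wg_network
wg_port: 51820                 # assumed listen port; the firewall role must allow it

# One entry per client config written to /root/wireguard-client-configs/
# The summary prints these as "name: ip", so both keys are required.
wg_peers:
  - name: alice-laptop
    ip: 10.100.0.10
  - name: bob-phone
    ip: 10.100.0.11

# Admin accounts created by the ssh_users role.
# Leave this list empty (or undefined) and the role is skipped, which means
# root stays the only account while root SSH login is still disabled by hardening.
admin_users:
  - username: alice
    comment: "Alice Example, on-call admin"
  - username: bob
    comment: "Bob Example"

# Directory on the control node where generated SSH keys are stored;
# the summary appends /<inventory_hostname>/ to it.
ssh_keys_local_dir: "{{ playbook_dir }}/ssh-keys"
```

Because the hardening disables root SSH login and the summary says root is used only when no admin users exist, the first run must connect with whatever account the fresh host already accepts (typically root); later runs should use one of the `admin_users` accounts, and the "Test SSH with admin users" step in the summary is the check that this handover worked before the root session is closed.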