---
- name: Ensure Ansible remote_tmp directory exists with correct permissions
  ansible.builtin.file:
    path: /root/.ansible/tmp
    state: directory
    mode: '0755'
    owner: root
    group: root
  become: true

- name: Install base system packages
  ansible.builtin.apt:
    name:
      # Base utilities
      - curl
      - wget
      - unzip
      - xclip
      - tree
      # Network and admin tools
      - net-tools
      - ufw
      - mailutils
      # Modern CLI tools
      - jq
      - ripgrep
      - fd-find
      # Power management (TLP for laptops)
      - tlp
      - tlp-rdw
    state: present

- name: Install yq YAML processor
  ansible.builtin.apt:
    name: yq
    state: present
    update_cache: false
  failed_when: false
  register: yq_apt_install

- name: Install yq from binary if apt fails
  when: yq_apt_install.failed or yq_apt_install is not succeeded
  block:
    - name: Download yq binary
      ansible.builtin.get_url:
        url: https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
        dest: /usr/local/bin/yq
        mode: '0755'
      register: yq_download

    - name: Verify yq installation
      ansible.builtin.command: yq --version
      changed_when: false

- name: Create fd symlink (Ubuntu uses fd-find)
  ansible.builtin.file:
    src: /usr/bin/fdfind
    dest: /usr/local/bin/fd
    state: link
  when: ansible_distribution == "Ubuntu"

# fail2ban configuration moved to monitoring role

# UFW enablement moved to ssh role to avoid lockout

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"

- name: Configure locale
  community.general.locale_gen:
    name: "{{ locale | default('en_US.UTF-8') }}"
    state: present

- name: Enable and start TLP service
  ansible.builtin.systemd:
    name: tlp
    enabled: true
    state: started
    daemon_reload: true
  become: true
  when: "'tlp' in ansible_facts.packages"