---
- name: Install base packages
  apt:
    name:
      - htop
      - curl
      - wget
      - unzip
      - xclip
    state: present
    update_cache: yes

- name: Install admin tools
  apt:
    name:
      - net-tools
      - ufw
      - fail2ban
      - mailutils
    state: present

- name: Install monitoring tools
  apt:
    name:
      - iotop
      - nethogs
      - logwatch
    state: present

- name: Configure fail2ban
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    mode: '0644'
  notify: restart fail2ban

# UFW enablement moved to ssh role to avoid lockout

- name: Set timezone
  timezone:
    name: "{{ timezone | default('UTC') }}"

- name: Configure locale
  locale_gen:
    name: "{{ locale | default('en_US.UTF-8') }}"
    state: present