---
# SSH daemon setup: install the server, snapshot the stock config, render the
# managed config, then allow SSH in UFW before its default deny is applied.

# state: present installs the package when missing; it does not upgrade it.
- name: Ensure SSH server installed
  ansible.builtin.apt:
    state: present
    name: openssh-server

# remote_src copies on the managed host itself. force: false skips the copy
# once the destination exists, so later runs never overwrite this snapshot
# with an already-templated file.
- name: Create safety copy of original SSH configuration
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.original
    src: /etc/ssh/sshd_config
    remote_src: true
    force: false
    mode: "0600"

# validate runs `sshd -t` against the rendered file (%s) before it replaces
# the live config, so a template that sshd rejects fails the task instead of
# being installed. backup: true keeps the previous file beside the new one.
# The "Restart sshd" handler is defined outside this file.
- name: Configure SSH daemon
  ansible.builtin.template:
    dest: /etc/ssh/sshd_config
    src: sshd_config.j2
    mode: "0644"
    backup: true
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart sshd

# ssh_port is supplied from outside this file; presumably the same variable
# sets Port in sshd_config.j2 - confirm, or rule and daemon can diverge.
- name: Configure firewalls - allow SSH port
  community.general.ufw:
    proto: tcp
    port: '{{ ssh_port }}'
    rule: allow

# failed_when: false means this task never reports failure, so a missing
# profile and any other ufw error are equally hidden.
# NOTE(review): the stock OpenSSH profile normally covers 22/tcp, so with a
# non-default ssh_port this also leaves 22 allowed - confirm that is intended.
- name: Configure firewalls - allow SSH by name (fallback)
  community.general.ufw:
    name: OpenSSH
    rule: allow
  failed_when: false

# Runs last, so the SSH allow rules are in place before default deny takes
# effect. No direction is given; ufw then applies the policy to incoming
# traffic.
- name: Enable UFW with deny default policy
  community.general.ufw:
    policy: deny
    state: enabled