ansible/roles/base/tasks/main.yml

---
- name: Update apt cache (shared baseline)
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: "{{ apt_cache_valid_time | default(3600) }}"
  when: ansible_os_family == "Debian"

- name: Ensure Ansible remote_tmp directory exists with correct permissions
  ansible.builtin.file:
    path: /root/.ansible/tmp
    state: directory
    mode: '0755'
    owner: root
    group: root
  become: true

- name: Install base system packages
  ansible.builtin.apt:
    name:
      # Base utilities
      - curl
      - wget
      - unzip
      - xclip
      - tree
      # Network and admin tools
      - net-tools
      - ufw
      - mailutils
      # Modern CLI tools
      - jq
      - ripgrep
      - fd-find
    state: present

- name: Install yq YAML processor
  ansible.builtin.apt:
    name: yq
    state: present
    update_cache: false
  failed_when: false
  register: yq_apt_install

- name: Install yq from binary if apt fails
  when: yq_apt_install.failed or yq_apt_install is not succeeded
  block:
    - name: Download yq binary
      ansible.builtin.get_url:
        url: https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
        dest: /usr/local/bin/yq
        mode: '0755'
      register: yq_download

    - name: Verify yq installation
      ansible.builtin.command: yq --version
      changed_when: false

- name: Create fd symlink (Ubuntu uses fd-find)
  ansible.builtin.file:
    src: /usr/bin/fdfind
    dest: /usr/local/bin/fd
    state: link
  when: ansible_distribution == "Ubuntu"

# fail2ban configuration moved to monitoring role

# UFW enablement moved to ssh role to avoid lockout

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"

- name: Configure locale
  community.general.locale_gen:
    name: "{{ locale | default('en_US.UTF-8') }}"
    state: present