---
- name: Lock down root & SSH on the server
  hosts: UpskillChallengeNode
  gather_facts: no

  tasks:
  - name: Disable root login over ssh
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^PermitRootLogin'
      line: 'PermitRootLogin no'

  - name: Disable all users' password login
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^PasswordAuthentication'
      line: 'PasswordAuthentication no'

  - name: Change SSH port
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^#?Port '
      line: 'Port 22022'

  - name: update and upgrade packages
    ansible.builtin.apt:
      update_cache: yes
      upgrade: yes

  - name: install fail2ban
    ansible.builtin.apt:
      package: fail2ban
      state: present

  - name: restart ssh
    service:
      name: ssh
      state: restarted