---
- name: install common packages
  apt: name={{item}} state=latest
  with_items:
    - ufw
    - openssl
    - ca-certificates
    - curl
    - wget
    - jq
    - rsync

- name: firewall - allow ssh
  ufw: rule=allow port=22 proto=tcp

- name: firewall - enforce rules and deny by default
  ufw: state=enabled policy=deny

- name: forward root email
  lineinfile: "dest=/etc/aliases regexp='root:' line='root: infra@odersky.com'"

- name: unattended upgrades - install
  apt: name={{item}} state=latest
  with_items:
    - unattended-upgrades
    - apt-listchanges

- name: unattended upgrades - configure email
  lineinfile:
    dest=/etc/apt/apt.conf.d/50unattended-upgrades
    regexp='//Unattended-Upgrade::Mail "root";'
    line='Unattended-Upgrade::Mail "root";'
    backrefs=yes

- name: unattended upgrades - enable
  copy:
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    dest: /etc/apt/apt.conf.d/20auto-upgrades