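# Hardening playbook for the Linux server SRV.
- name: Sécurisation serveur Linux SRV
  hosts: SRV
  become: true
  tasks:
    # (1) Create the sioadm user with a bash shell.
    # The password is hard-coded in clear text; outside a lab, supply it from an Ansible Vault variable.
    # update_password: on_create keeps the task idempotent, because password_hash()
    # without a fixed salt produces a different hash on every run.
    - name: (1) Création de l'utilisateur sioadm avec son shell
      user:
        name: sioadm
        password: "{{ 'sioadm' | password_hash('sha512') }}"
        shell: /bin/bash
        update_password: on_create

    # (2) Add the user to the sudo group.
    # append: true adds the group without removing the user's other supplementary groups.
    - name: (2) Ajout de l'utilisateur au groupe sudo
      user:
        name: sioadm
        groups: sudo
        append: true

    # (3) Install the SSH public key for sioadm.
    # The base64 key body is not present in the source; substitute the controller's public key.
    - name: (3) Ajout de la clé publique SSH pour l'utilisateur sioadm
      authorized_key:
        user: sioadm
        key: "ssh-rsa <KEY_BODY_ELIDED> sioadm@ctrl"

    # (4) Remove unneeded packages (wpasupplicant and rpcbind).
    - name: (4) Désinstallation des paquets inutiles (wpasupplicant et rpcbind)
      apt:
        state: absent
        name:
          - wpasupplicant
          - rpcbind

    # (5) Write /etc/resolv.conf.
    # The file is written whole with copy: the replace module substitutes the full
    # block for every matching line, so the entries were duplicated on each run.
    - name: (5) Configuration du fichier /etc/resolv.conf
      copy:
        dest: /etc/resolv.conf
        content: |
          search sio.lan
          domain sio.lan
          nameserver 10.121.38.7
          nameserver 10.121.38.8

    # (6) SSH: root may log in with a key only, never with a password.
    - name: (6) Configuration du paramétrage SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'

    # Restart SSH so the new setting takes effect.
    - name: Redémarrage du service SSH
      service:
        name: ssh
        state: restarted

    # (7) (Bonus) Install UFW. This task only installs the package;
    # the firewall stays inactive until the ufw module is run with state: enabled.
    - name: (7)(Bonus) Activation du pare-feu UFW
      apt:
        name: ufw
        state: present

    # (7) (Bonus) Allow port 22 (SSH) through the firewall.
    - name: (7) (Bonus) Autorisation du port 22 (SSH) sur le pare-feu
      ufw:
        rule: allow
        port: '22'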