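---
# Playbook: install Fail2Ban, write /etc/fail2ban/jail.local with one jail
# built from `fail2ban_default_jail`, and make sure the service is enabled
# and running. A handler restarts the service whenever jail.local changes,
# so an already-running daemon does not keep enforcing the old settings.
- name: Harden Pop!_OS with Fail2Ban
  hosts: all
  become: true

  vars:
    # Settings for the single jail rendered into jail.local.
    # maxretry failures within findtime seconds lead to a ban of
    # bantime seconds.
    fail2ban_default_jail:
      name: sshd
      enabled: true
      port: ssh
      filter: sshd
      # NOTE(review): the [DEFAULT] section below sets backend = systemd,
      # which reads the journal; logpath is only consulted by file-based
      # backends. Confirm which log source is intended.
      logpath: /var/log/auth.log
      maxretry: 5
      bantime: 600
      findtime: 600

  tasks:
    - name: Ensure Fail2Ban is installed
      apt:
        name: fail2ban
        state: present
        update_cache: true

    # jail.local overrides the packaged jail.conf and survives package
    # upgrades. It holds no secrets, so world-readable 0644 is fine, but it
    # must stay writable by root only: whoever can edit it can disable bans.
    #
    # `sender` was a bare "root@" with no domain part, which is not a usable
    # envelope address for the mail action; it now uses fail2ban's
    # <fq-hostname> tag, as the stock jail.conf does.
    # action_mwl bans and mails a report (whois + matching log lines) to
    # destemail, so it presumably needs a working local MTA.
    - name: Create jail.local with default sshd jail
      copy:
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: '0644'
        content: |
          [DEFAULT]
          banaction = iptables-multiport
          backend = systemd
          destemail = root@localhost
          sender = root@<fq-hostname>
          action = %(action_mwl)s

          [{{ fail2ban_default_jail.name }}]
          enabled = {{ fail2ban_default_jail.enabled | lower }}
          port = {{ fail2ban_default_jail.port }}
          filter = {{ fail2ban_default_jail.filter }}
          logpath = {{ fail2ban_default_jail.logpath }}
          maxretry = {{ fail2ban_default_jail.maxretry }}
          bantime = {{ fail2ban_default_jail.bantime }}
          findtime = {{ fail2ban_default_jail.findtime }}
      # Without this, `state: started` below is a no-op on hosts where the
      # daemon is already up, and the new jail settings never take effect.
      notify: Restart fail2ban

    - name: Ensure fail2ban is enabled and running
      systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    # Runs once at the end of the play, only if jail.local changed.
    - name: Restart fail2ban
      systemd:
        name: fail2ban
        state: restarted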