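---
# Host hardening tasks: install fail2ban with a managed configuration and
# turn off SSH password authentication.
# The "restart sshd" handler notified below is not defined in this file.

- name: Ensures fail2ban dir exists
  ansible.builtin.file:
    path: /etc/fail2ban
    state: directory
    # Explicit ownership and mode, so the result does not depend on the
    # umask or on whatever the directory already had.
    owner: root
    group: root
    mode: "0755"

- name: Configure fail2ban
  ansible.builtin.copy:
    src: ../templates/fail2ban.conf
    dest: /etc/fail2ban/fail2ban.conf
    owner: root
    group: root
    # Only root may change the ban policy; the file stays world-readable.
    mode: "0644"
    # Keep a timestamped copy of any file this task overwrites.
    backup: true

- name: Update package cache (apt/Debian)
  ansible.builtin.apt:
    update_cache: true
  # ansible_distribution is "Debian" only on Debian itself; derivatives
  # such as Ubuntu report their own name, so this task is skipped there.
  when: ansible_distribution == "Debian"

- name: Install fail2ban
  ansible.builtin.package:
    name: fail2ban
    state: present

# sshd uses the first value it reads for a keyword, while lineinfile
# rewrites only the LAST line matching regexp (or appends at end of file).
# An earlier "PasswordAuthentication yes", an Include'd drop-in read before
# this line, or a trailing Match block can therefore leave password logins
# enabled. Confirm the effective value on the host with `sshd -T`.
- name: Disable password login
  ansible.builtin.lineinfile:
    dest: "/etc/ssh/sshd_config"
    regexp: '^(#\s*)?PasswordAuthentication '
    line: "PasswordAuthentication no"
    # Syntax-check the candidate file before it replaces the live one, so a
    # broken sshd_config never reaches the restart handler.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd

# Deliberately disabled: the condition is always false (originally written
# as "0 > 1"). If this is ever enabled, sshd_port must be defined, and
# anything that names the SSH port (firewall rules, fail2ban jails) has to
# be changed to match.
- name: Change SSH port
  ansible.builtin.lineinfile:
    dest: "/etc/ssh/sshd_config"
    regexp: "^Port "
    line: "Port {{ sshd_port }}"
    # Rejects a non-numeric or out-of-range sshd_port before it is written.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when: false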