---
- hosts: all
  become: true
  tasks:
  - name: Update apt cache
    apt:
      update_cache: yes
    changed_when: false

  - name: Install required packages
    apt:
      name:
      - fail2ban
      - iptables
      state: present

  - name: Ensure SSH port is set to 7511 in /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^#?Port '
      line: 'Port 7511'
      state: present
      backup: yes
    notify: Restart SSH

  - name: Check if ssh.socket unit exists
    stat:
      path: /usr/lib/systemd/system/ssh.socket
    register: ssh_socket_unit

  - name: Set ListenStream to 7511 in ssh.socket
    lineinfile:
      path: /usr/lib/systemd/system/ssh.socket
      regexp: '^ListenStream='
      line: 'ListenStream=7511'
      backup: yes
    when: ssh_socket_unit.stat.exists
    notify: Reload systemd and restart ssh.socket

  - name: Test sshd configuration
    command: sshd -t
    changed_when: false

  - name: Open firewall ports
    iptables:
      chain: INPUT
      protocol: tcp
      destination_port: "{{ item }}"
      jump: ACCEPT
      state: present
    loop: "{{ firewall_ports }}"

  - name: Ensure fail2ban is started and enabled
    service:
      name: fail2ban
      state: started
      enabled: yes

  handlers:
    - name: Reload systemd and restart ssh.socket
      shell: |
        systemctl daemon-reload
        systemctl restart ssh.socket
    - name: Restart SSH
      service:
        name: ssh
        state: restarted