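---
# System maintenance play: refreshes and upgrades packages, empties /tmp,
# restarts one service, provisions a privileged admin account, writes a
# health report and enables cron logging to its own file.
# It runs with privilege escalation on every host in the inventory, so review
# the variables below (especially admin_password and the NOPASSWD grant)
# before running it.
- name: System Maintenance with Admin Setup (Idempotent & Secure)
  hosts: all
  become: true
  vars:
    # ==== Customizable Variables ====
    admin_user: "admin"
    admin_group: "sysadmin"
    # Must be an already-hashed password (replace with the output of
    # `mkpasswd --method=SHA-512`), never plaintext: the user module writes
    # this value verbatim into /etc/shadow. Keep the real hash in Ansible
    # Vault or a secrets store rather than committing it to this file.
    admin_password: "$6$Z1rC2h...EncryptedPassword..."
    ssh_key_path: "/home/{{ admin_user }}/.ssh/id_rsa"
    health_report_path: "/var/log/system_health_report.txt"
    cron_log_path: "/var/log/cron.log"
    default_service: "cron"

  tasks:
    # ==== PACKAGE MAINTENANCE ====
    - name: Update package repositories
      apt:
        update_cache: true
      register: update_result
      # Report "changed" only when apt actually refreshed its index.
      changed_when: update_result.cache_updated
      tags: update

    # NOTE: `upgrade: dist` upgrades *every* installed package (kernel
    # included), not only security updates. Kernel and library upgrades
    # need a reboot to take effect; this play does not reboot.
    - name: Upgrade all packages (dist-upgrade)
      apt:
        upgrade: dist
      tags: upgrade

    # ==== CLEANUP ====
    # Deletes everything below /tmp, including dotfiles and files that
    # running services may still hold open (sockets, lock files, X11
    # sockets), so schedule this in a maintenance window.
    # `find -delete` replaces `rm -rf /tmp/* || true`: it does not depend on
    # shell globbing, does not skip dotfiles, and reports real failures
    # instead of masking every error with `|| true`. -xdev keeps the walk on
    # the /tmp filesystem so a mount below /tmp is not emptied.
    - name: Clean all contents of /tmp directory
      command: find /tmp -mindepth 1 -xdev -delete
      tags: cleanup

    # Sticky bit (1777) is required on a shared temp dir so users can only
    # remove their own files.
    - name: Ensure /tmp directory exists with correct permissions
      file:
        path: /tmp
        state: directory
        owner: root
        group: root
        mode: '1777'
      tags: cleanup

    # ==== SERVICE MAINTENANCE ====
    # Unconditional restart: this task reports "changed" on every run.
    - name: "Restart specific service (default: cron)"
      service:
        name: "{{ default_service }}"
        state: restarted
      tags: restart

    # ==== ADMIN USER MANAGEMENT ====
    - name: Ensure admin group exists
      group:
        name: "{{ admin_group }}"
        state: present
      tags: admin

    - name: Ensure admin user exists
      user:
        name: "{{ admin_user }}"
        group: "{{ admin_group }}"
        password: "{{ admin_password }}"
        shell: /bin/bash
        create_home: true
        state: present
      tags: admin

    # NOPASSWD:ALL means whoever controls this account (password or the
    # private key generated below) has root without any further prompt.
    # `validate` runs visudo on the file before it is installed, so a
    # malformed sudoers fragment cannot lock every operator out of sudo.
    # The trailing newline is kept because some sudo versions reject a
    # sudoers.d file without one.
    - name: Grant sudo privileges to admin user (NOPASSWD)
      copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
        mode: '0440'
        owner: root
        group: root
        validate: 'visudo -cf %s'
      tags: admin

    - name: Ensure .ssh directory exists for admin
      file:
        path: "/home/{{ admin_user }}/.ssh"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_group }}"
        mode: '0700'
      tags: admin

    # Generates a key pair *on the managed host*. Nothing in this play adds
    # a key to authorized_keys, so this does not by itself let anyone log in
    # as the admin user; it only gives the host an identity for outbound
    # SSH. To grant operator access, use the `authorized_key` module with the
    # operator's public key instead of shipping private keys to servers.
    # RSA-2048 is kept to match the default id_rsa path; for new deployments
    # prefer `type: ed25519` with a matching ssh_key_path.
    - name: Generate SSH key pair (idempotent)
      openssh_keypair:
        path: "{{ ssh_key_path }}"
        owner: "{{ admin_user }}"
        group: "{{ admin_group }}"
        mode: '0600'
        type: rsa
        size: 2048
      tags: admin

    # ==== SYSTEM REPORTING ====
    # The target path is shell-quoted so an override containing spaces or
    # metacharacters cannot break out of the redirection. The whole report is
    # written by one grouped redirection with umask 027 so it is never
    # world-readable at creation time (it contains the process list).
    - name: Generate system health report
      shell: |
        umask 027
        {
          echo "===== SYSTEM HEALTH REPORT ====="
          echo -e "\n--- TOP ---"
          top -b -n1 | head -n 20
          echo -e "\n--- DISK USAGE ---"
          df -h
          echo -e "\n--- MEMORY ---"
          free -h
        } > {{ health_report_path | quote }}
      args:
        executable: /bin/bash
      tags: report

    # umask only affects newly created files; tighten an existing report too.
    - name: Restrict health report permissions
      file:
        path: "{{ health_report_path }}"
        owner: root
        group: root
        mode: '0640'
      tags: report

    # ==== LOGGING CONFIGURATION ====
    # Targets the Debian/Ubuntu rsyslog default config. The file is not
    # created if missing, so the task fails loudly on hosts with another
    # layout instead of silently writing a stray fragment.
    # The regexp matches the stock `#cron.*` line whether or not it is
    # commented out; `.` and `*` are escaped so only that selector matches.
    - name: Enable cron logging (if not already)
      lineinfile:
        path: /etc/rsyslog.d/50-default.conf
        regexp: '^#?cron\.\*'
        line: 'cron.* {{ cron_log_path }}'
      notify: Restart rsyslog
      tags: logging

  handlers:
    - name: Restart rsyslog
      service:
        name: rsyslog
        state: restarted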