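---
# Common configuration for all nodes.
#
# Variables consumed here (defined by the calling play/role, not in this file):
#   timezone, common_packages, swap_enabled, sysctl_config,
#   unattended_upgrades_enabled
#
# NOTE(review): modules are referenced by short name. `sysctl` resolves to
# ansible.posix.sysctl and `ufw` to community.general.ufw on Ansible >= 2.10,
# so both collections must be installed on the controller — confirm against
# the project's requirements.yml.

- name: Set timezone
  timezone:
    name: "{{ timezone }}"

- name: Install common packages
  apt:
    name: "{{ common_packages }}"
    state: present
    update_cache: true

# Swap is disabled in two steps. `swapoff -a` is safe to re-run and has no
# reliable change indicator, so it is marked changed_when: false; the fstab
# edit uses lineinfile so that it is idempotent and reports a real change
# instead of an unconditional `sed -i` that also matched commented lines.
- name: Disable swap
  command: swapoff -a
  when: not swap_enabled
  changed_when: false

- name: Remove swap entries from /etc/fstab
  lineinfile:
    path: /etc/fstab
    # Matches only uncommented entries whose fs type field is "swap".
    regexp: '^[^#].*\sswap\s'
    state: absent
  when: not swap_enabled

- name: Load kernel modules
  modprobe:
    name: "{{ item }}"
    state: present
  loop:
    - overlay
    - br_netfilter

# Keep this list in sync with the `Load kernel modules` loop above so the
# running set of modules matches what is loaded on the next boot.
- name: Configure kernel modules to load at boot
  copy:
    dest: /etc/modules-load.d/k3s.conf
    content: |
      overlay
      br_netfilter
    mode: '0644'

- name: Configure sysctl parameters
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/99-k3s.conf
  loop: "{{ sysctl_config | dict2items }}"

- name: Configure unattended-upgrades
  include_tasks: unattended-upgrades.yml
  when: unattended_upgrades_enabled

- name: Create k3s directories
  file:
    path: "{{ item }}"
    state: directory
    mode: '0755'
  loop:
    - /etc/rancher/k3s
    - /var/lib/rancher/k3s

# The whole block is gated by `when: false` (see the bottom of the block),
# i.e. host firewalling is opt-in. Rules are added before ufw is enabled so
# that enabling the deny-by-default policy cannot lock out SSH.
# NOTE(review): the original file was flattened; the `when: false` is assumed
# to belong to the block rather than to the `Enable ufw` task — confirm.
- name: Configure firewall rules (ufw)
  block:
    - name: Install ufw
      apt:
        name: ufw
        state: present

    - name: Allow SSH
      ufw:
        rule: allow
        port: '22'
        proto: tcp

    - name: Allow K3s API
      ufw:
        rule: allow
        port: '6443'
        proto: tcp

    # Embedded etcd peer/client ports are only needed on HA server nodes, and
    # should be reachable from cluster peers only: add
    # `src: <CLUSTER_NODE_CIDR placeholder>` once that variable exists.
    - name: Allow K3s etcd
      ufw:
        rule: allow
        port: '2379:2380'
        proto: tcp

    # 10250 is the kubelet API (used by the API server for logs/exec and by
    # metrics-server); like etcd it should be limited to cluster peers.
    - name: Allow K3s metrics
      ufw:
        rule: allow
        port: '10250'
        proto: tcp

    - name: Enable ufw
      ufw:
        state: enabled
        policy: deny
        direction: incoming
  when: false  # Disabled by default, enable if needed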