- name: Initial System Setup
  hosts:
    - mx1
    - mx2
  remote_user: root
  become: true
  become_method: su
  vars_files:
    - vars.yml
  tasks:
    - name: Apply all available system patches
      command: syspatch
      register: syspatch
      failed_when: syspatch.rc != 0 and syspatch.rc != 2
      changed_when: syspatch.rc == 0

    - name: Update package list and upgrade all packages
      command: pkg_add -u

    - name: Install essential packages
      community.general.openbsd_pkg:
        name:
          - nano
          - curl
          - git
        state: present

    - name: Disable SSH password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present
      register: sshd_config

    - name: Restart SSH service to apply changes
      ansible.builtin.service:
        name: sshd
        state: restarted
      when: sshd_config.changed

    - name: Add SSH public key to authorized_keys
      ansible.posix.authorized_key:
        user: root
        key: "{{ ssh_public_key }}"

    - name: Configure firewall
      template:
        src: "templates/pf.conf.j2"
        dest: /etc/pf.conf
        validate: pfctl -n -f %s
      register: pf

    - name: Load config to pf if needed
      command: pfctl -f /etc/pf.conf
      when: pf.changed