- name: Create Ansible's temporary remote directory
  ansible.builtin.file:
    path: "~/.ansible/tmp"
    state: directory
    mode: "755"

- name: Create system user groups
  ansible.builtin.group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid }}"
    state: present
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: users is defined

- name: Create system users
  ansible.builtin.user:
    name: "{{ item.key }}"
    state: present
    uid: "{{ item.value.uid }}"
    group: "{{ item.value.gid }}"
    groups: "{{ item.value.groups | default([]) }}"
    shell: "{{ item.value.shell | default('/bin/bash') }}"
    create_home: "{{ item.value.home | default(false) }}"
    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
    system: "{{ item.value.system | default(false) }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: users is defined

- name: Create Ansible's temporary remote directory for users
  ansible.builtin.file:
    path: "{{ item.value.homedir | default('/home/' + item.key) }}/.ansible/tmp"
    state: directory
    mode: "755"
    owner: "{{ item.key }}"
    group: "{{ item.value.gid }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when:
    - users is defined
    - item.value.ansible_temp | default(false)

- name: Install EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: present
    update_cache: true

- name: Install useful software
  ansible.builtin.dnf:
    name: "{{ common_packages }}"
    state: present
    update_cache: true

- name: Install firewalld
  ansible.builtin.dnf:
    name: firewalld
    state: present

- name: Start and enable firewalld service
  ansible.builtin.systemd:
    name: firewalld
    state: started
    enabled: true

- name: Set default zone to drop (deny incoming by default)
  ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    immediate: true

- name: Allow SSH in drop zone with rate limiting via rich rule
  ansible.posix.firewalld:
    zone: drop
    rich_rule: 'rule service name="ssh" accept limit value="10/m"'
    permanent: true
    immediate: true
    state: enabled

- name: Set drop as the default zone
  ansible.builtin.command:
    cmd: firewall-cmd --set-default-zone=drop
  changed_when: false