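#cloud-config
# Rendered by Ansible (Jinja2) and then handed to cloud-init on first boot;
# the rendered output must still start with "#cloud-config" on line 1.
# Templated string values are quoted so that an empty or boolean/number-
# looking expansion (e.g. a hostname of "no") cannot be re-typed by YAML.
hostname: "{{ deploy_linux_vm_hostname }}"
fqdn: "{{ deploy_linux_vm_hostname }}.{{ deploy_linux_vm_domain }}"
manage_etc_hosts: true

# Automation user with passwordless sudo (needed for Ansible runs).
users:
  - name: "{{ deploy_linux_vm_ansible_user }}"
    groups: sudo
    shell: "{{ deploy_linux_vm_ansible_user_shell }}"
    sudo:
      - 'ALL=(ALL) NOPASSWD:ALL'
    ssh_authorized_keys:
      - "{{ deploy_linux_vm_ansible_user_ssh_key }}"
  - name: root
    # Root keeps a usable password so the hypervisor console stays an
    # emergency entry point; network root login is governed by sshd below.
    lock_passwd: false

# Root password for emergency console access.
# NOTE: the value lands in clear text in the rendered user-data, which is
# kept on the guest (root-readable). Pass a crypt(3)-style hash ("$6$...")
# instead of a plain password -- cloud-init treats such a value as already
# hashed -- so the clear text never leaves the controller.
chpasswd:
  list: |
    root:{{ deploy_linux_vm_root_password }}
  expire: false

# SSH: cloud-init's own password-auth toggle. The sshd drop-in written in
# write_files also sets PasswordAuthentication; sshd keeps the first value it
# reads for a keyword and Debian/Ubuntu typically Include sshd_config.d/*
# at the top of sshd_config, so keep deploy_linux_vm_ssh_password_authentication
# consistent with this key or the drop-in will take precedence.
ssh_pwauth: false
disable_root: false

# Essential packages per CLAUDE.md guidelines.
# chrony is enabled in runcmd but is not listed here; it must come from the
# image or from deploy_linux_vm_essential_packages.
packages:
  - sudo
{% for package in deploy_linux_vm_essential_packages %}
  - "{{ package }}"
{% endfor %}
{% for package in deploy_linux_vm_security_packages %}
  - "{{ package }}"
{% endfor %}
  - auditd
  - ufw
  - lvm2
  - cloud-guest-utils
  - parted
  - unattended-upgrades
  - apt-listchanges

# Security configuration files (write_files runs before runcmd, so the sshd
# restart below picks up the drop-in).
write_files:
  - path: /etc/ssh/sshd_config.d/99-security.conf
    content: |
      # SSH Security Configuration - CLAUDE.md Compliance
      PermitRootLogin {{ deploy_linux_vm_ssh_permit_root_login }}
      PasswordAuthentication {{ deploy_linux_vm_ssh_password_authentication }}
      PubkeyAuthentication {{ deploy_linux_vm_ssh_pubkey_authentication }}
      MaxAuthTries {{ deploy_linux_vm_ssh_max_auth_tries }}
      MaxSessions {{ deploy_linux_vm_ssh_max_sessions }}
      ClientAliveInterval {{ deploy_linux_vm_ssh_client_alive_interval }}
      ClientAliveCountMax {{ deploy_linux_vm_ssh_client_alive_count_max }}

      # Disable GSSAPI Authentication (per requirements)
      GSSAPIAuthentication {{ deploy_linux_vm_ssh_gssapi_authentication }}
      GSSAPICleanupCredentials {{ deploy_linux_vm_ssh_gssapi_cleanup_credentials }}

      # Additional hardening
      PermitEmptyPasswords no
      # ChallengeResponseAuthentication is the legacy alias of
      # KbdInteractiveAuthentication; set both so old and new OpenSSH agree.
      ChallengeResponseAuthentication no
      KbdInteractiveAuthentication no
      UsePAM yes
      X11Forwarding no
      PrintMotd no
      AcceptEnv LANG LC_*
    permissions: '0644'

  # Redundant with users[].sudo above (cloud-init already writes
  # /etc/sudoers.d/90-cloud-init-users); kept as an explicit, greppable grant.
  # sudo ignores sudoers.d files whose name contains '.' or ends in '~', so
  # the user name must not contain a dot.
  - path: /etc/sudoers.d/{{ deploy_linux_vm_ansible_user }}
    content: |
      {{ deploy_linux_vm_ansible_user }} ALL=(ALL) NOPASSWD:ALL
    permissions: '0440'

  # Only the security pocket is auto-applied; reboot is opt-in via
  # deploy_linux_vm_automatic_reboot.
  - path: /etc/apt/apt.conf.d/50unattended-upgrades
    content: |
      Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
      };
      Unattended-Upgrade::AutoFixInterruptedDpkg "true";
      Unattended-Upgrade::MinimalSteps "true";
      Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Automatic-Reboot "{{ 'true' if deploy_linux_vm_automatic_reboot else 'false' }}";
    permissions: '0644'

  - path: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";
    permissions: '0644'

# System configuration commands (run once, in order, in the final stage).
runcmd:
  - systemctl enable ssh
  - systemctl restart ssh
  - systemctl enable chrony
  - systemctl start chrony
{% if deploy_linux_vm_enable_firewall %}
  # Add the SSH allow rule before enabling: once enabled, ufw's default
  # policy denies incoming traffic, so the management path must already be
  # permitted when the policy takes effect.
  - ufw allow ssh
  - ufw --force enable
{% endif %}
{% if deploy_linux_vm_enable_auditd %}
  - systemctl enable auditd
  - systemctl start auditd
{% endif %}
  # Root disk device is hard-coded to the virtio layout; failures on other
  # layouts are deliberately ignored so the rest of runcmd still executes.
  - growpart /dev/vda 1 || true
  - resize2fs /dev/vda1 || true

# These expand to the literal tokens true/false and are meant as YAML
# booleans, so they are intentionally left unquoted.
package_update: {{ deploy_linux_vm_package_update | lower }}
package_upgrade: {{ deploy_linux_vm_package_upgrade | lower }}
package_reboot_if_required: {{ deploy_linux_vm_package_reboot_if_required | lower }}

timezone: "{{ deploy_linux_vm_timezone }}"
locale: "{{ deploy_linux_vm_locale }}"

# Mirror all cloud-init stage output to a persistent log for post-deploy
# troubleshooting.
output:
  all: '| tee -a /var/log/cloud-init-output.log'

# $UPTIME is substituted by cloud-init at the end of the final stage.
final_message: "{{ deploy_linux_vm_os_distribution }} VM deployment completed. System is ready after $UPTIME seconds."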