---
- name: Baseline system setup
  hosts: all
  become: true

  roles:
    - role: baseline_sudo
      tags: sudo

    - role: users
      tags: users

# ==============================
# FREEIPA / SSSD (optional)
# ==============================

- name: FreeIPA client setup
  hosts: all
  become: true
  tags: never,sssd

  roles:
    - role: freeipa_client

# ==============================
# SSH HARDENING (run last!)
# ==============================

- name: SSH hardening
  hosts: all
  become: true
  tags: never,hardening

  roles:
    - role: ssh_hardening