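---
# Install Lynis on every host in the `proxmox` group, run a full system audit
# and save each host's console output on the control node as
# <playbook_dir>/logs/<inventory_hostname>_lynis_report.log.
#
# Only the captured stdout of the run is saved. By default Lynis also writes
# its own log and report data on the audited host (normally
# /var/log/lynis.log and /var/log/lynis-report.dat); this play does not
# collect those files.
- name: Run Lynis security audit on Proxmox hosts
  hosts: proxmox
  gather_facts: false
  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
      become: true

    - name: Install Lynis
      ansible.builtin.apt:
        name: lynis
        state: present
      become: true

    # The command uses no pipes, redirects or variable expansion, so
    # `command` is used instead of `shell` and no shell parses the line.
    # --no-colors keeps ANSI escape sequences out of the saved log.
    # The task only captures output into lynis_audit_output, so it is never
    # reported as changed.
    - name: Run Lynis audit
      ansible.builtin.command:
        cmd: lynis audit system --no-colors
      register: lynis_audit_output
      changed_when: false
      become: true

    # The audit output lists missing hardening and installed software for
    # each host, so the directory is restricted to the user running the play.
    # Runs once on the control node rather than once per inventory host.
    - name: Ensure log directory exists on local machine
      ansible.builtin.file:
        path: "{{ playbook_dir }}/logs"
        state: directory
        mode: "0700"
      delegate_to: localhost
      run_once: true

    # One file per host, written on the control node and readable by the
    # owner only. Without an explicit mode the file would be created with
    # whatever the local umask allows.
    - name: Save Lynis audit report to local log file
      ansible.builtin.copy:
        content: "{{ lynis_audit_output.stdout }}"
        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_lynis_report.log"
        mode: "0600"
      delegate_to: localhost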