# Complete Enhancement Template
# Copy these sections into each VM YAML file

# 1. Add to packages list (after lsb-release):
        # chrony (time sync) and unattended-upgrades (security patches) are the
        # two packages that the later NTP / auto-update steps configure and that
        # the package verification loop checks for. apt-listchanges only reports
        # package changes at upgrade time and is not part of that check.
        - chrony
        - unattended-upgrades
        - apt-listchanges

# 2. Add NTP configuration (after package_upgrade: true):
      # Time synchronization (NTP): cloud-init's ntp module configures chrony
      # against the public pool servers listed here. Correct time matters for
      # certificate validity checks, log correlation and apt release-file expiry.
      # NOTE(review): pool.ntp.org is plain, unauthenticated NTP; prefer an
      # internal or NTS-capable time source where one is available.
      ntp:
        enabled: true
        ntp_client: chrony
        servers:
          - 0.pool.ntp.org
          - 1.pool.ntp.org
          - 2.pool.ntp.org
          - 3.pool.ntp.org

# 3. Update package verification (replace the for loop):
          # Verify the packages from step 1 plus the base set are installed
          # (apt-listchanges is not included in this check).
          for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do

# 4. Add before final_message (after guest agent verification):
        # Configure automatic security updates: restrict unattended-upgrades to
        # the security origins, keep dpkg recoverable, prune unused kernels and
        # dependencies, and never reboot on its own (Automatic-Reboot "false";
        # the Reboot-Time is only consulted when reboots are enabled).
        # NOTE(review): the ESMApps/ESM origins exist on Ubuntu only; on other
        # Debian-family releases they match nothing and are harmless -- confirm
        # against the target distribution.
        - |
          echo "Configuring automatic security updates..."
          # Quoted 'EOF' keeps ${distro_id}/${distro_codename} literal: they are
          # macros expanded by unattended-upgrades, not by the shell. This
          # overwrites the file of the same name shipped by the package on
          # Debian/Ubuntu. The closing EOF must stay at the block scalar's base
          # indentation so it lands in column 0 of the rendered script.
          cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
              "${distro_id}ESMApps:${distro_codename}-apps-security";
              "${distro_id}ESM:${distro_codename}-infra-security";
          };
          Unattended-Upgrade::AutoFixInterruptedDpkg "true";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Automatic-Reboot "false";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          EOF
          systemctl enable unattended-upgrades
          systemctl start unattended-upgrades
          echo "Automatic security updates configured"
        
        # Configure NTP (Chrony): make sure the service is enabled and running
        # once cloud-init's ntp module has written its configuration, then log
        # one line of tracking status. Failures here are reported as a warning
        # and do not abort the remaining steps.
        - |
          echo "Configuring NTP (Chrony)..."
          systemctl enable chrony
          systemctl restart chrony
          # Give chronyd a moment to come up before checking its state.
          sleep 3
          if systemctl is-active --quiet chrony; then
            echo "NTP (Chrony) is running"
            # First line of tracking output only; '|| true' keeps a chronyc
            # failure (e.g. not yet synchronised) from failing the step.
            chronyc tracking | head -1 || true
          else
            echo "WARNING: NTP (Chrony) may not be running"
          fi
        
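        # SSH hardening: disable root and password logins, keep public-key auth,
        # and validate the result before restarting so a bad edit cannot leave
        # the host unreachable. cloud-init's own `disable_root: true` and
        # `ssh_pwauth: false` keys are the supported way to get the same effect;
        # this step is a belt-and-braces pass over the generated config and
        # assumes an authorized key is already installed (e.g. via
        # ssh_authorized_keys) -- otherwise nobody can log in afterwards.
        - |
          echo "Hardening SSH configuration..."
          SSHD_CONFIG=/etc/ssh/sshd_config
          if ! grep -q "^PermitRootLogin no" "$SSHD_CONFIG"; then
            sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
            sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' "$SSHD_CONFIG"
          fi
          if ! grep -q "^PasswordAuthentication no" "$SSHD_CONFIG"; then
            sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"
            sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' "$SSHD_CONFIG"
          fi
          if ! grep -q "^PubkeyAuthentication yes" "$SSHD_CONFIG"; then
            sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSHD_CONFIG"
          fi
          # Recent OpenSSH packages ship sshd_config with
          # "Include /etc/ssh/sshd_config.d/*.conf" at the top, and sshd keeps
          # the FIRST value it sees for a keyword, so any drop-in in that
          # directory (cloud-init writes one on some images) would silently
          # override the edits above. Pin the same settings in a drop-in whose
          # name sorts before the others (file name chosen here).
          if [ -d /etc/ssh/sshd_config.d ]; then
            printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
              > /etc/ssh/sshd_config.d/00-hardening.conf
          fi
          # Never restart on a configuration sshd itself rejects; a failed
          # restart would leave the host without SSH access.
          if /usr/sbin/sshd -t; then
            systemctl restart sshd
            echo "SSH hardening completed"
          else
            echo "WARNING: sshd -t rejected the configuration; sshd was not restarted"
          fi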
      
      # Write files for security configuration: 20auto-upgrades turns on APT's
      # periodic jobs (package-list refresh, download of upgradable packages,
      # autoclean every 7 days, and the unattended-upgrade run). Which origins
      # may be installed from is set in 50unattended-upgrades by the runcmd
      # step above. By default cloud-init's write_files runs before package
      # installation, so this file is already in place when the
      # unattended-upgrades service is first started.
      write_files:
        - path: /etc/apt/apt.conf.d/20auto-upgrades
          content: |
            APT::Periodic::Update-Package-Lists "1";
            APT::Periodic::Download-Upgradeable-Packages "1";
            APT::Periodic::AutocleanInterval "7";
            APT::Periodic::Unattended-Upgrade "1";
          # Quoted so YAML does not read the mode as an octal/decimal integer.
          permissions: '0644'
          owner: root:root
      
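      # Final message: printed by cloud-init to the console/log when boot
      # finishes. Only cloud-init's own placeholders ($version, $timestamp,
      # $datasource, $uptime) are substituted here -- shell command
      # substitution like $(systemctl is-active ...) is NOT run, it would be
      # printed literally, and a bare "$1" (as in an awk one-liner) may be
      # treated as an unknown template variable. Live status is therefore
      # checked from the runcmd steps above and the message stays static.
      final_message: |
        ==========================================
        System Boot Completed Successfully!
        ==========================================
        cloud-init $version finished at $timestamp
        (uptime: $uptime, datasource: $datasource)

        Packages Installed:
        - qemu-guest-agent, curl, wget, net-tools
        - chrony (NTP), unattended-upgrades (Security)

        Security Configuration:
        - SSH: Root login disabled, Password auth disabled
        - Automatic security updates: Enabled
        - NTP synchronization: Enabled

        Next Steps:
        1. Verify services: systemctl is-active qemu-guest-agent chrony unattended-upgrades
        2. Check cloud-init logs: /var/log/cloud-init-output.log
        3. Test SSH access (key-based only; password logins are disabled)
        ==========================================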

