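---
# Host firewall baseline task list: install ufw + fail2ban, rebuild the ufw
# rule set (default deny inbound / allow outbound, rate-limited SSH, HTTP on
# web hosts only), then deploy the fail2ban jail config and restart fail2ban
# only when that config actually changed.
#
# Booleans are written as true/false throughout: "yes" is a YAML 1.1 truthy
# literal that yamllint flags and some parsers read as a plain string.

- name: FIREWALL | install packages
  ansible.builtin.apt:
    cache_valid_time: 3600
    force_apt_get: true
    pkg:
      - fail2ban
      - ufw
    state: present
    update_cache: true

# NOTE: "reset" disables ufw and drops the existing rule set, so the host is
# unfiltered until the "enable & set logging" task below runs. Keep the tasks
# in between short and do not add anything here that can fail or pause.
- name: UFW | reset before setting
  community.general.ufw:
    state: reset

- name: UFW | deny everything IN
  community.general.ufw:
    direction: incoming
    policy: deny

- name: UFW | allow everything OUT
  community.general.ufw:
    direction: outgoing
    policy: allow

# rule: limit rate-limits new connections per source address (see ufw(8));
# log: true records the matches so repeated attempts show up in the logs.
- name: UFW | limit tcp port 22 IN
  community.general.ufw:
    direction: in
    log: true
    port: '22'
    proto: tcp
    rule: limit

# default([]) keeps the condition from raising on inventories with no "web"
# group; hosts outside that group simply skip the rule.
- name: UFW | allow tcp port 80 IN
  when: inventory_hostname in (groups['web'] | default([]))
  community.general.ufw:
    direction: in
    rule: allow
    port: '80'
    proto: tcp

- name: UFW | enable & set logging
  community.general.ufw:
    logging: low
    state: enabled

- name: FAIL2BAN | ensure daemon is running
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true

# Explicit root ownership and 0644: jail.local controls ban policy and must
# not be writable by anyone but root. Result is registered so the restart
# below can be made conditional on an actual change.
- name: FAIL2BAN | set local config
  ansible.builtin.template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
  register: fail2ban_jail_local

# Restart only when the rendered config changed, so repeated runs are
# idempotent. A handler would be the usual form, but a task file cannot
# declare handlers, so register/when is used instead.
- name: FAIL2BAN | restart service
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  when: fail2ban_jail_local is changed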