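---
# Host firewall (ufw) plus SSH brute-force protection (fail2ban).
#
# Ordering matters for lockout safety: every allow rule and both default
# policies are applied while ufw is still disabled, and ufw is only enabled
# in the last ufw task, so the SSH allow rule is in place before the firewall
# starts filtering.
#
# Required variable:
#   sshd_port                 port sshd listens on (also used by the fail2ban jail)
# Optional overrides (defaults reproduce the previously hard-coded values):
#   forgejo_ssh_port          Forgejo built-in SSH (default 2222)
#   syncthing_sync_port       Syncthing sync, TCP and UDP (default 22000)
#   syncthing_discovery_port  Syncthing local discovery, UDP (default 21027)

- name: Allow inbound services through ufw
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    comment: "{{ item.comment }}"
  loop:
    - port: "{{ sshd_port }}"
      proto: tcp
      comment: "SSH"
    - port: "{{ forgejo_ssh_port | default('2222') }}"
      proto: tcp
      comment: "Forgejo SSH"
    # Port 80 stays open permanently for the HTTP-01 ACME challenge; only the
    # ACME responder should be listening there, everything else belongs on 443.
    - port: "80"
      proto: tcp
      comment: "HTTP (ACME challenge)"
    - port: "443"
      proto: tcp
      comment: "HTTPS"
    - port: "{{ syncthing_sync_port | default('22000') }}"
      proto: tcp
      comment: "Syncthing sync"
    - port: "{{ syncthing_sync_port | default('22000') }}"
      proto: udp
      comment: "Syncthing sync"
    # Local discovery is a LAN broadcast protocol; this rule admits it from
    # any source, so restrict it with a `src:` if the host sits on a network
    # where that is undesirable.
    - port: "{{ syncthing_discovery_port | default('21027') }}"
      proto: udp
      comment: "Syncthing discovery"
  loop_control:
    label: "{{ item.comment }} ({{ item.port }}/{{ item.proto }})"

# Default-deny inbound; everything not explicitly allowed above is dropped
# once ufw is enabled.
- name: Set UFW default deny incoming
  community.general.ufw:
    direction: incoming
    policy: deny

- name: Set UFW default allow outgoing
  community.general.ufw:
    direction: outgoing
    policy: allow

# Must remain the last ufw task: enabling before the SSH allow rule exists
# would cut off the Ansible connection.
- name: Enable UFW
  community.general.ufw:
    state: enabled

# Bans a source for bantime seconds after maxretry failed SSH logins within
# findtime seconds. Only sshd on sshd_port is covered: Forgejo's built-in SSH
# (forgejo_ssh_port) is a separate service and gets no protection from this
# jail. NOTE(review): fail2ban's default banaction (iptables-multiport) is
# used here; bans therefore do not appear in `ufw status`. Setting
# `banaction = ufw` in [DEFAULT] would route them through ufw instead —
# confirm which behaviour is wanted before changing it.
- name: Ensure fail2ban is configured for SSH
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      bantime = 3600
      findtime = 600
      maxretry = 5

      [sshd]
      enabled = true
      port = {{ sshd_port }}
      logpath = %(sshd_log)s
      backend = %(sshd_backend)s
    owner: root
    group: root
    mode: "0644"
  notify: Restart fail2ban

- name: Ensure fail2ban is started and enabled
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true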