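---
# Host firewall (ufw) and fail2ban baseline.
#
# Ordering is deliberate: every allow rule and both default policies are
# written *before* `state: enabled`, so the moment ufw comes up the full
# ruleset (default deny incoming) is already in place.
#
# Requires: `sshd_port` defined by the caller, and a `Restart fail2ban`
# handler available wherever this task file is included.

- name: Allow SSH
  community.general.ufw:
    rule: allow
    port: "{{ sshd_port }}"
    proto: tcp
    comment: "SSH"

# Reachable from any source. Note that the fail2ban sshd jail below only
# watches `sshd_port`, so this port gets no brute-force protection from it.
- name: Allow Forgejo SSH
  community.general.ufw:
    rule: allow
    port: "2222"
    proto: tcp
    comment: "Forgejo SSH"

# Cloudflare IPv4 egress ranges, defined once and aliased below so the HTTP
# and HTTPS rules cannot drift apart. This is a point-in-time snapshot of the
# list Cloudflare publishes; it needs to be refreshed when that list changes.
# Only IPv4 ranges are listed, so any IPv6 traffic to 80/443 falls through to
# the default deny policy if ufw's IPv6 support is on — confirm that is the
# intent for this host.
- name: Allow HTTP from Cloudflare IPs only
  community.general.ufw:
    rule: allow
    port: "80"
    proto: tcp
    src: "{{ item }}"
    comment: "HTTP via Cloudflare"
  loop: &cloudflare_ipv4_ranges
    - "173.245.48.0/20"
    - "103.21.244.0/22"
    - "103.22.200.0/22"
    - "103.31.4.0/22"
    - "141.101.64.0/18"
    - "108.162.192.0/18"
    - "190.93.240.0/20"
    - "188.114.96.0/20"
    - "197.234.240.0/22"
    - "198.41.128.0/17"
    - "162.158.0.0/15"
    - "104.16.0.0/13"
    - "104.24.0.0/14"
    - "172.64.0.0/13"
    - "131.0.72.0/22"

- name: Allow HTTPS from Cloudflare IPs only
  community.general.ufw:
    rule: allow
    port: "443"
    proto: tcp
    src: "{{ item }}"
    comment: "HTTPS via Cloudflare"
  loop: *cloudflare_ipv4_ranges

# Syncthing ports are opened to any source; peer authentication is left to
# Syncthing's own device-ID model rather than the firewall.
- name: Allow Syncthing sync TCP
  community.general.ufw:
    rule: allow
    port: "22000"
    proto: tcp
    comment: "Syncthing sync"

- name: Allow Syncthing sync UDP
  community.general.ufw:
    rule: allow
    port: "22000"
    proto: udp
    comment: "Syncthing sync"

- name: Allow Syncthing discovery UDP
  community.general.ufw:
    rule: allow
    port: "21027"
    proto: udp
    comment: "Syncthing discovery"

# Default policies: everything not explicitly allowed above is dropped on
# ingress; egress is unrestricted.
- name: Set UFW default deny incoming
  community.general.ufw:
    direction: incoming
    policy: deny

- name: Set UFW default allow outgoing
  community.general.ufw:
    direction: outgoing
    policy: allow

- name: Enable UFW
  community.general.ufw:
    state: enabled

# jail.local overrides the packaged jail.conf. DEFAULT: ban for 3600 s after
# 5 failures within a 600 s window. The sshd jail is pinned to `sshd_port`;
# `%(sshd_log)s` / `%(sshd_backend)s` are interpolations fail2ban resolves
# from its own paths-*.conf, so they need no values here.
# Ownership is set explicitly so the file is root-owned even if the play
# ever runs with a non-root `become_user`.
- name: Ensure fail2ban is configured for SSH
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
    content: |
      [DEFAULT]
      bantime = 3600
      findtime = 600
      maxretry = 5

      [sshd]
      enabled = true
      port = {{ sshd_port }}
      logpath = %(sshd_log)s
      backend = %(sshd_backend)s
  notify: Restart fail2ban

- name: Ensure fail2ban is started and enabled
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true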