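---
# Baseline hardening for hosts in the `webserver` group:
#   * sshd: no root login, no password authentication, key authentication on
#   * ufw: default-deny inbound, allow 22/80/443, block known crawler ranges
#   * fail2ban, plus unattended upgrades with a 03:00 (US Pacific) reboot window
#
# Needs the `community.general` collection on the controller (ufw, timezone).
- name: Set up security defaults
  hosts: webserver
  become: true
  become_user: root
  tasks:
    # --- sshd ----------------------------------------------------------------
    # Every sshd_config edit is checked with `sshd -t` against the candidate
    # file before it replaces the real one, so a bad edit fails the task
    # instead of leaving an sshd that cannot restart (which would lock us out
    # when the handler fires).
    # NOTE(review): sshd keeps the first value it reads for an option. Images
    # whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`
    # can override these lines from a drop-in file — confirm the effective
    # settings on a target with `sshd -T`.
    - name: Disable root SSH login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    - name: Disable password-based SSH authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    - name: Enable public-key SSH authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd

    # --- packages ------------------------------------------------------------
    # One apt transaction for everything this play needs; the cache is only
    # refreshed when it is older than an hour.
    - name: Install fail2ban, ufw and unattended-upgrades
      ansible.builtin.apt:
        name:
          - fail2ban
          - ufw
          - unattended-upgrades
        state: present
        update_cache: true
        cache_valid_time: 3600

    # --- firewall ------------------------------------------------------------
    # ufw evaluates rules in order and the first match wins, so the
    # source-based deny rules must be added *before* the port allows. Added
    # the other way round, a denied range would still reach 22/80/443 because
    # the blanket allow rule matches first. Reordering tasks does not move
    # rules that an earlier run already created on a host; those need to be
    # reset (or deleted and re-added) once.
    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
      community.general.ufw:
        rule: deny
        src: 23.98.142.176/28
        comment: 'ChatGPT-User (https://platform.openai.com/docs/plugins/bot)'

    # The fetched list is turned straight into firewall rules, so TLS
    # verification stays on (it is the default; stated here so nobody
    # "simplifies" it away). A non-200 response fails the play.
    - name: Load GPTBot IP ranges
      ansible.builtin.uri:
        url: https://openai.com/gptbot.json
        validate_certs: true
      register: gptbot_info

    # Built-in Jinja filters replace json_query, which needs the jmespath
    # library installed on the controller. Entries without an ipv4Prefix are
    # skipped, matching what the `prefixes[*].ipv4Prefix` projection did.
    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
      community.general.ufw:
        rule: deny
        src: "{{ item }}"
        comment: 'GPTBot (https://platform.openai.com/docs/gptbot)'
      loop: >-
        {{ gptbot_info.json.prefixes
        | selectattr('ipv4Prefix', 'defined')
        | map(attribute='ipv4Prefix')
        | list }}

    # Port 22 must be allowed before ufw is enabled, or the enable step cuts
    # off the very session that is running the play.
    - name: Configure ufw firewall to allow SSH connections on port 22
      community.general.ufw:
        rule: allow
        port: '22'

    - name: Configure ufw firewall to allow HTTP connections on port 80
      community.general.ufw:
        rule: allow
        port: '80'

    - name: Configure ufw firewall to allow HTTPS connections on port 443
      community.general.ufw:
        rule: allow
        port: '443'

    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
        policy: deny

    # --- unattended upgrades -------------------------------------------------
    - name: Enable unattended-upgrades to auto-upgrade our system
      ansible.builtin.copy:
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        group: root
        mode: '0644'

    # The stock 50unattended-upgrades ships these options commented out with
    # `//`; the regexp matches both the commented and the active form so the
    # line is replaced rather than duplicated.
    - name: Configure unattended-upgrades to auto-reboot our server when necessary
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot "true";'

    # Set the zone before the reboot time so "03:00" below means local time.
    - name: Configure the system timezone to be US Pacific time
      community.general.timezone:
        name: America/Los_Angeles

    - name: Configure unattended-upgrades to delay necessary reboots to 3am
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot-Time "03:00";'

  handlers:
    # Runs once at the end of the play, after all sshd_config edits are in.
    - name: Restart sshd
      ansible.builtin.systemd:
        name: sshd
        state: restarted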