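---
# Baseline hardening for the hosts in the "health" group: key-only SSH logins,
# fail2ban, a default-deny ufw firewall that also blocks published bot ranges,
# unattended upgrades with a scheduled reboot window, and a fixed timezone.
- name: Set up security defaults
  hosts: health
  become: true
  become_user: root
  vars:
    # Service names resolved by ufw; these are the only inbound ports left
    # open once the default-deny policy is enabled further down.
    open_ports:
      - ssh
      - http
      - https
  tasks:
    # Drop-in fragment: only takes effect if /etc/ssh/sshd_config includes
    # sshd_config.d/*.conf (the default on recent Debian/Ubuntu images —
    # confirm for the image in use).
    # NOTE(review): turning off PasswordAuthentication assumes the connecting
    # account already has an authorized key; otherwise the handler's restart
    # locks the operator out. The validate step refuses a fragment sshd
    # cannot parse before it is written into place.
    - name: Disable insecure SSH authentication methods
      copy:
        dest: /etc/ssh/sshd_config.d/disable-insecure-logins.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH

    - name: Update the apt cache
      apt:
        update_cache: true

    - name: Install fail2ban firewall with default settings
      apt:
        name: fail2ban

    - name: Install ufw firewall
      apt:
        name: ufw

    # Allow rules are added while ufw is still disabled, so enabling the
    # default-deny policy below never cuts off the SSH session running this
    # play. Despite the task name this opens every entry in open_ports.
    - name: Configure ufw firewall to allow SSH connections on port 22
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
      loop: "{{ open_ports }}"

    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
      community.general.ufw:
        rule: deny
        src: "23.98.142.176/28"
        comment: "ChatGPT-User (https://platform.openai.com/docs/plugins/bot)"

    # Fetched from the managed host itself, so it needs outbound HTTPS to
    # openai.com; certificate validation is the uri module's default.
    - name: Load GPTBot IP ranges
      uri:
        url: https://openai.com/gptbot.json
      register: gptbot_info

    # json_query needs the jmespath Python library on the controller. The
    # expression assumes the published document keeps a prefixes[].ipv4Prefix
    # shape — confirm if this loop suddenly produces no rules.
    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
      community.general.ufw:
        rule: deny
        src: "{{ item }}"
        comment: "GPTBot (https://platform.openai.com/docs/gptbot)"
      loop: "{{ gptbot_info['json'] | community.general.json_query('prefixes[*].ipv4Prefix') }}"

    # Everything not explicitly allowed above is dropped from here on.
    - name: Enable ufw firewall with all other ports closed by default
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades

    - name: Enable unattended-upgrades to auto-upgrade our system
      copy:
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        dest: /etc/apt/apt.conf.d/20auto-upgrades

    # The regex also matches the shipped, commented-out (//) line so it is
    # replaced in place instead of duplicated; with no match lineinfile
    # appends the setting at the end of the file.
    - name: Configure unattended-upgrades to auto-reboot our server when necessary
      lineinfile:
        regex: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot "true";'
        dest: /etc/apt/apt.conf.d/50unattended-upgrades

    # Set before the reboot time below; the "03:00" window is presumably read
    # in the system's local time.
    - name: Configure the system timezone to be US Pacific time
      community.general.timezone:
        name: America/Los_Angeles

    - name: Configure unattended-upgrades to delay necessary reboots to 3am
      lineinfile:
        regex: '^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$'
        line: 'Unattended-Upgrade::Automatic-Reboot-Time "03:00";'
        dest: /etc/apt/apt.conf.d/50unattended-upgrades

  handlers:
    # Triggered only when the sshd drop-in actually changed.
    - name: Restart SSH
      systemd_service:
        name: ssh
        state: restarted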