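# Host firewall / brute-force protection tasks: install fail2ban and ufw,
# allow SSH and the Docker swarm ports, then switch ufw to default-deny.
# The allow rules are applied before the firewall is enabled so the SSH
# session running this play is not cut off.

- name: Install fail2ban & ufw.
  ansible.builtin.apt:
    name:
      - fail2ban
      - ufw
    state: present

# TODO add proper fail2ban config
# NOTE(review): SSH is allowed on port 2222 below; the packaged sshd jail
# presumably still targets the default ssh port, so its port setting likely
# needs overriding for bans to apply to 2222. Confirm when adding the config.
- name: Ensure fail2ban is started & enabled.
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true

# Fixed: this task previously managed the fail2ban service a second time
# (copy/paste), so the ufw service itself was never started or enabled here.
- name: Ensure ufw is started & enabled.
  ansible.builtin.service:
    name: ufw
    state: started
    enabled: true

- name: Allow SSH connections.
  community.general.ufw:
    rule: allow
    port: 2222
    # SSH only uses TCP; without proto the rule would also open UDP 2222.
    proto: tcp

# NOTE(review): these rules accept traffic from any source and on any
# protocol. The swarm ports are node-to-node only, so consider restricting
# them to the addresses of the swarm nodes (the module's from_ip parameter)
# and to the protocol each port actually needs.
- name: Open necessary ports for Docker swarm communication.
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
  loop:
    - 2377  # cluster management communications
    - 7946  # communication among nodes
    - 4789  # overlay network traffic
    - 9001  # Portainer communication

# NOTE(review): ports published by Docker containers are handled by Docker's
# own iptables rules and are typically not filtered by ufw's default policy,
# so verify published ports separately.
- name: Block everything else by default & enable firewall.
  community.general.ufw:
    default: deny
    state: enabled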