personal_infra/ansible/infra/02_firewall_playbook.yml

- name: Secure Debian VPS
  hosts: vipy
  vars_files:
    - ../vars.yml
  become: true

  tasks:
    - name: Install UFW
      apt:
        name: ufw
        state: present

    - name: Turn UFW off
      ufw:
        state: disabled

    - name: Configure UFW default rules
      ufw:
        policy: deny
        direction: incoming

    - name: Allow outgoing traffic
      ufw:
        rule: allow
        direction: out

    - name: Allow SSH port through UFW
      ufw:
        rule: allow
        direction: in
        port: "{{ ssh_port }}"
        proto: tcp
        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"

    - name: Turn UFW on
      ufw:
        state: enabled

    - name: Install fail2ban
      apt:
        name: fail2ban
        state: present

    - name: Ensure fail2ban is running
      service:
        name: fail2ban
        enabled: yes
        state: started

    - name: Remove unnecessary services
      apt:
        name: "{{ item }}"
        state: absent
        purge: yes
      loop:
        - exim4
        - apache2
        - cups
        - rpcbind
        - nfs-common
        - telnet
        - ftp
        - samba

    - name: Install auditd
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    - name: Enable and start auditd
      service:
        name: auditd
        enabled: yes
        state: started