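---
# Baseline host setup: firewall (UFW), SSH hardening and Prometheus exporters.
#
# Run variables (all optional):
#   host          - inventory pattern to target, defaults to "all"
#   serial_number - batch size for rolling execution, defaults to 5
#   domain        - DNS domain used to build the Prometheus FQDNs (required)
- name: 'apply setup to {{ host | default("all") }}'
  hosts: '{{ host | default("all") }}'
  serial: "{{ serial_number | default(5) }}"
  tasks:
    - name: "Build Prometheus FQDNs from the configured domain"
      ansible.builtin.set_fact:
        dev_prometheus_fqdn: 'dev-prometheus-01.{{ domain }}'
        qa_prometheus_fqdn: 'qa-prometheus-01.{{ domain }}'

    # The dig lookup runs on the control node, so these addresses come from the
    # controller's resolver, not from the managed host.
    - name: "Resolve Prometheus FQDNs to IP addresses"
      ansible.builtin.set_fact:
        dev_prometheus_ip: "{{ lookup('community.general.dig', dev_prometheus_fqdn ) }}"
        qa_prometheus_ip: "{{ lookup('community.general.dig', qa_prometheus_fqdn ) }}"

    # The resolved values become firewall sources below; fail fast with a clear
    # message instead of letting the ufw module choke on an unresolved name
    # (the dig lookup returns a placeholder string such as NXDOMAIN on failure).
    - name: "Verify Prometheus hosts resolved to IPv4 addresses"
      ansible.builtin.assert:
        that:
          - "dev_prometheus_ip is match('^(\\d{1,3}\\.){3}\\d{1,3}$')"
          - "qa_prometheus_ip is match('^(\\d{1,3}\\.){3}\\d{1,3}$')"
        fail_msg: "Prometheus DNS lookup did not return an IPv4 address (dev='{{ dev_prometheus_ip }}', qa='{{ qa_prometheus_ip }}')"

    # SSH is added before the firewall is enabled so the current session survives;
    # 'limit' rate-limits new connections per source.
    - name: "Allow SSH in UFW"
      community.general.ufw:
        rule: limit
        port: 22
        proto: tcp

    - name: "Allow port 9100 for node-exporter in UFW"
      community.general.ufw:
        rule: allow
        port: 9100
        proto: tcp
        src: "{{ item }}"
      loop:
        - "{{ dev_prometheus_ip }}"
        - "{{ qa_prometheus_ip }}"

    - name: "Allow port 9115 for blackbox-exporter in UFW"
      community.general.ufw:
        rule: allow
        port: 9115
        proto: tcp
        src: "{{ item }}"
      loop:
        - "{{ dev_prometheus_ip }}"
        - "{{ qa_prometheus_ip }}"

    # Enable last, after the allow rules exist, with a reject default policy.
    - name: "Set firewall default policy"
      community.general.ufw:
        state: enabled
        policy: reject

    - name: "configure ssh_hardening"
      ansible.builtin.include_role:
        # include role from collection called 'devsec'
        name: devsec.hardening.ssh_hardening
        apply:
          tags:
            - ssh_hardening
      tags:
        - ssh_hardening

    - name: "Install node-exporter via include_role"
      ansible.builtin.include_role:
        name: cloudalchemy.node-exporter

    - name: "Install blackbox-exporter via include_role"
      ansible.builtin.include_role:
        name: cloudalchemy.blackbox-exporter
        apply:
          tags:
            - blackbox
      tags:
        - blackbox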