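---
# Host bootstrap play: UFW allow-list, SSH hardening (devsec) and blackbox-exporter.
# Target a host or group with `-e host=<pattern>`; defaults to "all".
# Variables expected from inventory / group_vars / -e: domain, ip_whitelist,
# k8s_nodes_demompmx and (optionally) serial_number.
- name: 'apply setup to {{ host | default("all") }}'
  hosts: '{{ host | default("all") }}'
  # Roll out in batches (default 5 hosts) so a broken run does not hit every host at once.
  serial: "{{ serial_number | default(5) }}"
  become: true
  tasks:
    - name: "Check required variables are defined"
      # Fail before any firewall rule is touched: otherwise a missing variable
      # (k8s_nodes_demompmx is only referenced, never set here) aborts the play
      # mid-way, after some UFW rules have already been applied.
      ansible.builtin.assert:
        that:
          - domain is defined
          - ip_whitelist is defined
          - k8s_nodes_demompmx is defined
        fail_msg: "domain, ip_whitelist and k8s_nodes_demompmx must be set in inventory or via -e"

    - name: "Set VARs"
      # Hostnames are resolved on the controller at play time via the dig lookup.
      # NOTE(review): an unresolvable name does not yield an IP; the lookup's
      # failure value would then be handed to UFW as `src` — confirm DNS before running.
      ansible.builtin.set_fact:
        # Prometheus servers of every stage; the only sources allowed to scrape node-exporter.
        prometheus_endpoints_all_stages:
          - "{{ lookup('community.general.dig', 'devnso-prometheus-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
        # Kubernetes node addresses per cluster; allowed to reach blackbox-exporter.
        k8s_nodes_devnso:
          - "{{ lookup('community.general.dig', 'devnso-kube-node-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'devnso-kube-node-02.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'devnso-kube-node-03.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'devnso-kube-node-04.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'devnso-kube-node-05.' + domain ) }}"
        k8s_nodes_qanso:
          - "{{ lookup('community.general.dig', 'qanso-kube-node-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'qanso-kube-node-02.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'qanso-kube-node-03.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'qanso-kube-node-04.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'qanso-kube-node-05.' + domain ) }}"
        k8s_nodes_prodnso:
          - "{{ lookup('community.general.dig', 'prodnso-kube-node-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodnso-kube-node-02.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodnso-kube-node-03.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodnso-kube-node-04.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodnso-kube-node-05.' + domain ) }}"
        k8s_nodes_mobene:
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-01.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-02.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-04.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-05.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-06.' + domain ) }}"
          - "{{ lookup('community.general.dig', 'prodwork01-kube-node-07.' + domain ) }}"

    # Allow rules are created before the firewall is enabled with a reject
    # default policy below, so SSH access is never cut during the run.
    - name: "Allow SSH in UFW"
      # `limit` both allows and rate-limits new connections from each source.
      community.general.ufw:
        rule: limit
        port: 22
        proto: tcp
        src: "{{ item }}"
      loop: "{{ ip_whitelist }}"

    - name: "Allow port 9100 for node-exporter in UFW"
      community.general.ufw:
        rule: allow
        port: 9100
        proto: tcp
        src: "{{ item }}"
      loop: "{{ prometheus_endpoints_all_stages }}"

    - name: "Allow port 9115 for blackbox-exporter in UFW"
      community.general.ufw:
        rule: allow
        port: 9115
        proto: tcp
        src: "{{ item }}"
      # Prometheus servers, the admin allow-list and every cluster's nodes.
      loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + k8s_nodes_mobene + k8s_nodes_devnso + k8s_nodes_qanso + k8s_nodes_prodnso + k8s_nodes_demompmx }}"

    - name: "Set firewall default policy"
      # Default-deny for everything not explicitly allowed above.
      community.general.ufw:
        state: enabled
        policy: reject

    - name: "configure ssh_hardening"
      ansible.builtin.include_role:
        # include role from collection called 'devsec'
        name: devsec.hardening.ssh_hardening
        apply:
          tags:
            - ssh_hardening
      tags:
        - ssh_hardening

    - name: "Install blackbox-exporter via include_role"
      ansible.builtin.include_role:
        name: cloudalchemy.blackbox-exporter
        apply:
          tags:
            - blackbox
      tags:
        - blackbox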