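# This playbook sets up a mirrored firewall configuration for both web
# service hosts such that they accept web traffic in and out from anywhere
# but only accept ssh connections from the internal network.
#
# The ufw module only records rules; the firewall is enabled (with a default
# deny policy for incoming traffic) as the last step so the allow rules are
# already in place when enforcement begins.
---
- hosts: alpha,beta
  remote_user: ubuntu
  # UFW is only accessible to root so sudo is required for each task
  become: true
  become_method: sudo

  tasks:
    - name: Install UFW in case it's not here
      apt:
        name: ufw
        state: present
        update_cache: true

    # One `limit` rule both permits and rate-limits SSH from the internal
    # range. A `limit` rule with no `src` would admit (rate-limited) SSH from
    # any source, contradicting the header comment, and an unrestricted
    # `allow` rule placed before it would shadow the rate limit entirely.
    - name: Allow and rate limit SSH connections from internal network
      ufw:
        rule: limit
        direction: incoming
        port: ssh
        proto: tcp
        src: 10.0.0.128/26

    - name: Allow Plain-HTTP traffic from anywhere
      ufw:
        rule: allow
        direction: incoming
        port: "80"
        proto: tcp

    - name: Allow HTTPS traffic from anywhere
      ufw:
        rule: allow
        direction: incoming
        port: "443"
        proto: tcp

    # Rules only take effect once UFW is enabled; anything inbound that is
    # not explicitly allowed above is dropped by the default policy.
    - name: Enable UFW with default deny for incoming traffic
      ufw:
        state: enabled
        policy: deny
        direction: incoming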