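---
# Single-host Wazuh deployment: installs the manager, indexer and dashboard
# from the Wazuh 4.x apt repository, templates ossec.conf, opens the
# service ports in ufw and waits for the listeners to come up.
#
# Review notes:
# - The indexer and dashboard come up with the default admin/admin account
#   (see the final debug message). Keep wazuh_mgmt_allowed_src narrow until
#   that password has been rotated.
# - NOTE(review): the indexer and dashboard normally need node certificates
#   and their own configuration before first start; that step is not part
#   of this play. Confirm it is handled elsewhere.
- name: Deploy Wazuh Security Manager
  hosts: security_servers
  become: true

  vars:
    # Quoted so the version is never parsed as a float.
    wazuh_version: "4.7.0"
    # Not referenced by any task below; presumably consumed by
    # ossec.conf.j2 - verify against the template.
    wazuh_manager_config:
      email_notification: false
      log_level: 3
    # Source allowed to reach the management ports (API 55000, indexer 9200,
    # dashboard 443). 'any' keeps the previous wide-open behaviour; set this
    # to the admin network CIDR in inventory.
    wazuh_mgmt_allowed_src: 'any'
    # Keyring used only for the Wazuh repository (apt signed-by), so the key
    # is not trusted for every other configured repository.
    wazuh_apt_keyring: /usr/share/keyrings/wazuh.asc

  tasks:
    - name: Update apt cache
      apt:
        update_cache: true

    - name: Install required packages
      apt:
        name:
          - curl
          - apt-transport-https
          - lsb-release
          - gnupg2
        state: present

    # Written straight to a root-owned keyring instead of a predictable path
    # in world-writable /tmp, and without the deprecated apt_key module.
    # TLS is the only integrity check here; pin the key by adding
    #   checksum: "sha256:<SHA256-OF-GPG-KEY-WAZUH>"
    # once the value has been verified out of band.
    - name: Download Wazuh GPG key
      get_url:
        url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        dest: "{{ wazuh_apt_keyring }}"
        owner: root
        group: root
        mode: '0644'

    - name: Add Wazuh repository
      apt_repository:
        repo: >-
          deb [signed-by={{ wazuh_apt_keyring }}]
          https://packages.wazuh.com/4.x/apt/ stable main
        state: present

    # All three components are pinned to wazuh_version so a re-run cannot
    # silently pull a newer release or leave the stack on mixed versions.
    # The trailing wildcard matches the package revision suffix.
    - name: Install Wazuh manager
      apt:
        name:
          - "wazuh-manager={{ wazuh_version }}-*"
        state: present
        update_cache: true

    # Wazuh 4.3 and later run as user/group 'wazuh'; the legacy 'ossec'
    # group does not exist on a 4.7.0 install and would fail this task.
    - name: Configure Wazuh manager
      template:
        src: ossec.conf.j2
        dest: /var/ossec/etc/ossec.conf
        backup: true
        owner: root
        group: wazuh
        mode: '0640'
      notify: restart wazuh-manager

    - name: Start and enable Wazuh manager
      service:
        name: wazuh-manager
        state: started
        enabled: true

    - name: Install Wazuh indexer
      apt:
        name: "wazuh-indexer={{ wazuh_version }}-*"
        state: present

    - name: Start and enable Wazuh indexer
      service:
        name: wazuh-indexer
        state: started
        enabled: true

    - name: Install Wazuh dashboard
      apt:
        name: "wazuh-dashboard={{ wazuh_version }}-*"
        state: present

    - name: Start and enable Wazuh dashboard
      service:
        name: wazuh-dashboard
        state: started
        enabled: true

    # Agent-facing ports stay reachable from any source so agents can
    # connect and enrol.
    - name: Open required firewall ports
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - 1514  # Wazuh agent connection
        - 1515  # Wazuh agent registration

    # Management surfaces are limited to wazuh_mgmt_allowed_src. On a
    # single-host install the indexer (9200) is only needed locally.
    - name: Open management firewall ports
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
        from_ip: "{{ wazuh_mgmt_allowed_src }}"
      loop:
        - 55000  # Wazuh API
        - 9200   # Wazuh indexer
        - 443    # Wazuh dashboard

    # delay applies to every loop item, so this waits at least 30 s per port.
    - name: Wait for services to be ready
      wait_for:
        port: "{{ item }}"
        host: 127.0.0.1
        delay: 30
      loop:
        - 55000
        - 9200
        - 443

    - name: Display Wazuh information
      debug:
        msg: |
          Wazuh has been successfully deployed:
          - Manager API: https://{{ ansible_default_ipv4.address }}:55000
          - Dashboard: https://{{ ansible_default_ipv4.address }}:443
          - Indexer: https://{{ ansible_default_ipv4.address }}:9200

          Default credentials:
          - Username: admin
          - Password: admin (change immediately)

  handlers:
    - name: restart wazuh-manager
      service:
        name: wazuh-manager
        state: restarted

    # The two handlers below are not notified by any task in this play.
    - name: restart wazuh-indexer
      service:
        name: wazuh-indexer
        state: restarted

    - name: restart wazuh-dashboard
      service:
        name: wazuh-dashboard
        state: restarted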