serverctl/infrastructure/create-resources/ansible/roles/firewall/tasks/main.yml

---
- name: update packages
  apt:
    update_cache: yes
    cache_valid_time: 3600
  become: yes

- name: install ufw
  apt:
    name: ufw
    state: present
  become: yes
  when: ufw_enabled

- name: Allow SSH in UFW
  ufw:
    rule: allow
    port: "{{ ansible_ssh_port }}"
    proto: tcp
  become: yes
  when: ufw_enabled

- name: Allow wireguard port in UFW
  ufw:
    rule: allow
    port: "{{ wireguard_port }}"
    proto: udp
  become: yes
  when: ufw_enabled

- name: Set ufw logging
  ufw:
    logging: "on"
  become: yes
  when: ufw_enabled

- name: inter-node Wireguard UFW connectivity
  ufw:
    rule: allow
    src: "{{ hostvars[item].wireguard_ip }}"
  with_items: "{{ groups['all'] }}"
  become: yes
  when: ufw_enabled and item != inventory_hostname

- name: Reject everything and enable UFW
  ufw:
    state: enabled
    policy: reject
    log: yes
  become: yes
  when: ufw_enabled

- name: Allow 6443 in UFW /tcp
  ufw:
    rule: allow
    port: "6443"
    proto: tcp
  become: yes
  when: ufw_enabled

- name: Allow 6443 in UFW udp
  ufw:
    rule: allow
    port: "6443"
    proto: udp
  become: yes
  when: ufw_enabled
Add homeserver to infra 2022-02-24 21:36:07 +01:00			`---`
			`- name: update packages`
			`apt:`
			`update_cache: yes`
			`cache_valid_time: 3600`
			`become: yes`

			`- name: install ufw`
			`apt:`
			`name: ufw`
			`state: present`
			`become: yes`
			`when: ufw_enabled`

			`- name: Allow SSH in UFW`
			`ufw:`
			`rule: allow`
			`port: "{{ ansible_ssh_port }}"`
			`proto: tcp`
			`become: yes`
			`when: ufw_enabled`

			`- name: Allow wireguard port in UFW`
			`ufw:`
			`rule: allow`
			`port: "{{ wireguard_port }}"`
			`proto: udp`
			`become: yes`
			`when: ufw_enabled`

			`- name: Set ufw logging`
			`ufw:`
			`logging: "on"`
			`become: yes`
			`when: ufw_enabled`

			`- name: inter-node Wireguard UFW connectivity`
			`ufw:`
			`rule: allow`
			`src: "{{ hostvars[item].wireguard_ip }}"`
			`with_items: "{{ groups['all'] }}"`
			`become: yes`
			`when: ufw_enabled and item != inventory_hostname`

			`- name: Reject everything and enable UFW`
			`ufw:`
			`state: enabled`
			`policy: reject`
			`log: yes`
			`become: yes`
			`when: ufw_enabled`

			`- name: Allow 6443 in UFW /tcp`
			`ufw:`
			`rule: allow`
			`port: "6443"`
			`proto: tcp`
			`become: yes`
			`when: ufw_enabled`

			`- name: Allow 6443 in UFW udp`
			`ufw:`
			`rule: allow`
			`port: "6443"`
			`proto: udp`
			`become: yes`
			`when: ufw_enabled`