serverctl/infrastructure/create-resources/ansible/roles/firewall/tasks/main.yml

---
- name: update packages
  apt:
    update_cache: yes
    cache_valid_time: 3600
  become: yes

- name: install ufw
  apt:
    name: ufw
    state: present
  become: yes
  when: ufw_enabled

- name: Allow SSH in UFW
  ufw:
    rule: allow
    port: "{{ ansible_ssh_port }}"
    proto: tcp
  become: yes
  when: ufw_enabled

- name: Allow wireguard port in UFW
  ufw:
    rule: allow
    port: "{{ wireguard_port }}"
    proto: udp
  become: yes
  when: ufw_enabled

- name: Set ufw logging
  ufw:
    logging: "on"
  become: yes
  when: ufw_enabled

- name: inter-node Wireguard UFW connectivity
  ufw:
    rule: allow
    src: "{{ hostvars[item].wireguard_ip }}"
  with_items: "{{ groups['all'] }}"
  become: yes
  when: ufw_enabled and item != inventory_hostname

- name: Reject everything and enable UFW
  ufw:
    state: enabled
    policy: reject
    log: yes
  become: yes
  when: ufw_enabled

- name: Allow 6443 in UFW /tcp
  ufw:
    rule: allow
    port: "6443"
    proto: tcp
  become: yes
  when: ufw_enabled

- name: Allow 6443 in UFW udp
  ufw:
    rule: allow
    port: "6443"
    proto: udp
  become: yes
  when: ufw_enabled