Add the ufw firewall

roles/base/tasks/firewall.yml

@@ -0,0 +1,23 @@
+- name: Install the Uncomplicated Firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Deny incoming traffic by default
+  ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  ufw:
+    name: ssh
+    rule: limit
+
+- name: Enable firewall
+  ufw:
+    state: enabled

roles/base/tasks/main.yml

@@ -4,6 +4,9 @@
 - import_tasks: system.yml
   tags: system
 
+- import_tasks: firewall.yml
+  tags: firewall
+
 - import_tasks: network.yml
   tags: network
   when: manage_network

roles/postgresql/tasks/main.yml

@@ -32,3 +32,10 @@
     name: postgresql
     state: restarted
   when: postgresql_config.changed
+
+- name: Allow database connections from Docker
+  ufw:
+    rule: allow
+    port: "5432"
+    proto: tcp
+    src: "172.16.0.0/12"

roles/proxy/tasks/main.yml

@@ -84,3 +84,12 @@
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
   notify: reload_nginx
+
+- name: Add HTTP and HTTPS firewall rule
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"