Add the ufw firewall

2022-05-27 16:29:27 -04:00 · 2022-05-27 16:29:27 -04:00 · 45465ad26b
commit 45465ad26b
parent d7838563a1
4 changed files with 42 additions and 0 deletions
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@ -0,0 +1,23 @@
+- name: Install the Uncomplicated Firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Deny incoming traffic by default
+  ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  ufw:
+    name: ssh
+    rule: limit
+
+- name: Enable firewall
+  ufw:
+    state: enabled
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -4,6 +4,9 @@
 - import_tasks: system.yml
  tags: system

+- import_tasks: firewall.yml
+  tags: firewall
+
 - import_tasks: network.yml
  tags: network
  when: manage_network
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@ -32,3 +32,10 @@
    name: postgresql
    state: restarted
  when: postgresql_config.changed
+
+- name: Allow database connections from Docker
+  ufw:
+    rule: allow
+    port: "5432"
+    proto: tcp
+    src: "172.16.0.0/12"
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -84,3 +84,12 @@
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx
+
+- name: Add HTTP and HTTPS firewall rule
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"