homeserver-ansible/roles/firewall/tasks/main.yml

- name: Install packages
  community.general.pacman:
    name:
      - ufw

- name: Deny all ports by default
  community.general.ufw:
    policy: deny

- name: Allow Matrix federation port
  community.general.ufw:
    rule: allow
    port: 8448
    proto: tcp
    state: enabled
  when: enable_synapse

- name: Allow Syncthing port
  community.general.ufw:
    rule: allow
    port: 22000
    proto: any
    state: enabled
  when: enable_syncthing

- name: Allow http/https ports
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
    state: enabled
  when: enable_webserver
  with_items:
    - http
    - https

- name: Allow coturn ports (turn/turns)
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    state: enabled
  when: enable_coturn
  with_items:
    - turn
    - turns

- name: Allow coturn UDP relay ports
  community.general.ufw:
    rule: allow
    port: "49152:65535"
    proto: udp
    state: enabled
  when: enable_coturn

- name: Allow coturn TCP relay ports
  community.general.ufw:
    rule: allow
    port: "49152:65535"
    proto: tcp
    state: enabled
  when: enable_coturn

- name: Allow ssh port
  community.general.ufw:
    rule: allow
    port: "{{ sshd_port }}"
    proto: tcp
    state: enabled

- name: Allow gitea ssh port
  community.general.ufw:
    rule: allow
    port: "2499"
    proto: tcp
    state: enabled

- name: Allow DNS port to LAN
  community.general.ufw:
    rule: allow
    port: domain
    proto: any
    state: enabled
    src: "{{ local_subnet }}"
  when: enable_nameserver

- name: Enable firewall service
  service:
    name: ufw
    state: started
    enabled: yes