From a5e85742a0e323644479d455370aacffb6486299 Mon Sep 17 00:00:00 2001
From: DogeyStamp
Date: Tue, 1 Mar 2022 17:56:41 -0500
Subject: [PATCH] Only open enabled services in firewall

---
 roles/firewall/tasks/main.yml | 25 +++++++++++++++++++------
 tasks/user_config.yml         | 38 --------------------------------------
 2 files changed, 19 insertions(+), 44 deletions(-)
 delete mode 100644 tasks/user_config.yml

diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 2fe2f3c..da6754a 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -7,27 +7,40 @@
   community.general.ufw:
     policy: deny
 
-- name: Allow service ports
+- name: Allow Matrix federation port
+  community.general.ufw:
+    rule: allow
+    port: 8448
+    proto: tcp
+    state: enabled
+  when: enable_synapse
+
+- name: Allow http/https ports
   community.general.ufw:
     rule: allow
     port: "{{ item }}"
     proto: tcp
     state: enabled
-
+  when: enable_webserver
   with_items:
-    - "{{ sshd_port }}"
     - http
     - https
-    # Matrix federation port
-    - 8448
+
+- name: Allow ssh port
+  community.general.ufw:
+    rule: allow
+    port: "{{ sshd_port }}"
+    proto: tcp
+    state: enabled
 
 - name: Allow DNS port to LAN
   community.general.ufw:
     rule: allow
-    port: 53
+    port: domain
     proto: any
     state: enabled
     src: "{{ local_subnet }}"
+  when: enable_nameserver
 
 - name: Enable firewall service
   service:
diff --git a/tasks/user_config.yml b/tasks/user_config.yml
deleted file mode 100644
index 2ba039f..0000000
--- a/tasks/user_config.yml
+++ /dev/null
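Review bot: The `when: enable_synapse`, `when: enable_webserver` and `when: enable_nameserver` guards on the new ufw tasks only skip *adding* a rule, so on a host that was provisioned with a service enabled, later setting the flag to false leaves 8448, 80/443 or 53 open in ufw while the play reports nothing changed. If the intent is "only enabled services are reachable", drive the rule's presence from the flag instead of skipping the task, e.g. replace `when: enable_synapse` with `delete: "{{ not enable_synapse }}"` on the Matrix task (and likewise for the webserver and nameserver tasks), after checking how the module behaves when asked to delete a rule that was never added. Each `when:` also hard-fails with an undefined-variable error if a caller's inventory does not set the flag, so confirm that `enable_synapse`/`enable_webserver`/`enable_nameserver` have defaults in the role (outside this hunk). Keeping the SSH task unconditional is the right call, since gating it on a flag would risk locking out the controller.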
@@ -1,38 +0,0 @@
-- name: Fetch dotfiles
-  git:
-    repo: "{{ dots_repo }}"
-    dest: "/srv/dots/"
-  register: dotfiles
-
-- name: Create list of users to configure
-  set_fact:
-    users:
-      - "{{ ansible_user }}"
-      - "{{ username }}"
-
-- name: Remove existing dotfiles
-  file:
-    path: "/home/{{ item }}/.bashrc"
-    state: absent
-  with_items: "{{ users }}"
-  when: dotfiles.changed
-
-- name: Copy dotfiles
-  copy:
-    remote_src: yes
-    src: /srv/dots/
-    dest: "/home/{{ item }}/dots/"
-    owner: "{{ item }}"
-    group: "{{ item }}"
-  with_items: "{{ users }}"
-  when: dotfiles.changed
-
-- name: Deploy dotfiles on login
-  template:
-    src: templates/.bash_profile.j2
-    dest: "/home/{{ item }}/.bash_profile"
-    owner: "{{ item }}"
-    group: "{{ item }}"
-    force: yes
-  with_items: "{{ users }}"
-  when: dotfiles.changed