- name: Install packages community.general.pacman: name: - ufw - name: Deny all ports by default community.general.ufw: policy: deny - name: Set default sources (bastion server) set_fact: default_firewall_src: any when: '"bastion" in group_names' - name: Set default sources (fleet server) set_fact: default_firewall_src: "{{ bastion_vpn_ip if wireguard_services else bastion_ip }}" when: '"fleet" in group_names' - name: Configure service interface set_fact: service_firewall_if: "{{ wireguard_interface if wireguard_services else omit }}" when: 'wireguard_services' - name: Allow service ports community.general.ufw: rule: allow port: "{{ item.port }}" proto: "{{ item.proto | default('tcp') }}" # service -> VPN interface if available, else default interface_in: "{{ service_firewall_if if (item.interface | default('')) == 'service' else item.interface | default(omit) }}" src: "{{ item.src | default(default_firewall_src) }}" when: item.name in group_names with_items: # matrix ports - name: "bastion" port: 8448 - name: "synapse" port: 8008 interface: service # navidrome api/web interface - name: "navidrome" port: 4533 interface: service - name: "paperless" port: 8000 interface: service - name: "syncthing" port: 22000 proto: any src: "{{ local_subnet }}" - name: "sshd" port: "{{ sshd_port }}" src: "{{ 'any' if 'bastion' in group_names else local_subnet }}" # gitea sshd - name: "bastion" port: 2499 - name: "gitea" port: 2498 interface: service # gitea http - name: "gitea" port: 3000 interface: service - name: "caddy" port: 80 - name: "caddy" port: 443 - name: "nameserver" port: domain proto: any src: "{{ local_subnet }}" - name: "wireguard" port: "{{ wireguard.ip.port | default('51820') }}" proto: udp src: any - name: Enable UFW community.general.ufw: state: enabled - name: Enable firewall service service: name: ufw state: started enabled: yes