Add ufw role

- Enable ufw and by default deny incoming traffic
- in other roles: if ufw (role) is enabled, then allow necessary ports

roles/lighttpd/tasks/main.json

@@ -27,6 +27,32 @@
 			"dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf"
 		}
 	},
+	{
+		"name": "Check wether enabling UFW would be considered a changed",
+		"check_mode": true,
+		"community.general.ufw": {
+			"state": "enabled",
+			"register": "ufw_enable_check"
+		}
+	},
+	{
+		"name": "Allow port 80 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "80",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
+	{
+		"name": "Allow port 443 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "443",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
 	{
 		"name": "restart service",
 		"become": true,

roles/murmur/tasks/main.json

@@ -25,6 +25,23 @@
 			"cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}"
 		}
 	},
+	{
+		"name": "Check wether enabling UFW would be considered a changed",
+		"check_mode": true,
+		"community.general.ufw": {
+			"state": "enabled",
+			"register": "ufw_enable_check"
+		}
+	},
+	{
+		"name": "Allow port in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "{{ var_murmur_port }}",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
 	{
 		"name": "service",
 		"become": true,

roles/nginx/tasks/main.json

@@ -9,6 +9,32 @@
 			]
 		}
 	},
+	{
+		"name": "Check wether enabling UFW would be considered a changed",
+		"check_mode": true,
+		"community.general.ufw": {
+			"state": "enabled",
+			"register": "ufw_enable_check"
+		}
+	},
+	{
+		"name": "Allow port 80 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "80",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
+	{
+		"name": "Allow port 443 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "443",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
 	{
 		"name": "restart service",
 		"become": true,

roles/proftpd/tasks/main.json

@@ -8,5 +8,31 @@
 				"proftpd-core"
 			]
 		}
+	},
+	{
+		"name": "Check wether enabling UFW would be considered a changed",
+		"check_mode": true,
+		"community.general.ufw": {
+			"state": "enabled",
+			"register": "ufw_enable_check"
+		}
+	},
+	{
+		"name": "Allow FTP port 20 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "20",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
+	{
+		"name": "Allow FTP port 21 in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "21",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
 	}
 ]

roles/synapse/tasks/main.json

@@ -58,6 +58,23 @@
 			"dest": "/etc/matrix-synapse/homeserver.yaml"
 		}
 	},
+	{
+		"name": "Check wether enabling UFW would be considered a changed",
+		"check_mode": true,
+		"community.general.ufw": {
+			"state": "enabled",
+			"register": "ufw_enable_check"
+		}
+	},
+	{
+		"name": "Allow matrix federation port in ufw",
+		"community.general.ufw": {
+			"rule": "allow",
+			"port": "8448",
+			"proto": "tcp"
+		},
+		"when": "not ufw_enable_check.changed"
+	},
 	{
 		"name": "restart service",
 		"become": true,

roles/ufw/tasks/main.json

@@ -0,0 +1,41 @@
+[
+	{
+		"name": "install ufw",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"ufw"
+			]
+		}
+	},
+	{
+		"name": "ufw deny incoming",
+		"ufw": {
+			"direction": "incoming",
+			"proto": "any",
+			"policy": "deny"
+		}
+	},
+	{
+		"name": "ufw allow outgoing",
+		"ufw": {
+			"direction": "outgoing",
+			"proto": "any",
+			"policy": "allow"
+		}
+	},
+	{
+		"name": "ufw allow and rate-limit ssh",
+		"ufw": {
+			"rule": "limit",
+			"name": "ssh"
+		}
+	},
+	{
+		"name": "enable ufw service",
+		"ufw": {
+			"state": "enabled"
+		}
+	}
+]