Post-Tyranny-Tech-Infrastru.../ansible/roles/common/tasks/firewall.yml

---
# UFW firewall configuration

- name: Reset UFW to default state
  community.general.ufw:
    state: reset
  when: ansible_facts['distribution'] == 'Ubuntu'

- name: Set UFW default policies
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: 'incoming', policy: '{{ common_ufw_default_incoming }}' }
    - { direction: 'outgoing', policy: '{{ common_ufw_default_outgoing }}' }

- name: Allow specified ports through UFW
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    comment: "{{ item.comment }}"
  loop: "{{ common_ufw_allowed_ports }}"

- name: Enable UFW
  community.general.ufw:
    state: enabled
    logging: 'on'
WIP: Ansible base configuration - common role (#2) Progress on Issue #2: Ansible Base Configuration Completed: - ✅ Ansible installed via pipx (isolated Python environment) - ✅ Hetzner Cloud dynamic inventory configured - ✅ Ansible configuration (ansible.cfg) - ✅ Common role for base system hardening: - SSH hardening (key-only, no root password) - UFW firewall configuration - Fail2ban for SSH protection - Automatic security updates - Timezone and system packages - ✅ Comprehensive Ansible README with setup guide Architecture Updates: - Added Decision #15: pipx for isolated Python environments - Updated ADR changelog with pipx adoption Still TODO for #2: - Docker role - Traefik role - Setup playbook - Deploy playbook - Testing against live server Files added: - ansible/README.md - Complete Ansible guide - ansible/ansible.cfg - Ansible configuration - ansible/hcloud.yml - Hetzner dynamic inventory - ansible/roles/common/* - Base hardening role Partial progress on #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 14:00:22 +01:00			`---`
			`# UFW firewall configuration`

			`- name: Reset UFW to default state`
			`community.general.ufw:`
			`state: reset`
			`when: ansible_facts['distribution'] == 'Ubuntu'`

			`- name: Set UFW default policies`
			`community.general.ufw:`
			`direction: "{{ item.direction }}"`
			`policy: "{{ item.policy }}"`
			`loop:`
			`- { direction: 'incoming', policy: '{{ common_ufw_default_incoming }}' }`
			`- { direction: 'outgoing', policy: '{{ common_ufw_default_outgoing }}' }`

			`- name: Allow specified ports through UFW`
			`community.general.ufw:`
			`rule: allow`
			`port: "{{ item.port }}"`
			`proto: "{{ item.proto }}"`
			`comment: "{{ item.comment }}"`
			`loop: "{{ common_ufw_allowed_ports }}"`

			`- name: Enable UFW`
			`community.general.ufw:`
			`state: enabled`
			`logging: 'on'`