fix: resolve UFW ansible-lint failures and deploy error

- Fix 'interface_or_direction' → 'direction' (required param for ufw module) - Rename ufw_enabled/ufw_allowed_ports → common_ufw_enabled/common_ufw_allowed_ports (role prefix convention) - Fix yaml[braces] violations in helsinki-a host_vars
2026-05-06 04:14:43 +00:00 · 2026-03-29 09:51:48 +00:00 · 2026-03-29 09:51:48 +00:00 · cb6aaf472f
commit cb6aaf472f
parent 4554dec7d2
3 changed files with 17 additions and 17 deletions
--- a/ansible/inventory/host_vars/helsinki-a.yml
+++ b/ansible/inventory/host_vars/helsinki-a.yml
@ -10,6 +10,6 @@ docker_services:
  - forgejo
  - bitwarden

-ufw_allowed_ports:
-  - { port: 80, proto: tcp, comment: "HTTP" }
-  - { port: 443, proto: tcp, comment: "HTTPS" }
+common_ufw_allowed_ports:
+  - {port: 80, proto: tcp, comment: "HTTP"}
+  - {port: 443, proto: tcp, comment: "HTTPS"}
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 # UFW firewall defaults
-# Override ufw_allowed_ports in host_vars for public-facing services.
-ufw_enabled: true
-ufw_allowed_ports: []
-#   - { port: 80, proto: tcp, comment: "HTTP" }
-#   - { port: 443, proto: tcp, comment: "HTTPS" }
+# Override common_ufw_allowed_ports in host_vars for public-facing services.
+common_ufw_enabled: true
+common_ufw_allowed_ports: []
+#   - {port: 80, proto: tcp, comment: "HTTP"}
+#   - {port: 443, proto: tcp, comment: "HTTPS"}
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -109,7 +109,7 @@
    default: deny
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
  notify: Reload ufw

 - name: Set UFW default allow outgoing
@ -118,18 +118,18 @@
    default: allow
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
  notify: Reload ufw

 - name: Allow all traffic on Tailscale interface
  community.general.ufw:
    rule: allow
-    interface_or_direction: in
+    direction: in
    interface: tailscale0
    comment: "Tailscale mesh - allow all"
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
  notify: Reload ufw

 - name: Allow SSH (safety net)
@ -140,7 +140,7 @@
    comment: "SSH"
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
  notify: Reload ufw

 - name: Allow host-specific ports
@ -149,11 +149,11 @@
    port: "{{ item.port | string }}"
    proto: "{{ item.proto | default('tcp') }}"
    comment: "{{ item.comment | default(omit) }}"
-  loop: "{{ ufw_allowed_ports }}"
+  loop: "{{ common_ufw_allowed_ports }}"
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
-    - ufw_allowed_ports | length > 0
+    - common_ufw_enabled | bool
+    - common_ufw_allowed_ports | length > 0
  notify: Reload ufw

 - name: Enable UFW
@ -161,4 +161,4 @@
    state: enabled
  when:
    - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool