RWejlgaard/pez-infra
1
0
Fork 0
mirror of https://github.com/RWejlgaard/pez-infra.git synced 2026-05-06 04:14:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

fix: resolve UFW ansible-lint failures and deploy error (#11)

Browse source 
- Fix 'interface_or_direction' → 'direction' (required param for ufw module)
- Rename ufw_enabled/ufw_allowed_ports → common_ufw_enabled/common_ufw_allowed_ports (role prefix convention)
- Fix yaml[braces] violations in helsinki-a host_vars
This commit is contained in:
Rasmus Wejlgaard 2026-03-29 10:53:54 +01:00 committed by GitHub
parent 4554dec7d2
commit f9d0a7ebf4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 17 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ansible/inventory/host_vars/helsinki-a.yml
View file

@ -10,6 +10,6 @@ docker_services:
- forgejo - forgejo
- bitwarden - bitwarden
ufw_allowed_ports: common_ufw_allowed_ports:
- {port: 80, proto: tcp, comment: "HTTP"} - {port: 80, proto: tcp, comment: "HTTP"}
- {port: 443, proto: tcp, comment: "HTTPS"} - {port: 443, proto: tcp, comment: "HTTPS"}

6
ansible/roles/common/defaults/main.yml
View file

@ -1,7 +1,7 @@
--- ---
# UFW firewall defaults # UFW firewall defaults
# Override ufw_allowed_ports in host_vars for public-facing services. # Override common_ufw_allowed_ports in host_vars for public-facing services.
ufw_enabled: true common_ufw_enabled: true
ufw_allowed_ports: [] common_ufw_allowed_ports: []
# - {port: 80, proto: tcp, comment: "HTTP"} # - {port: 80, proto: tcp, comment: "HTTP"}
# - {port: 443, proto: tcp, comment: "HTTPS"} # - {port: 443, proto: tcp, comment: "HTTPS"}

18
ansible/roles/common/tasks/main.yml
View file

@ -109,7 +109,7 @@
default: deny default: deny
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool
notify: Reload ufw notify: Reload ufw
- name: Set UFW default allow outgoing - name: Set UFW default allow outgoing
@ -118,18 +118,18 @@
default: allow default: allow
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool
notify: Reload ufw notify: Reload ufw
- name: Allow all traffic on Tailscale interface - name: Allow all traffic on Tailscale interface
community.general.ufw: community.general.ufw:
rule: allow rule: allow
interface_or_direction: in direction: in
interface: tailscale0 interface: tailscale0
comment: "Tailscale mesh - allow all" comment: "Tailscale mesh - allow all"
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool
notify: Reload ufw notify: Reload ufw
- name: Allow SSH (safety net) - name: Allow SSH (safety net)
@ -140,7 +140,7 @@
comment: "SSH" comment: "SSH"
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool
notify: Reload ufw notify: Reload ufw
- name: Allow host-specific ports - name: Allow host-specific ports
@ -149,11 +149,11 @@
port: "{{ item.port | string }}" port: "{{ item.port | string }}"
proto: "{{ item.proto | default('tcp') }}" proto: "{{ item.proto | default('tcp') }}"
comment: "{{ item.comment | default(omit) }}" comment: "{{ item.comment | default(omit) }}"
loop: "{{ ufw_allowed_ports }}" loop: "{{ common_ufw_allowed_ports }}"
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool
- ufw_allowed_ports | length > 0 - common_ufw_allowed_ports | length > 0
notify: Reload ufw notify: Reload ufw
- name: Enable UFW - name: Enable UFW
@ -161,4 +161,4 @@
state: enabled state: enabled
when: when:
- ansible_facts["os_family"] == "Debian" - ansible_facts["os_family"] == "Debian"
- ufw_enabled | bool - common_ufw_enabled | bool