[a] better firewall rule defining

roles/secure/defaults/main.yml

@@ -1,12 +1,17 @@
 # Make a full system upgrade (using apt-get full-upgrade)
 common_full_upgrade: false
+common_allow_restart: false # allow restarting after update
 
 # Install and configure UFW Firewall on the system
 common_firewall_enable: true
 common_firewall_reject: false # reject all connections by default
-common_firewall_ssh: true # allow ssh connections
-common_firewall_https: false # allow https connections
-common_firewall_http: false # allow http connections
+
+# Default Firewall Rules
+common_firewall:
+  - port: 22
+    state: allow
+    interface: "{{ common_firewall_lan_interface if common_firewall_lan_interface }}"
+    comment: "Allow incoming connections on {{ common_firewall_lan_interface if common_firewall_lan_interface else 'all interfaces' }}"
 
 # Configure SSH to only accept SSH Keys
 common_ssh_configure: true

roles/secure/handlers/main.yml

@@ -1,3 +1,8 @@
+---
+- name: reboot system
+  ansible.builtin.reboot:
+  when: common_allow_restart
+
 - name: restart ssh
   ansible.builtin.service:
     name: sshd

roles/secure/tasks/main.yml

@@ -6,18 +6,18 @@
     update_cache: true
     upgrade: full
   when: common_full_upgrade
+  notify: reboot system
 
 - name: Install UFW Firewall
   ansible.builtin.apt:
     name: ufw
-    # update_cache: true
     state: present
   when: common_firewall_enable
 
 - name: Enable UFW
   community.general.ufw:
     state: enabled
-    logging: 'on'
+    logging: "on"
   when: common_firewall_enable
 
 - name: Disable UFW Firewall
@@ -26,35 +26,27 @@
     state: absent
   when: not common_firewall_enable
 
-- name: Reject incoming connections by default
+- name: Reject incoming connections on WAN interface by default
   community.general.ufw:
-    policy: reject
-    comment: 'Reject all by default'
-  when: common_firewall_reject and common_firewall_enable
+    default: reject
+    direction: incoming
+    interface: "{{ common_firewall_wan_interface }}"
+  when:
+    - common_firewall_reject
+    - common_firewall_enable
+    - common_firewall_wan_interface
 
-- name: Allow SSH Connections
+- name: Configure firewall rules
   community.general.ufw:
-    rule: limit
-    port: ssh
-    proto: tcp
-    comment: 'Allow SSH'
-  when: common_firewall_ssh and common_firewall_enable
-
-- name: Allow HTTPS Connections
-  community.general.ufw:
-    rule: allow
-    port: https
-    proto: tcp
-    comment: 'Allow HTTPS'
-  when: common_firewall_https and common_firewall_enable
-
-- name: Allow HTTP Connections
-  community.general.ufw:
-    rule: allow
-    port: http
-    proto: tcp
-    comment: 'Allow HTTP'
-  when: common_firewall_http and common_firewall_enable
+    port: "{{ rule.port }}"
+    rule: "{{ rule.state | default('allow') }}"
+    proto: "{{ rule.protocol | default('tcp') }}"
+    interface: "{{ rule.interface if rule.interface != 'all' else omit }}"
+    comment: "{{ rule.comment | default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}"
+  loop: "{{ common_firewall | default([]) }}"
+  loop_control:
+    loop_var: rule
+  when: common_firewall_enable
 
 - name: Install sudo
   ansible.builtin.apt:
@@ -69,7 +61,7 @@
     line: "{{ ssh_config_entry.line }}"
     state: present
   loop:
-    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
+    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
   loop_control:
     loop_var: ssh_config_entry
   notify: restart ssh
@@ -88,18 +80,3 @@
   ansible.builtin.user:
     name: root
     password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
-
-# - name: Configure SSH to disallow root login
-#   ansible.builtin.lineinfile:
-#     path: /etc/ssh/sshd_config
-#     regexp: '^PermitRootLogin'
-#     line: 'PermitRootLogin no'
-#     state: present
-#   notify: restart ssh
-#   when: common_ssh_configure
-
-# - name: Disable root shell
-#   ansible.builtin.user:
-#     name: root
-#     shell: /usr/sbin/nologin
-#   when: common_disable_root