Switch to firewalld as it's compatible with Docker

host_vars/sapt-labp-app01.yml

@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-app01.prod.servers.sapti.me
-private_ip: 10.2.16.10
+internal_ipv4: 10.2.16.10
 
 apps_include:
   - nginx

host_vars/sapt-labp-app02.yml

@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-app02.prod.servers.sapti.me
-private_ip: 10.2.16.11
+internal_ipv4: 10.2.16.11
 
 apps_include:
   - nginx

host_vars/sapt-labp-db01.yml

@@ -2,4 +2,4 @@
 # code: language=ansible
 ---
 fqdn: sapt-labp-db01.prod.servers.sapti.me
-private_ip: 10.2.16.20
+internal_ipv4: 10.2.16.20

host_vars/sapt-labr-mon01.yml

@@ -2,4 +2,4 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-mon01.shrd.servers.sapti.me
-private_ip: 10.2.18.20
+internal_ipv4: 10.2.18.20

host_vars/sapt-labr-prx01.yml

@@ -2,6 +2,6 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-prx01.shrd.servers.sapti.me
-private_ip: 10.2.18.10
+internal_ipv4: 10.2.18.10
 
 proxy_mode: global

host_vars/sapt-labr-prx02.yml

@@ -2,6 +2,6 @@
 # code: language=ansible
 ---
 fqdn: sapt-labr-prx02.shrd.servers.sapti.me
-private_ip: 10.2.18.11
+internal_ipv4: 10.2.18.11
 
 proxy_mode: local

host_vars/sapt-labs-app01.yml

@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-app01.stage.servers.sapti.me
-private_ip: 10.2.19.10
+internal_ipv4: 10.2.19.10
 
 apps_include:
   - nginx

host_vars/sapt-labs-app02.yml

@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-app02.stage.servers.sapti.me
-private_ip: 10.2.19.11
+internal_ipv4: 10.2.19.11
 
 apps_include:
   - nginx

host_vars/sapt-labs-db01.yml

@@ -2,4 +2,4 @@
 # code: language=ansible
 ---
 fqdn: sapt-labs-db01.stage.servers.sapti.me
-private_ip: 10.2.19.20
+internal_ipv4: 10.2.19.20

roles/apps/templates/compose-files/ipfs.yml.j2

@@ -14,8 +14,8 @@ services:
         aliases:
           - ipfs
     ports:
-      - 4001:4001/tcp
-      - 4001:4001/udp
+      - {{ ansible_hostname }}:4001:4001/tcp
+      - {{ ansible_hostname }}:4001:4001/udp
     volumes:
       - "./data/ipfs-config.sh:/container-init.d/ipfs-config.sh:ro"
       - "./data/data:/data/ipfs:rw"

roles/apps/templates/compose-files/monerod.yml.j2

@@ -10,7 +10,7 @@ services:
         aliases:
           - monerod
     ports:
-      - 18080:18080/tcp
+      - {{ ansible_hostname }}:18080:18080/tcp
     volumes:
       - "./data:/home/monero/.bitmonero:rw"
 

roles/apps/templates/compose-files/nginx.yml.j2

@@ -8,7 +8,7 @@ services:
     networks:
       - {{ apps_shared_docker_network }}
     ports:
-      - 8080:8080/tcp
+      - {{ internal_ipv4 }}:8080:8080/tcp
     volumes:
       - "./data/conf.d:/etc/nginx/conf.d:ro"
 

roles/common/tasks/base.yml

@@ -35,12 +35,18 @@
         state: present
       notify: Restart systemd-resolved
 
-- name: Install packages via apt
+- name: Ensure UFW is absent
+  ansible.builtin.apt:
+    name: ufw
+    state: absent
+
+- name: Install system packages
   ansible.builtin.apt:
     name: "{{ pkgs }}"
+    update_cache: true
     state: present
   vars:
     pkgs:
       - apparmor
       - haveged
-      - ufw
+      - firewalld

roles/common/tasks/firewall.yml

@@ -1,15 +1,82 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Allow necessary ports in UFW
-  community.general.ufw:
-    to_port: "{{ item.port }}"
-    proto: "{{ item.proto }}"
-    comment: "{{ item.comment }}"
-    rule: allow
-  loop: "{{ open_ports }}"
-
-- name: Enable UFW
-  community.general.ufw:
-    policy: deny
+- name: Move DMZ network to zone 'dmz'
+  ansible.posix.firewalld:
+    zone: dmz
+    source: 192.168.17.0/24
+    permanent: true
+    immediate: true
     state: enabled
+
+- name: Move interface 'eth1' to zone 'internal'
+  ansible.posix.firewalld:
+    zone: internal
+    interface: eth1
+    permanent: true
+    immediate: true
+    state: enabled
+
+# Until sapt-labx-ctl01 is deployed
+- name: Allow incoming connections from main LAN to SSH port
+  ansible.posix.firewalld:
+    zone: dmz
+    source: 192.168.1.0/24
+    service: ssh
+    permanent: true
+    immediate: true
+    state: enabled
+  when: true
+
+# When sapt-labx-ctl01 is deployed
+- name: Allow incoming connections from jump host to SSH port
+  ansible.posix.firewalld:
+    zone: dmz
+    source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
+    service: ssh
+    permanent: true
+    immediate: true
+    state: enabled
+  when: false
+
+- name: Firewall rules for group 'control_infra'
+  when: hostname in groups['control_infra']
+  block:
+    - name: Allow incoming connections from main LAN to SSH port
+      ansible.posix.firewalld:
+        zone: dmz
+        source: 192.168.1.0/24
+        service: ssh
+        permanent: true
+        immediate: true
+        state: enabled
+
+    - name: Allow incoming connections from LAN to DNS port
+      ansible.posix.firewalld:
+        zone: dmz
+        source: 192.168.0.0/16
+        port: 53/{{ item }}
+        permanent: true
+        immediate: true
+        state: enabled
+      loop:
+        - tcp
+        - udp
+
+- name: Firewall rules for production and staging
+  loop:
+    - prod
+    - stage
+  loop_control:
+    loop_var: env
+  block:
+    - name: Allow incoming connections from app servers to PostgreSQL
+      ansible.posix.firewalld:
+        zone: internal
+        source: "{{ hostvars[item].internal_ipv4 }}"
+        port: 5432/tcp
+        permanent: true
+        immediate: true
+        state: enabled
+      loop: "{{ groups['app_' + env] }}"
+      when: hostname in groups['db_' + env]

roles/common/templates/etc/hosts.j2

@@ -13,7 +13,7 @@ ff02::3 ip6-allhosts
 {% if hostname in groups['virtualservers'] %}
 # Static hostnames for other VMs
 {% for host in groups['virtualservers'] %}
-{{ hostvars[host].private_ip }} {{ hostvars[host].fqdn }}
+{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
 {% endfor %}
 {% elif hostname in groups['control_infra'] %}
 # Static hostnames for VM hosts