From 29edf2dba87962ca4a1dbfa44d5ed29236a39925 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 22 Jul 2023 15:47:41 +0200
Subject: [PATCH] Define open ports in global variable file

---
 group_vars/all/vars.yml | 14 ++++++++++++++
 roles/os_config/tasks/firewall.yml | 22 +++------------------
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 8c36234..c10c5ec 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -18,3 +18,17 @@ users:
 ssh_keys:
 - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
+
+open_ports:
+ - { port: '22', proto: 'tcp', comment: 'SSH' }
+ - { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
+ - { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' }
+ - { port: '80', proto: 'tcp', comment: 'HTTP' }
+ - { port: '81', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
+ - { port: '443', proto: 'tcp', comment: 'HTTPS' }
+ - { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' }
+ - { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' }
+ - { port: '5001', proto: 'tcp', comment: 'IPFS Kubo RPC API (not port-forwarded)' }
+ - { port: '18080', proto: 'tcp', comment: 'monerod P2P' }
+ - { port: '18089', proto: 'tcp', comment: 'monerod RPC' }
+ - { port: '51820', proto: 'udp', comment: 'Wireguard' }
diff --git a/roles/os_config/tasks/firewall.yml b/roles/os_config/tasks/firewall.yml
index 6da1684..10fe23f 100644
--- a/roles/os_config/tasks/firewall.yml
+++ b/roles/os_config/tasks/firewall.yml
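Review bot: The entries labelled "(not port-forwarded)" (53/tcp, 53/udp, 81/tcp, 5001/tcp) carry no source restriction, so the `rule: allow` task in roles/os_config/tasks/firewall.yml that consumes this list admits them from every host that can reach the machine; the comment documents an intent the firewall does not enforce, and 5001 is described here as the IPFS Kubo RPC API. Consider an optional per-entry source key, e.g. `- { port: '5001', proto: 'tcp', src: '<LAN_CIDR placeholder>', comment: 'IPFS Kubo RPC API (not port-forwarded)' }`, passed through by the task as `from_ip: "{{ item.src | default('any') }}"` (`from_ip` is the ufw module's source parameter and `src` one of its aliases), so the LAN-only rules are restricted at the rule level rather than by the comment alone. Quoting the port numbers as strings is correct and should be kept for future entries, since unquoted values like `0053` or `22:22` would be retyped by the YAML parser.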
@@ -4,25 +4,9 @@
 community.general.ufw:
 rule: allow
 port: "{{ item.port }}"
- proto: "{{ item.proto | default('tcp') }}"
- loop:
- - port: '22' # SSH
- - port: '53' # Pi-hole (not port-forwarded)
- proto: tcp
- - port: '53' # Pi-hole (not port-forwarded)
- proto: udp
- - port: '80' # HTTP
- - port: '81' # Pi-hole (not port-forwarded)
- - port: '443' # HTTPS
- - port: '4001' # IPFS Kubo P2P
- proto: tcp
- - port: '4001' # IPFS Kubo P2P
- proto: udp
- - port: '5001' # IPFS Kubo RPC API (not port-forwarded)
- - port: '18080' # monerod P2P
- - port: '18089' # monerod RPC
- - port: '51820' # Wireguard
- proto: udp
+ proto: "{{ item.proto }}"
+ comment: "{{ item.comment }}"
+ loop: "{{ open_ports }}"
 
 - name: Enable UFW
 community.general.ufw:
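Review bot: `proto: "{{ item.proto }}"` and `comment: "{{ item.comment }}"` now fail with an undefined-variable error for any `open_ports` entry that omits either key, whereas the removed line tolerated a missing proto via `default('tcp')`; since the list now lives in group_vars and will be edited apart from this task, keep the fallbacks: `proto: "{{ item.proto | default('tcp') }}"` and `comment: "{{ item.comment | default(omit) }}"`. The `comment` parameter also presumably needs a ufw release that supports rule comments, so this is worth a short note in the task if older targets are in the inventory. The task's `name:` line and the file's `---` header sit above the hunk, so the task name for this loop is not visible here.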