outsourcing

playbooks/nginx/nginx.yml

@@ -28,6 +28,14 @@
         group: root
         mode: '0644'
 
+    - name: Copy html content
+      ansible.builtin.copy:
+        src: www/
+        dest: /var/www
+        owner: www-data
+        group: www-data
+        mode: '0644'
+
     - name: Restart nginx
       ansible.builtin.service:
         name: nginx

playbooks/ufw/ufw.yml

@@ -17,41 +17,25 @@
         port: "22"
         proto: tcp
 
-    - name: UFW - Allow TCP in
+    - name: UFW - Allow backup SSH
+      community.general.ufw:
+        rule: allow
+        port: "4444"
+        proto: tcp
+
+    - name: UFW - Allow tcp in
       community.general.ufw:
         rule: allow
         port: '{{ item }}'
         proto: tcp
       loop:
-        - "80"
         - "139" # samba
-        - "443"
         - "445" # samba
-        - "8448" # matrix federation
+        - "80"
+        - "443"
+        - "2222"
 
-    - name: UFW - Allow TCP forward
-      community.general.ufw:
-        rule: allow
-        port: '{{ item }}'
-        proto: tcp
-        route: true
-      loop:
-        - "25" # mail
-        - "465" # mail
-        - "587" # mail
-        - "993" # mail
-        - "2222" # gitbee ssh
-        - "8448" # matrix federation
-
-    - name: UFW - Allow SMTP return
-      community.general.ufw:
-        rule: allow
-        route: true
-        interface_in: wg0
-        proto: tcp
-        to_port: "25"
-
-    - name: UFW - Allow UDP in
+    - name: UFW - Allow udp in
       community.general.ufw:
         rule: allow
         port: '{{ item }}'
@@ -60,6 +44,33 @@
         - "137" # samba
         - "138" # samba
 
+    - name: UFW - Allow wireguard ingress tcp
+      community.general.ufw:
+        rule: allow
+        interface_in: wg0
+        proto: tcp
+        to_port: '{{ item }}'
+      loop:
+        - "80"
+        - "443"
+        - "4444" # backup ssh
+        - "8448" # matrix federation
+
+    - name: UFW - Allow wireguard routing tcp
+      community.general.ufw:
+        rule: allow
+        interface_in: wg0
+        route: true
+        proto: tcp
+        to_port: '{{ item }}'
+      loop:
+        - "25" # mail
+        - "465" # mail
+        - "587" # mail
+        - "993" # mail
+        - "2222" # gitbee ssh
+        - "8448" # matrix federation
+
     - name: UFW - Limiting
       community.general.ufw:
         rule: limit
@@ -85,11 +96,6 @@
         proto: "udp"
         to_port: 53
 
-    - name: UFW - Allow wireguard incoming
-      community.general.ufw:
-        rule: allow
-        interface_in: wg0
-
     - name: UFW - Allow wireguard outgoing
       community.general.ufw:
         rule: allow
@@ -102,34 +108,6 @@
         interface_out: wg0
         route: true
 
-    - name: UFW - Allow wireguard to local network
-      community.general.ufw:
-        rule: allow
-        interface_in: wg0
-        interface_out: eth0
-        route: true
-
-    - name: UFW - Allow wireguard to podman
-      community.general.ufw:
-        rule: allow
-        interface_in: wg0
-        interface_out: podman+
-        route: true
-
-    - name: UFW - Allow podman to wireguard
-      community.general.ufw:
-        rule: allow
-        interface_in: podman+
-        interface_out: wg0
-        route: true
-
-    - name: UFW - Allow local network to wireguard
-      community.general.ufw:
-        rule: allow
-        interface_in: eth0
-        interface_out: wg0
-        route: true
-
     - name: UFW - Allow local network to podman
       community.general.ufw:
         rule: allow