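---
# Firewall baseline for the "pi" host: install ufw, write every allow rule
# first, and only then enable the firewall with a default-deny incoming
# policy, so there is no window where the host is either fully open or
# locked out while the rule set is being built.
- name: Nginx
  hosts: pi
  become: true
  tasks:
    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present

    - name: Logging
      community.general.ufw:
        logging: "low"

    # route: true turns this into a FORWARD-chain ("ufw route") rule; it does
    # not by itself admit SSH to the host on eth0.
    # NOTE(review): confirm this is intended — host SSH may instead be reached
    # over wg0, which is allowed in full further down.
    - name: Allow SSH
      community.general.ufw:
        rule: allow
        name: OpenSSH
        route: true

    # Same remark as for SSH: forwarded traffic only.
    - name: Allow samba
      community.general.ufw:
        rule: allow
        name: samba
        route: true

    # Host-level (INPUT) rules for the mail ports; no route: true here.
    - name: Allow Mail
      community.general.ufw:
        rule: allow
        port: '{{ item }}'
        proto: tcp
      loop:
        - "465"
        - "25"
        - "587"
        - "110"
        - "995"
        - "143"
        - "993"

    - name: UFW - Allow HTTP connections
      community.general.ufw:
        rule: allow
        port: "80"
        proto: tcp
        route: true

    - name: UFW - Allow HTTPS connections
      community.general.ufw:
        rule: allow
        port: "443"
        proto: tcp
        route: true

    - name: UFW - Allow gitbee ssh
      community.general.ufw:
        rule: allow
        port: "2222"
        proto: tcp
        route: true

    - name: UFW - Allow matrix federation
      community.general.ufw:
        rule: allow
        port: "8448"
        proto: tcp
        route: true

    # "podman+" is ufw's interface wildcard: any interface whose name starts
    # with "podman".
    - name: UFW - Allow podman forwarding
      community.general.ufw:
        rule: allow
        interface_in: podman+
        interface_out: podman+
        route: true

    # No port or proto restriction: every wg0 peer can reach every service
    # the host listens on.
    - name: UFW - Allow wireguard incoming
      community.general.ufw:
        rule: allow
        interface_in: wg0

    - name: UFW - Allow wireguard outgoing
      community.general.ufw:
        rule: allow
        interface_out: wg0

    - name: UFW - Allow wireguard forwarding
      community.general.ufw:
        rule: allow
        interface_in: wg0
        interface_out: wg0
        route: true

    # wg0 peers may be forwarded onto the LAN behind eth0 (any port/proto).
    - name: UFW - Allow wireguard to local network
      community.general.ufw:
        rule: allow
        interface_in: wg0
        interface_out: eth0
        route: true

    - name: UFW - Allow wireguard to podman
      community.general.ufw:
        rule: allow
        interface_in: wg0
        interface_out: podman+
        route: true

    - name: UFW - Allow podman to wireguard
      community.general.ufw:
        rule: allow
        interface_in: podman+
        interface_out: wg0
        route: true

    - name: UFW - Allow local network to wireguard
      community.general.ufw:
        rule: allow
        interface_in: eth0
        interface_out: wg0
        route: true

    - name: UFW - Allow podman forwarding 2
      community.general.ufw:
        rule: allow
        interface_in: eth0
        interface_out: podman+
        route: true

    - name: UFW - Allow podman forwarding 3
      community.general.ufw:
        rule: allow
        interface_in: podman+
        interface_out: eth0
        route: true

    # Containers may query the host resolver on 53/udp (INPUT rule, no route).
    - name: UFW - Enable DNS
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: "udp"
        to_port: 53

    # Exporter ports are reachable only from container interfaces, not eth0.
    - name: UFW - Allow node exporter scraping
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: "tcp"
        to_port: 9100

    - name: UFW - Allow podman exporter scraping
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: "tcp"
        to_port: 9882

    # Enabled last, after all allow rules exist. Without a direction,
    # "default: deny" sets ufw's incoming policy; outgoing and routed
    # policies are left at their current values.
    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

    # Use the module's own reload instead of shelling out to "ufw reload":
    # it reports "changed" only when the firewall state actually differs,
    # rather than unconditionally via changed_when: true.
    - name: UFW - Reload firewall
      community.general.ufw:
        state: reloaded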