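---
# ufw host firewall for the "pi" host.
# Rule order matters: ufw matches first hit, and the firewall is only switched
# on (with default deny) in the last tasks, after the SSH allow rules already
# exist, so an interrupted run cannot lock the control connection out.
# Port values are written as quoted strings throughout; the module takes them
# as strings and quoting keeps every entry the same type.
- name: Nginx
  hosts: pi
  become: true
  tasks:
    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present

    - name: Logging
      community.general.ufw:
        logging: medium

    # Management access first, so it is present before default-deny is enabled.
    - name: UFW - Allow SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: UFW - Allow backup SSH
      community.general.ufw:
        rule: allow
        port: "4444"
        proto: tcp

    - name: UFW - Allow tcp in
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - "139"  # samba
        - "445"  # samba
        - "80"
        - "443"
        - "2222"

    - name: UFW - Allow udp in
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: udp
      loop:
        - "137"  # samba
        - "138"  # samba

    - name: UFW - Allow wireguard ingress tcp
      community.general.ufw:
        rule: allow
        interface_in: wg0
        proto: tcp
        to_port: "{{ item }}"
      loop:
        - "80"
        - "443"
        - "4444"  # backup ssh
        - "8448"  # matrix federation

    - name: UFW - Allow wireguard routing tcp
      community.general.ufw:
        rule: allow
        interface_in: wg0
        route: true
        proto: tcp
        to_port: "{{ item }}"
      loop:
        - "25"    # mail
        - "465"   # mail
        - "587"   # mail
        - "993"   # mail
        - "2222"  # gitbee ssh
        - "8448"  # matrix federation

    # Rate-limit routed mail ports from any interface; the wg0 allow rules
    # above are matched first, so this only affects non-wg0 routed traffic.
    - name: UFW - Limiting
      community.general.ufw:
        rule: limit
        port: "{{ item }}"
        proto: tcp
        route: true
      loop:
        - "465"  # mail
        - "587"  # mail
        - "993"  # mail

    - name: UFW - Allow podman forwarding
      community.general.ufw:
        rule: allow
        interface_in: podman+
        interface_out: podman+
        route: true

    - name: UFW - Enable DNS from podman
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: udp
        to_port: "53"

    - name: UFW - Allow wireguard outgoing
      community.general.ufw:
        rule: allow
        interface_out: wg0

    - name: UFW - Allow wireguard forwarding
      community.general.ufw:
        rule: allow
        interface_in: wg0
        interface_out: wg0
        route: true

    - name: UFW - Allow local network to podman
      community.general.ufw:
        rule: allow
        interface_in: eth0
        interface_out: podman+
        route: true

    - name: UFW - Allow podman to local network
      community.general.ufw:
        rule: allow
        interface_in: podman+
        interface_out: eth0
        route: true

    - name: UFW - Allow node exporter scraping
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: tcp
        to_port: "9100"

    - name: UFW - Allow podman exporter scraping
      community.general.ufw:
        rule: allow
        interface_in: podman+
        proto: tcp
        to_port: "9882"

    # Only now is the firewall turned on with a deny-by-default policy;
    # every allow rule above is already in place at this point.
    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

    # Use the module's reload state instead of shelling out to `ufw reload`,
    # so the task is reported like the other ufw tasks rather than forced
    # to "changed" on every run.
    - name: UFW - Reload firewall
      community.general.ufw:
        state: reloaded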