Moved ufw firewall rules into individual roles

README.textile

@@ -151,7 +151,7 @@ For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/gi
 
 h3. 5. Run the Ansible Playbooks
 
-First, make sure you've "got Ansible installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
+First, make sure you've "got Ansible 1.6+ installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
 
 To run the whole dang thing:
 

roles/common/tasks/ufw.yml

@@ -5,24 +5,18 @@
 - name: Install ufw
   apt: pkg=ufw state=present
 
-- name: Set firewall rules
-  command: ufw allow {{ item }}
-  register: ufw_result
-  changed_when: "ufw_result.stdout.startswith('Rule')"
+- name: Set firewall rule for DNS
+  ufw: rule=allow port=domain
+
+- name: Set firewall rule for mosh
+  ufw: rule=allow port=60000:61000 proto=udp
+
+- name: Set firewall rules for web traffic and SSH
+  ufw: rule=allow port={{ item }} proto=tcp
   with_items:
-    - smtp/tcp
-    - domain
-    - http/tcp
-    - https/tcp
-    - ssh/tcp
-    - ssmtp/tcp
-    - pop3s/tcp
-    - imaps/tcp
-    - 5222/tcp  # xmpp c2s
-    - 5269/tcp  # xmpp s2s
-    - 6697/tcp  # znc
-    - "{{ openvpn_port }}/{{ openvpn_protocol }}"
-    - 60000:61000/udp  # mosh udp packets
+    - ssh
+    - http
+    - https
 
 - name: Check status of ufw
   command: ufw status
@@ -35,9 +29,9 @@
   changed_when: False  # never report as "changed"
 
 - name: Disable logging (workaround for known bug in Debian 7)
-  command: ufw logging off
+  ufw: logging=off
   when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
 
 - name: Enable ufw
-  command: ufw --force enable
+  ufw: state=enabled
   when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"

roles/ircbouncer/tasks/znc.yml

@@ -54,5 +54,8 @@
   template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
 
+- name: Set firewall rule for znc
+  ufw: rule=allow port=6697 proto=tcp
+
 - name: Ensure znc is a system service
   service: name=znc state=started enabled=true

roles/mailserver/tasks/dovecot.yml

@@ -48,3 +48,9 @@
   file: state=directory path=/etc/dovecot
           group=dovecot owner=vmail mode=770 recurse=yes
   notify: restart dovecot
+
+- name: Set firewall rules for dovecot
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - pop3s
+    - imaps

roles/mailserver/tasks/postfix.yml

@@ -49,3 +49,9 @@
     - pgsql-virtual-mailbox-maps.cf
     - pgsql-virtual-alias-maps.cf
   notify: restart postfix
+
+- name: Set firewall rules for postfix
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - smtp
+    - ssmtp

roles/vpn/tasks/openvpn.yml

@@ -131,6 +131,9 @@
     - iptables -A FORWARD -j REJECT
     - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 
+- name: Allow OpenVPN through ufw
+  ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
+
 - name: Copy OpenVPN configuration file into place
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn

roles/xmpp/tasks/prosody.yml

@@ -20,3 +20,9 @@
 - name: Create Prosody accounts
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
   with_items: prosody_accounts
+
+- name: Set firewall rules for Prosody
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - 5222  # xmpp c2s
+    - 5269  # xmpp s2s