CIS + inital

roles/secure_firewall/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+# Secure Firewall Role - Main Tasks
+
+- name: Include UFW firewall tasks
+  ansible.builtin.include_tasks: ufw.yml
+  when: firewall_backend == "ufw"
+
+- name: Include VPN-only access tasks
+  ansible.builtin.include_tasks: vpn_only.yml
+  when: vpn_only_mode | bool

roles/secure_firewall/tasks/ufw.yml

@@ -0,0 +1,46 @@
+---
+# UFW Firewall Configuration Tasks
+
+- name: Ensure UFW is installed
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+
+- name: Reset UFW to default state
+  community.general.ufw:
+    state: reset
+  when: firewall_reset | default(false) | bool
+
+- name: Set UFW default policies
+  community.general.ufw:
+    direction: "{{ item.direction }}"
+    policy: "{{ item.policy }}"
+  loop:
+    - { direction: 'incoming', policy: "{{ firewall_default_input_policy }}" }
+    - { direction: 'outgoing', policy: "{{ firewall_default_output_policy }}" }
+    - { direction: 'routed', policy: "{{ firewall_default_forward_policy }}" }
+
+- name: Allow public ports (unrestricted)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+    comment: "{{ item.comment }}"
+  loop: "{{ public_ports }}"
+
+- name: Configure UFW logging
+  community.general.ufw:
+    logging: "{{ firewall_logging }}"
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+
+- name: Display firewall status
+  ansible.builtin.command: ufw status verbose
+  register: ufw_status
+  changed_when: false
+
+- name: Show firewall status
+  ansible.builtin.debug:
+    var: ufw_status.stdout_lines

roles/secure_firewall/tasks/vpn_only.yml

@@ -0,0 +1,83 @@
+---
+# VPN-Only Access Configuration Tasks
+
+- name: Validate management_allowed_sources is defined
+  ansible.builtin.assert:
+    that:
+      - management_allowed_sources is defined
+      - management_allowed_sources | length > 0
+    fail_msg: "management_allowed_sources must be defined and non-empty when vpn_only_mode is true"
+    success_msg: "Management access sources configured: {{ management_allowed_sources | join(', ') }}"
+
+- name: Restrict management ports to allowed sources only
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.0.port }}"
+    proto: "{{ item.0.proto }}"
+    from_ip: "{{ item.1 }}"
+    comment: "{{ item.0.comment }} (from {{ item.1 }})"
+  loop: "{{ management_ports | product(management_allowed_sources) | list }}"
+  loop_control:
+    label: "{{ item.0.comment }} port {{ item.0.port }} from {{ item.1 }}"
+
+- name: Apply SSH rate limiting for each allowed source
+  community.general.ufw:
+    rule: limit
+    port: "22"
+    proto: tcp
+    from_ip: "{{ item }}"
+  loop: "{{ management_allowed_sources }}"
+  when: ssh_rate_limit | bool
+
+- name: Deny management ports from all other sources
+  community.general.ufw:
+    rule: deny
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+    comment: "Block {{ item.comment }} from public"
+  loop: "{{ management_ports }}"
+
+- name: Create VPN-only access summary
+  ansible.builtin.copy:
+    dest: /root/firewall-config.txt
+    content: |
+      # Firewall Configuration Summary
+      
+      ## VPN-Only Mode: ENABLED
+      
+      ## Management Access Allowed From:
+      {% for source in management_allowed_sources %}
+      - {{ source }}
+      {% endfor %}
+      
+      ## Management Ports (Restricted Access):
+      {% for port in management_ports %}
+      - {{ port.port }}/{{ port.proto }} - {{ port.comment }}
+      {% endfor %}
+      
+      ## Public Ports (Unrestricted):
+      {% for port in public_ports %}
+      - {{ port.port }}/{{ port.proto }} - {{ port.comment }}
+      {% endfor %}
+      
+      ## Security Notes:
+      - Management access ONLY from: {{ management_allowed_sources | join(', ') }}
+      - SSH is rate-limited to prevent brute force
+      - Default policy: DENY all incoming (except allowed above)
+      - Logging level: {{ firewall_logging }}
+      
+      ## To view firewall rules:
+      sudo ufw status verbose
+      
+      ## To modify rules:
+      Edit inventory variables and re-run playbook
+    mode: '0600'
+
+- name: Display VPN-only configuration
+  ansible.builtin.debug:
+    msg:
+      - "VPN-Only Mode: ENABLED"
+      - "Management access allowed from: {{ management_allowed_sources | join(', ') }}"
+      - "Management ports are ONLY accessible from allowed sources"
+      - "Public ports remain accessible from internet"
+      - "Configuration saved to /root/firewall-config.txt"