resist-vpn-infra/roles/secure_firewall/tasks/ufw.yml

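---
# UFW Firewall Configuration Tasks
#
# Task order matters: the package is installed, an optional reset runs,
# default policies and allow rules are written, and only then is UFW
# enabled, so the allow rules exist before enforcement starts.
#
# NOTE(review): nothing in this file explicitly allows the port Ansible
# connects on; if public_ports does not include it and the default incoming
# policy is deny/reject, enabling UFW will cut the managing connection —
# confirm the role's defaults cover this.

- name: Validate firewall variables
  # Fail before any package or firewall change so a typo does not leave the
  # host with half-applied rules; the ufw module only accepts allow, deny
  # or reject as a policy.
  ansible.builtin.assert:
    that:
      - firewall_default_input_policy in ['allow', 'deny', 'reject']
      - firewall_default_output_policy in ['allow', 'deny', 'reject']
      - firewall_default_forward_policy in ['allow', 'deny', 'reject']
      - public_ports is defined
    fail_msg: "firewall_default_*_policy must be allow, deny or reject and public_ports must be defined"

- name: Ensure UFW is installed
  ansible.builtin.apt:
    name: ufw
    state: present

- name: Reset UFW to default state
  # Only on explicit request: a reset disables UFW and drops every rule.
  community.general.ufw:
    state: reset
  when: firewall_reset | default(false) | bool

- name: Set UFW default policies
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: 'incoming', policy: "{{ firewall_default_input_policy }}" }
    - { direction: 'outgoing', policy: "{{ firewall_default_output_policy }}" }
    - { direction: 'routed', policy: "{{ firewall_default_forward_policy }}" }

- name: Allow public ports (unrestricted)
  # Each entry needs `port`; `proto` and `comment` are optional and are
  # left to the module defaults when an entry omits them.
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default(omit) }}"
    comment: "{{ item.comment | default(omit) }}"
  loop: "{{ public_ports }}"
  loop_control:
    label: "{{ item.port }}"

- name: Configure UFW logging
  community.general.ufw:
    logging: "{{ firewall_logging }}"

- name: Enable UFW
  # Last firewall-changing step: policies and allow rules are already in place.
  community.general.ufw:
    state: enabled

- name: Display firewall status
  # Read-only; never reports a change.
  ansible.builtin.command: ufw status verbose
  register: ufw_status
  changed_when: false

- name: Show firewall status
  ansible.builtin.debug:
    var: ufw_status.stdout_lines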