---
# UFW Firewall configuration for Forgejo
# Restricts SSH access to Tailscale interface only
# Only exposes HTTP/HTTPS to the public internet

- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: yes
  become: yes
  tags:
    - install
    - ufw

- name: Deploy Forgejo UFW application profile
  ansible.builtin.template:
    src: ufw-forgejo.j2
    dest: /etc/ufw/applications.d/forgejo
    owner: root
    group: root
    mode: '0644'
  become: yes
  tags:
    - configure
    - ufw

- name: Reset UFW to default (clean slate)
  community.general.ufw:
    state: reset
  become: yes
  tags:
    - configure
    - ufw

- name: Set default incoming policy to deny
  community.general.ufw:
    direction: incoming
    policy: deny
  become: yes
  tags:
    - configure
    - ufw

- name: Set default outgoing policy to allow
  community.general.ufw:
    direction: outgoing
    policy: allow
  become: yes
  tags:
    - configure
    - ufw

- name: Allow all traffic on Tailscale interface
  community.general.ufw:
    rule: allow
    interface: "{{ tailscale_interface }}"
    direction: in
    comment: "Allow all Tailscale traffic (SSH, monitoring, internal services)"
  become: yes
  tags:
    - configure
    - ufw

- name: Allow Docker network to access host services
  community.general.ufw:
    rule: allow
    from_ip: 172.16.0.0/12
    comment: "Allow Docker containers to access host services (PostgreSQL, etc.)"
  become: yes
  tags:
    - configure
    - ufw

# Public-facing ports (Caddy handles HTTPS)
- name: Allow HTTP (Caddy)
  community.general.ufw:
    rule: allow
    port: "80"
    proto: tcp
    comment: "HTTP - Caddy (redirects to HTTPS)"
  become: yes
  tags:
    - configure
    - ufw

- name: Allow HTTPS (Caddy)
  community.general.ufw:
    rule: allow
    port: "443"
    proto: tcp
    comment: "HTTPS - Caddy/Forgejo"
  become: yes
  tags:
    - configure
    - ufw

# Git SSH is only accessible via Tailscale (through the interface rule above)
# Regular SSH is only accessible via Tailscale (through the interface rule above)

- name: Enable UFW logging
  community.general.ufw:
    logging: "on"
  become: yes
  tags:
    - configure
    - ufw

- name: Enable UFW
  community.general.ufw:
    state: enabled
  become: yes
  tags:
    - configure
    - ufw

- name: Display UFW security configuration
  ansible.builtin.debug:
    msg: |
      ===============================================================
      FIREWALL CONFIGURED - SECURITY SUMMARY
      ===============================================================

      PUBLIC ACCESS (from anywhere):
        - Port 80/tcp  (HTTP - redirects to HTTPS)
        - Port 443/tcp (HTTPS - Forgejo web interface)

      TAILSCALE-ONLY ACCESS (via {{ tailscale_interface }}):
        - Port 22/tcp   (SSH - system administration)
        - Port 2222/tcp (Git SSH - clone/push/pull)
        - Port 3000/tcp (Forgejo internal - for debugging)
        - Port 9090/tcp (Prometheus - if enabled)
        - All other internal services

      Git clone URLs:
        - HTTPS (public):  https://{{ forgejo_domain }}/user/repo.git
        - SSH (Tailscale): git@:user/repo.git

      To access SSH after this change:
        ssh root@
      ===============================================================
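A post-deployment check that the resulting rule set really matches the summary the playbook prints: only 80/tcp and 443/tcp open to Anywhere, default incoming policy deny, logging on, and the only path to SSH an allow rule bound to the Tailscale interface. This is an added example, not part of the playbook or of Forgejo; it parses the text format of `ufw status verbose`. The sample output is constructed to mirror the rules the tasks above create, and `tailscale0` is an assumed value for `{{ tailscale_interface }}`. The second, deliberately broken sample shows what a regression (SSH opened to the world, default policy flipped) looks like to the audit.

```python
"""Audit `ufw status verbose` output against the intended Forgejo policy.

Added example, not part of the playbook above. Constructed sample output
mirrors the rules the playbook creates; `tailscale0` is an assumption
for {{ tailscale_interface }}.
"""
import re

# Constructed sample in the format printed by `ufw status verbose`.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere                   # HTTP - Caddy (redirects to HTTPS)
443/tcp                    ALLOW IN    Anywhere                   # HTTPS - Caddy/Forgejo
Anywhere on tailscale0     ALLOW IN    Anywhere                   # Allow all Tailscale traffic
Anywhere                   ALLOW IN    172.16.0.0/12              # Allow Docker containers to access host services
80/tcp (v6)                ALLOW IN    Anywhere (v6)              # HTTP - Caddy (redirects to HTTPS)
443/tcp (v6)               ALLOW IN    Anywhere (v6)              # HTTPS - Caddy/Forgejo
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)             # Allow all Tailscale traffic
"""

# Constructed regression: default policy flipped and SSH exposed publicly.
BAD_STATUS = SAMPLE_STATUS.replace("deny (incoming)", "allow (incoming)") + (
    "22/tcp                     ALLOW IN    Anywhere                   # OpenSSH\n"
)

PUBLIC_PORTS = {"80/tcp", "443/tcp"}   # the only services meant to face the internet
TAILSCALE_IFACE = "tailscale0"         # assumed value of {{ tailscale_interface }}

# One rule row: "<to>  <ACTION> <DIR>  <from>  [# comment]"; "to" may contain
# "on <iface>" and either column may carry a "(v6)" suffix.
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<direction>IN|OUT|FWD)\s+"
    r"(?P<src>\S+(?: \(v6\))?)\s*(?:#\s*(?P<comment>.*))?$"
)


def parse_status(text):
    """Return (default policies by scope, list of raw rule dicts)."""
    defaults, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"^Default:\s*(.*)$", line)
        if m:
            for part in m.group(1).split(","):
                policy, scope = part.strip().split(" ", 1)
                defaults[scope.strip("()")] = policy
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return defaults, rules


def normalise(rule):
    """Strip (v6) markers and split an interface-bound 'to' column."""
    to = rule["to"].replace(" (v6)", "")
    iface = None
    if " on " in to:
        to, iface = to.split(" on ", 1)
    return {"to": to, "iface": iface, "src": rule["src"].replace(" (v6)", ""),
            "action": rule["action"], "direction": rule["direction"]}


def audit(text):
    """Return a list of findings; an empty list means the policy is as intended."""
    defaults, raw = parse_status(text)
    rules = [normalise(r) for r in raw]
    findings = []
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    if not re.search(r"^Logging: on", text, re.M):
        findings.append("logging is off")
    # Allow rules reachable from any source on any interface are the public surface.
    public = {r["to"] for r in rules if r["action"] == "ALLOW" and r["direction"] == "IN"
              and r["src"] == "Anywhere" and r["iface"] is None}
    for to in sorted(public - PUBLIC_PORTS):
        findings.append(f"unexpected public allow rule: {to}")
    for to in sorted(PUBLIC_PORTS - public):
        findings.append(f"missing public allow rule: {to}")
    if not any(r["iface"] == TAILSCALE_IFACE and r["action"] == "ALLOW" for r in rules):
        findings.append(f"no allow rule bound to {TAILSCALE_IFACE}")
    return findings


if __name__ == "__main__":
    # On a real host: audit(subprocess.check_output(["ufw", "status", "verbose"], text=True))
    for label, status in (("expected", SAMPLE_STATUS), ("regression", BAD_STATUS)):
        print(label, audit(status) or "OK")
```

The audit treats any ALLOW IN rule whose source is `Anywhere` and which is not bound to an interface as public, so the Docker rule (source restricted to 172.16.0.0/12) and the Tailscale rule (bound to the interface) are not counted against the public surface, while a stray `22/tcp ALLOW IN Anywhere` is reported immediately.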