forgejo-autohebergement/ansible/roles/forgejo/tasks/ufw.yml
Horacio Duran 822e42dbb8 Add Template to deploy forgejo.
This template allows deploying a Forgejo instance on either Scaleway or Hetzner
(untested) without much knowledge about them.
It DOES require knowledge about Terragrunt and ansible. A wizard of
sorts is provided but it will not guarantee success without some
knowledge about the underlying technology.
2026-01-09 16:07:44 +01:00


---
# UFW Firewall configuration for Forgejo
# Restricts SSH access to Tailscale interface only
# Only exposes HTTP/HTTPS to the public internet
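# Install the ufw package; apt cache is refreshed first so a fresh image does
# not fail on a stale index.
- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: true
  become: true
  tags:
    - install
    - ufw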
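# Render the UFW application profile (source: ufw-forgejo.j2, not shown here)
# into /etc/ufw/applications.d so `ufw app list` can see it. Root-owned and
# world-readable, like the other files in that directory.
# NOTE(review): no task in this file references the profile by name; unless a
# rule elsewhere uses it, the profile is informational only -- confirm.
- name: Deploy Forgejo UFW application profile
  ansible.builtin.template:
    src: ufw-forgejo.j2
    dest: /etc/ufw/applications.d/forgejo
    owner: root
    group: root
    mode: '0644'
  become: true
  tags:
    - configure
    - ufw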
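# `state: reset` disables UFW and removes every rule, so from here until the
# "Enable UFW" task below the host has no packet filter; a failure in any task
# in between leaves the firewall disabled. It also reports "changed" on every
# run, so this role is not idempotent by design.
- name: Reset UFW to default (clean slate)
  community.general.ufw:
    state: reset
  become: true
  tags:
    - configure
    - ufw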
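# Default-deny for inbound traffic; everything accepted below is an explicit
# exception to this policy.
- name: Set default incoming policy to deny
  community.general.ufw:
    direction: incoming
    policy: deny
  become: true
  tags:
    - configure
    - ufw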
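# Outbound traffic is unrestricted (UFW's installation default).
- name: Set default outgoing policy to allow
  community.general.ufw:
    direction: outgoing
    policy: allow
  become: true
  tags:
    - configure
    - ufw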
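# Anything arriving on the Tailscale interface is accepted on every port; this
# is the only path for SSH and the internal services. `tailscale_interface`
# is a role variable defined outside this file.
- name: Allow all traffic on Tailscale interface
  community.general.ufw:
    rule: allow
    interface: "{{ tailscale_interface }}"
    direction: in
    comment: "Allow all Tailscale traffic (SSH, monitoring, internal services)"
  become: true
  tags:
    - configure
    - ufw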
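# Source-only match: any packet with a source in 172.16.0.0/12 is accepted on
# every interface and every port, not only on the Docker bridge. Restricting
# it with `interface:` plus `direction: in` would limit the rule to container
# traffic; the bridge name is not defined on this page -- TODO confirm.
- name: Allow Docker network to access host services
  community.general.ufw:
    rule: allow
    from_ip: 172.16.0.0/12
    comment: "Allow Docker containers to access host services (PostgreSQL, etc.)"
  become: true
  tags:
    - configure
    - ufw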
# Public-facing ports (Caddy handles HTTPS)
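# Public HTTP; the comment states Caddy answers here only to redirect to HTTPS.
- name: Allow HTTP (Caddy)
  community.general.ufw:
    rule: allow
    port: "80"
    proto: tcp
    comment: "HTTP - Caddy (redirects to HTTPS)"
  become: true
  tags:
    - configure
    - ufw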
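# Public HTTPS; together with port 80 this is the only inbound traffic accepted
# from the internet.
- name: Allow HTTPS (Caddy)
  community.general.ufw:
    rule: allow
    port: "443"
    proto: tcp
    comment: "HTTPS - Caddy/Forgejo"
  become: true
  tags:
    - configure
    - ufw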
# Git SSH is only accessible via Tailscale (through the interface rule above)
# Regular SSH is only accessible via Tailscale (through the interface rule above)
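# Turn on UFW logging ("on" is the module's low level) so denied packets show
# up in the system log for review. Quoted so YAML does not read it as boolean.
- name: Enable UFW logging
  community.general.ufw:
    logging: "on"
  become: true
  tags:
    - configure
    - ufw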
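# Activates the rule set built above. With incoming set to deny and no public
# SSH rule, new SSH sessions are accepted only via the Tailscale interface from
# this point on; the connection running this play should already be over
# Tailscale, otherwise it is presumably the last one admitted from the public
# address -- verify before running against a remote host.
- name: Enable UFW
  community.general.ufw:
    state: enabled
  become: true
  tags:
    - configure
    - ufw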
# Informational summary printed at the end of the role. The port list for
# Tailscale-only access reflects the interface-wide allow rule above, not
# per-port rules; the original indentation of this message is not recoverable
# from the source, so the lines are kept at a single indent.
- name: Display UFW security configuration
  ansible.builtin.debug:
    msg: |
      ===============================================================
      FIREWALL CONFIGURED - SECURITY SUMMARY
      ===============================================================
      PUBLIC ACCESS (from anywhere):
      - Port 80/tcp (HTTP - redirects to HTTPS)
      - Port 443/tcp (HTTPS - Forgejo web interface)
      TAILSCALE-ONLY ACCESS (via {{ tailscale_interface }}):
      - Port 22/tcp (SSH - system administration)
      - Port 2222/tcp (Git SSH - clone/push/pull)
      - Port 3000/tcp (Forgejo internal - for debugging)
      - Port 9090/tcp (Prometheus - if enabled)
      - All other internal services
      Git clone URLs:
      - HTTPS (public): https://{{ forgejo_domain }}/user/repo.git
      - SSH (Tailscale): git@<tailscale-hostname>:user/repo.git
      To access SSH after this change:
      ssh root@<tailscale-ip-or-hostname>
      ===============================================================