refactor(infrastructure): update traefik, firewall, docker, watchtower configurations

2026-03-06 14:31:02 -05:00 · 2026-03-06 14:31:02 -05:00 · 0cc53c9976
commit 0cc53c9976
parent 8c834ee7d7
5 changed files with 54 additions and 16 deletions
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -85,18 +85,6 @@
    mode: "0755"
  when: ansible_facts['os_family'] == "Debian" and (docker_ce_install is defined and docker_ce_install is failed)

- name: Check if Docker Desktop is running on macOS
-  command: >
-    osascript -e 'tell application "Docker" to get the running'
-  register: docker_desktop_running
-  ignore_errors: true
-  when: ansible_facts['os_family'] == "Darwin"
-
- name: Notify if Docker Desktop is not running
-  debug:
-    msg: "Docker Desktop is not running. Please start Docker Desktop."
-  when: ansible_facts['os_family'] == "Darwin" and docker_desktop_running is defined and docker_desktop_running.rc != 0
-
 - name: Start and enable Docker service on Linux
  service:
    name: docker
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -1,4 +1,46 @@
 ---
+- name: Ensure UFW is installed
+  apt:
+    name: ufw
+    state: present
+
+- name: Configure UFW defaults
+  command: "ufw {{ item }}"
+  loop:
+    - default deny incoming
+    - default allow outgoing
+  changed_when: false
+
+- name: Allow SSH through UFW
+  command: "ufw allow {{ ansible_port | default(22) }}/tcp"
+  changed_when: false
+
+- name: Rate limit SSH attempts
+  command: "ufw limit {{ ansible_port | default(22) }}/tcp"
+  changed_when: false
+
+- name: Allow HTTP through UFW
+  command: ufw allow 80/tcp
+  changed_when: false
+
+- name: Allow HTTPS through UFW
+  command: ufw allow 443/tcp
+  changed_when: false
+
+- name: Allow Cloudflare IPs through UFW
+  command: "ufw allow from {{ item }}"
+  loop: "{{ cloudflare_ips }}"
+  changed_when: false
+
+- name: Enable UFW
+  command: ufw --force enable
+  changed_when: false
+
+- name: Set UFW logging to low
+  command: ufw logging low
+  register: ufw_logging
+  changed_when: "'Logging enabled' in ufw_logging.stdout"
+
 - name: Ensure iptables persistence packages are installed
  apt:
    name:
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -91,6 +91,7 @@
            middlewares:
              - security-headers
              - compress
+              - authelia

          prometheus:
            rule: "Host(`{{ prometheus_hostname }}`)"
--- a/roles/traefik/templates/home-docker-compose.yml.j2
+++ b/roles/traefik/templates/home-docker-compose.yml.j2
@ -5,8 +5,6 @@ services:
      - --api.dashboard=true
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
-      - --providers.docker=true
-      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
@ -23,12 +21,16 @@ services:
    environment:
      - CF_DNS_API_TOKEN={{ traefik_cloudflare_dns_api_token }}
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
      - {{ traefik_dir }}/letsencrypt:/letsencrypt
      - {{ traefik_dir }}/dynamic:/etc/traefik/dynamic
    networks:
      - proxy
    restart: always
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=50m

 networks:
  proxy:
--- a/roles/watchtower/templates/docker-compose.yml.j2
+++ b/roles/watchtower/templates/docker-compose.yml.j2
@ -1,9 +1,14 @@
 services:
  watchtower:
-    image: containrrr/watchtower:1.7
+    image: containrrr/watchtower:1.7.1
    command: --label-enable --cleanup --interval 3600
    environment:
      DOCKER_API_VERSION: "1.44"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=10m