From 0cc53c99769033df2ca29ec4621144b03ac83bd1 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:31:02 -0500
Subject: [PATCH] refactor(infrastructure): update traefik, firewall, docker, watchtower configurations
---
 roles/docker/tasks/main.yml | 12 ------
 roles/firewall/tasks/main.yml | 42 +++++++++++++++++++
 roles/traefik/tasks/main.yml | 1 +
 .../templates/home-docker-compose.yml.j2 | 8 ++--
 .../templates/docker-compose.yml.j2 | 7 +++-
 5 files changed, 54 insertions(+), 16 deletions(-)
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 863141f..6929c54 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -85,18 +85,6 @@
 mode: "0755"
 when: ansible_facts['os_family'] == "Debian" and (docker_ce_install is defined and docker_ce_install is failed)
-- name: Check if Docker Desktop is running on macOS
- command: >
- osascript -e 'tell application "Docker" to get the running'
- register: docker_desktop_running
- ignore_errors: true
- when: ansible_facts['os_family'] == "Darwin"
-
-- name: Notify if Docker Desktop is not running
- debug:
- msg: "Docker Desktop is not running. Please start Docker Desktop."
- when: ansible_facts['os_family'] == "Darwin" and docker_desktop_running is defined and docker_desktop_running.rc != 0
-
 - name: Start and enable Docker service on Linux
 service:
 name: docker
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 4cf17b6..7625d17 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -1,4 +1,46 @@
 ---
+- name: Ensure UFW is installed
+ apt:
+ name: ufw
+ state: present
+
+- name: Configure UFW defaults
+ command: "ufw {{ item }}"
+ loop:
+ - default deny incoming
+ - default allow outgoing
+ changed_when: false
+
+- name: Allow SSH through UFW
+ command: "ufw allow {{ ansible_port | default(22) }}/tcp"
+ changed_when: false
+
+- name: Rate limit SSH attempts
+ command: "ufw limit {{ ansible_port | default(22) }}/tcp"
+ changed_when: false
+
+- name: Allow HTTP through UFW
+ command: ufw allow 80/tcp
+ changed_when: false
+
+- name: Allow HTTPS through UFW
+ command: ufw allow 443/tcp
+ changed_when: false
+
+- name: Allow Cloudflare IPs through UFW
+ command: "ufw allow from {{ item }}"
+ loop: "{{ cloudflare_ips }}"
+ changed_when: false
+
+- name: Enable UFW
+ command: ufw --force enable
+ changed_when: false
+
+- name: Set UFW logging to low
+ command: ufw logging low
+ register: ufw_logging
+ changed_when: "'Logging enabled' in ufw_logging.stdout"
+
 - name: Ensure iptables persistence packages are installed
 apt:
 name:
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 9279311..ebfaa50 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -91,6 +91,7 @@
 middlewares:
 - security-headers
 - compress
+ - authelia
 prometheus:
 rule: "Host(`{{ prometheus_hostname }}`)"
diff --git a/roles/traefik/templates/home-docker-compose.yml.j2 b/roles/traefik/templates/home-docker-compose.yml.j2
index f97c71e..2e21192 100644
--- a/roles/traefik/templates/home-docker-compose.yml.j2
+++ b/roles/traefik/templates/home-docker-compose.yml.j2
@@ -5,8 +5,6 @@ services:
 - --api.dashboard=true
 - --providers.file.directory=/etc/traefik/dynamic
 - --providers.file.watch=true
- - --providers.docker=true
- - --providers.docker.exposedbydefault=false
 - --entrypoints.web.address=:80
 - --entrypoints.web.http.redirections.entrypoint.to=websecure
 - --entrypoints.web.http.redirections.entrypoint.scheme=https
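Review bot: `ufw allow from {{ item }}` in the "Allow Cloudflare IPs through UFW" task opens every port to each listed range, not only the web ports, while 80/tcp and 443/tcp are already allowed from anywhere two tasks earlier; scope it with `command: "ufw allow from {{ item }} to any port 443 proto tcp"` (and 80 if still needed), and if the intent is to accept web traffic only via Cloudflare, drop the unrestricted 80/443 allows instead. The "Allow SSH through UFW" task inserts a plain allow for the SSH port before the `ufw limit` rule for the same port, and since ufw evaluates rules in insertion order the allow most likely matches first and the rate limit never triggers; keeping only the `limit` task is enough, as `limit` also allows. Note that `default deny incoming` does not cover ports published by Docker containers on this host, because dockerd installs its own iptables rules ahead of ufw's chains; the iptables persistence task that follows suggests the role handles this, but the DOCKER-USER chain handling is worth confirming. These `command` tasks with `changed_when: false` also re-run every play and hide real changes, which `community.general.ufw` would report idempotently.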
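Review bot: The `authelia` middleware added to the router above `prometheus` is not defined anywhere in this hunk; Traefik disables a router whose middleware reference cannot be resolved, so a missing or misrendered forwardAuth definition takes the site down rather than failing open, and a task or assertion that the middleware is present in the same dynamic configuration would catch that early. Consider also listing `- authelia` first, ahead of `- security-headers` and `- compress`, since Traefik applies middlewares in list order and rejecting unauthenticated requests before compression is cheaper and keeps error responses uniform. The router this list belongs to starts outside the hunk, and whether the `prometheus` router below carries the same protection is not visible here.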
@@ -23,12 +21,16 @@ services:
 environment:
 - CF_DNS_API_TOKEN={{ traefik_cloudflare_dns_api_token }}
 volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
 - {{ traefik_dir }}/letsencrypt:/letsencrypt
 - {{ traefik_dir }}/dynamic:/etc/traefik/dynamic
 networks:
 - proxy
 restart: always
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=50m
 networks:
 proxy:
diff --git a/roles/watchtower/templates/docker-compose.yml.j2 b/roles/watchtower/templates/docker-compose.yml.j2
index a2e94c8..ae134a4 100644
--- a/roles/watchtower/templates/docker-compose.yml.j2
+++ b/roles/watchtower/templates/docker-compose.yml.j2
@@ -1,9 +1,14 @@
 services:
 watchtower:
- image: containrrr/watchtower:1.7
+ image: containrrr/watchtower:1.7.1
 command: --label-enable --cleanup --interval 3600
 environment:
 DOCKER_API_VERSION: "1.44"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=10m
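Review bot: `read_only: true` on the Traefik service leaves the `{{ traefik_dir }}/letsencrypt` bind mount as the only persistent writable path (bind mounts are unaffected by the root-filesystem flag), which is what the ACME resolver needs; if a log or access-log file path is set in the static options earlier in this template, it would now have to point under `/tmp` or a mount, and that part of the template is outside the hunk. The hardening stops short of capabilities: `cap_drop: ["ALL"]` plus `cap_add: ["NET_BIND_SERVICE"]` (if the runtime still requires it to bind :80/:443) would complete the set next to `security_opt`. Removing the `docker.sock` mount here together with the Docker provider dropped in the earlier hunk of this file means routers previously discovered from container labels must now exist under `/etc/traefik/dynamic`; worth confirming before this is applied.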
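Review bot: The `security_opt`, `read_only` and `tmpfs` settings added to the watchtower service do not reduce the risk carried by the `/var/run/docker.sock` mount above them, which still gives the container full control of the Docker daemon (root-equivalent on the host); `no-new-privileges` and a read-only root only constrain the watchtower process itself. A socket proxy that exposes only the API routes watchtower needs, or at least a comment on the volume line stating that this service is deliberately trusted at daemon level, would make the trade-off explicit. The tag bump to `1.7.1` still lets a retagged upstream image change what is pulled; `image: containrrr/watchtower:1.7.1@sha256:<DIGEST_PLACEHOLDER>` pins the artifact as well as the version.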