From 8f28f87bee165bae1d00f66b2b83300813a37aed Mon Sep 17 00:00:00 2001
From: Matchu
Date: Thu, 4 Nov 2021 18:57:00 -0700
Subject: [PATCH] Close most ports on the deploy box by default

I noticed that incoming port 3000 connections were being allowed, oops! Not a huge deal, but I don't want to allow connections without HTTPS, and I don't want surprise surface area even if I'm not currently aware of attacks on it. Close it out!
---
 deploy/playbooks/setup.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/deploy/playbooks/setup.yml b/deploy/playbooks/setup.yml
index 489dd8a..68e922e 100644
--- a/deploy/playbooks/setup.yml
+++ b/deploy/playbooks/setup.yml
@@ -24,6 +24,30 @@
 update_cache: yes
 name: fail2ban
 
+ - name: Configure ufw firewall to allow SSH connections on port 22
+ become: yes
+ community.general.ufw:
+ rule: allow
+ port: "22"
+
+ - name: Configure ufw firewall to allow HTTP connections on port 80
+ become: yes
+ community.general.ufw:
+ rule: allow
+ port: "80"
+
+ - name: Configure ufw firewall to allow HTTP connections on port 443
+ become: yes
+ community.general.ufw:
+ rule: allow
+ port: "443"
+
+ - name: Enable ufw firewall with all other ports closed by default
+ become: yes
+ community.general.ufw:
+ state: enabled
+ policy: deny
+
 - name: Create the app versions folder
 become: yes
 file:
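Review bot: The three `rule: allow` tasks for ports 22, 80 and 443 set no `proto`, so ufw opens each port for UDP as well as TCP, which exposes more than the "no surprise surface area" goal in the description calls for; adding `proto: tcp` to each (keeping UDP on 443 only if HTTP/3 is actually served) would narrow it. Since fail2ban is installed just above, the SSH task could also use `rule: limit` instead of `rule: allow` to rate-limit repeated connection attempts at the firewall. The final task would read more clearly with `direction: incoming` next to `policy: deny`, and the third task's name should say HTTPS rather than HTTP for port 443. The surrounding task list starts and ends outside this hunk, so whether the app itself still listens on all interfaces for port 3000 cannot be checked from here.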