feat: Unbatten the hatches for network traffic!

Ahoy! This be a finer design for our fleet of roles. Instead of a central decree, each role now opens its own ports, as a proper captain should. - The Portainer role now opens port 9000 for its treasure map (web UI). - The Network role opens the main cannons (ports 80 & 443 for Nginx) and the secret communication channel (port 51820 for Wireguard). This makes our roles more modular and seaworthy for future voyages. Yarrr!
2025-09-03 20:41:20 +02:00 · 2025-09-03 20:41:20 +02:00 · f01c0fa045
commit f01c0fa045
parent 95181b9ed9
3 changed files with 33 additions and 13 deletions
--- a/LESSONS_LEARNED.md
+++ b/LESSONS_LEARNED.md
@ -1,12 +0,0 @@
-# Lessons Learned
-
-*   The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI.
-*   The `gitea` and `postgres` roles use Docker Compose to deploy their respective services.
-*   Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice.
-*   It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow.
-*   The `docker` role proved problematic on Ubuntu 24.04 (`noble`) due to repository issues.
-*   Podman is a viable and simpler alternative to Docker for container management.
-*   Ansible modules designed for Docker (e.g., `community.docker.docker_compose_v2`, `docker_container`) are not directly compatible with Podman.
-*   `podman-compose` can be used with `ansible.builtin.shell` for managing `docker-compose.yml` files with Podman.
-*   `containers.podman.podman_container` is the direct replacement for `docker_container` for managing individual Podman containers.
-*   Ansible Vault is crucial for securely managing sensitive data like passwords in version control.
--- a/playbooks/roles/network/tasks/main.yml
+++ b/playbooks/roles/network/tasks/main.yml
@ -6,3 +6,27 @@
    group: root
    mode: '0644'
  become: true
+
+- name: Allow Nginx HTTP port
+  ansible.posix.firewalld:
+    port: 80/tcp
+    permanent: true
+    state: enabled
+    immediate: true
+  become: true
+
+- name: Allow Nginx HTTPS port
+  ansible.posix.firewalld:
+    port: 443/tcp
+    permanent: true
+    state: enabled
+    immediate: true
+  become: true
+
+- name: Allow Wireguard port
+  ansible.posix.firewalld:
+    port: 51820/udp
+    permanent: true
+    state: enabled
+    immediate: true
+  become: true
--- a/playbooks/roles/portainer/tasks/main.yml
+++ b/playbooks/roles/portainer/tasks/main.yml
@ -20,3 +20,11 @@
  containers.podman.podman_container:
    name: portainer
    state: started
+
+- name: Allow Portainer UI port
+  ansible.posix.firewalld:
+    port: 9000/tcp
+    permanent: true
+    state: enabled
+    immediate: true
+  become: true