
Add firewalling rules

Open jstoja opened this issue 6 years ago • 4 comments

I quickly looked at the playbook and I didn't see any firewalling rules in it. It's a thing to have them here so it won't be forgotten in a future deployment.

jstoja avatar Oct 26 '17 10:10 jstoja

What would you recommend? It's a single box serving ssh and nginx, there's no other servers connecting privately to it or anything. I guess to prevent errors like accidentally exposing mariadb to all interfaces, that sort of thing?

pushcx avatar Oct 26 '17 14:10 pushcx

Exactly. It's not mandatory, but it sometimes covers mistakes. I'd understand if you'd find this to be too much for the size of the deployment! The simplest way would be to add ufw tasks in each role.

jstoja avatar Oct 29 '17 10:10 jstoja

Now that I have a clearer vision about how this project could improve, firewalling rules could be a very interesting thing to have for larger deployments.

Right now there is just 1 host for DB/LB/worker so there is no added value, but if we correctly implement the project to handle a multi-host deployment, the firewalling rules could:

  • Allow SSH only to the LB node (forwarding the rest to the other nodes)
  • Allow HTTP/S from outside only to LB, only HTTP from LB to workers
  • Allow SQL traffic only from worker nodes
  • ... What do you think about it?

jstoja avatar Feb 09 '18 09:02 jstoja

Sounds good, if it can be simply expressed in the current roles. It's going to be some time before we outgrow a single box, so I don't want to take on something oriented around a multi-host setup. Off the top of my head, three rules permitting incoming traffic to tcp 22, 80, and 443 might be all the config we need for quite some time.

pushcx avatar Feb 09 '18 12:02 pushcx

This feels like too much of a footgun with how unreliable ansible is. I think it'd be a matter of weeks before a run was interrupted in such a way that the firewall was enabled with all ports closed.

I've been using unix domain sockets with puma and redis to avoid the risk that things start listening on all interfaces.

pushcx avatar Oct 07 '23 03:10 pushcx
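As an added example (not code from the lobsters-ansible repository or from either commenter), here is a role tasks file expressing the three rules from the Feb 09 comment, ordered so that the interruption scenario raised in the last comment cannot lock the box out: allow rules are written first, the default-deny policy next, and the firewall is enabled last. It assumes a Debian/Ubuntu host with `apt` and the `community.general.ufw` module; the task names and the `tasks/firewall.yml` path are assumptions.

```yaml
# tasks/firewall.yml (added example, not part of lobsters-ansible)
#
# ufw stores rules even while it is disabled, so every allow rule below
# exists on disk before the final "state: enabled" task runs. If a run is
# interrupted between any two tasks, the firewall is either still disabled
# or already enabled with 22/tcp open; there is no state in which it is
# enabled with all ports closed.

- name: Install ufw
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: true

- name: Allow inbound SSH, HTTP and HTTPS (SSH first, before anything else)
  community.general.ufw:
    rule: allow
    direction: in
    proto: tcp
    port: "{{ item }}"
    comment: "lobsters: managed by ansible"
  loop:
    - "22"
    - "80"
    - "443"

- name: "Default policy: deny incoming, allow outgoing"
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: incoming, policy: deny }
    - { direction: outgoing, policy: allow }

# Enabling is the last step so the allow rules above are already present
# when the default-deny policy takes effect. Services bound to unix domain
# sockets (puma, redis) are unaffected either way; this only catches a
# daemon that accidentally binds a TCP port on all interfaces.
- name: Enable ufw with low logging
  community.general.ufw:
    state: enabled
    logging: "low"
```

Re-running the file is idempotent: existing rules are left alone and `state: enabled` is a no-op once the firewall is up, so a second run after an interrupted one simply completes the sequence.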