Make ufw incoming ssh connection ip-ranges configurable;

configure_ufw.yml

@@ -3,43 +3,32 @@
   become: true
   hosts: all
   tasks:
-    # setup ufw ssh rules
-    - name: allow ssh access from uni-hamburg ip range
+    # setup ufw ssh exception/limiting rules
+    - name: allow ssh access from specified ip ranges
       ufw:
         rule: allow
         app: OpenSSH
-        from_ip: 134.100.0.0/16
-
-    - name: allow ssh access from internal ip range a)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 192.168.0.0/16
-
-    - name: allow ssh access from internal ip range b)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 172.16.0.0/12
+        from_ip: "{{ item }}"
+      with_items: "{{ ufw_ssh_allowed_from }}"
 
     - name: rate limiting ssh access
       ufw:
         rule: limit
         app: OpenSSH
 
-    # setup nginx web server rule
+    # setup nginx web server exception rule
     - name: allow access of nginx webserver from everywhere
       ufw:
         rule: allow
         name: Nginx Full
 
-    # set default rules
+    # set default deny rules
     - name: deny any other incoming traffic by default
       ufw:
         state: enabled
         default: deny
         direction: incoming
-
+    # set default allow rule for outgoing, FIXME: do it more granulary (only http/https)
     - name: allow any outgoing traffic by default
       ufw:
         state: enabled

group_vars/otree_servers.yml.example

@@ -53,3 +53,6 @@ otree_users:
 ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt"
 ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key"
 
+ufw_ssh_allowed_from:
+  - "192.168.0.0/16"
+  - "172.16.0.0/12"