From 5b8fb506816f6bafcda7db5c2e6beae53893eb92 Mon Sep 17 00:00:00 2001
From: Samuel Clay
Date: Sun, 18 Feb 2024 14:51:48 -0500
Subject: [PATCH] Speeding up ufw by batching up the commands.
---
ansible/roles/ufw/tasks/main.yml | 160 +++++++++++---------
ansible/roles/ufw/templates/ufw_rules.sh.j2 | 24 +++
2 files changed, 112 insertions(+), 72 deletions(-)
create mode 100644 ansible/roles/ufw/templates/ufw_rules.sh.j2
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 03fb48808..31786b1d9 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -1,4 +1,16 @@
 ---
+
+- name: Set hosts
+ set_fact:
+ hetzner_hosts: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}"
+ do_hosts: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
+
+- name: Generate UFW batch script
+ template:
+ src: ufw_rules.sh.j2
+ dest: /tmp/ufw_rules.sh
+ mode: '0755'
+
 - name: Stop ufw and delete all rules
 become: yes
 ufw: state=reset
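Review bot: The template task renders a script that the next hunk executes as root to a fixed, world-readable path in /tmp, and it runs without `become`, so the file is owned by the unprivileged connection user rather than by root. A predictable root-executed path in a world-writable directory is the tmp-file pattern to avoid: the sticky bit stops other users rewriting it once it exists, but a file or symlink planted there beforehand would presumably break the run, and the rendered rule set stays readable to every local account after the play. I would render it into a root-owned location with tight permissions — `become: yes`, `dest: /root/ufw_rules.sh`, `mode: '0700'` — and delete it with a `file: state=absent` task once it has been executed. The `set_fact` lookups also index `groups['hall']` and `groups['NewsBlur_Docker']` unconditionally, so an inventory lacking either group fails at this task; `groups['hall'] | default([])` keeps the role usable there.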
@@ -16,83 +28,87 @@ # - name: Set ufw policy to allow all ougoing connections # ufw: policy=allow direction=outgoing # tags: ufw + +- name: Execute UFW batch script + become: yes + command: /tmp/ufw_rules.sh + +# - name: Allow ssh +# become: yes +# ufw: rule=allow port=22 +# tags: ufw + +# - name: Allow all access from RFC1918 networks to this host +# become: yes +# ufw: +# rule: allow +# src: '{{ item }}' +# with_items: +# - 10.0.0.0/8 +# - 172.18.0.0/16 +# - 172.17.0.0/16 +# tags: +# - firewall +# - ufw -- name: Allow ssh - become: yes - ufw: rule=allow port=22 - tags: ufw +# - name: Allow all access from Hetzner inventory hosts +# become: yes +# ufw: +# rule: allow +# src: '{{ item }}' +# with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}" +# tags: +# - firewall +# - ufw +# - hetzner_firewall +# - hfirewall -- name: Allow all access from RFC1918 networks to this host - become: yes - ufw: - rule: allow - src: '{{ item }}' - with_items: - - 10.0.0.0/8 - - 172.18.0.0/16 - - 172.17.0.0/16 - tags: - - firewall - - ufw - -- name: Allow all access from Hetzner inventory hosts - become: yes - ufw: - rule: allow - src: '{{ item }}' - with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}" - tags: - - firewall - - ufw - - hetzner_firewall - - hfirewall +# - name: Allow all access from Hetzner inventory hosts with docker +# become: yes +# ufw: +# rule: allow +# route: yes +# src: '{{ item }}' +# with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}" +# tags: +# - firewall +# - ufw +# - hetzner_firewall +# - hfirewall -- name: Allow all access from Hetzner inventory hosts with docker - become: yes - ufw: - rule: allow - route: yes - src: '{{ item }}' - with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}" - tags: - - firewall - - ufw - - hetzner_firewall - - hfirewall +# - name: Allow all access from inventory hosts old + new +# become: yes +# ufw: +# rule: allow +# src: 
'{{ item }}' +# with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}" +# when: "'oldandnew' in groups" +# tags: +# - firewall +# - ufw -- name: Allow all access from inventory hosts old + new - become: yes - ufw: - rule: allow - src: '{{ item }}' - with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}" - when: "'oldandnew' in groups" - tags: - - firewall - - ufw +# - name: Allow all access from inventory hosts +# become: yes +# ufw: +# rule: allow +# src: '{{ item }}' +# with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}" +# when: "'oldandnew' not in groups" +# tags: +# - firewall +# - ufw -- name: Allow all access from inventory hosts - become: yes - ufw: - rule: allow - src: '{{ item }}' - with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}" - when: "'oldandnew' not in groups" - tags: - - firewall - - ufw - -- name: Allow all access from inventory hosts with docker - become: yes - ufw: - rule: allow - route: yes - src: '{{ item }}' - with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}" - when: "'oldandnew' not in groups" - tags: - - firewall - - ufw +# - name: Allow all access from inventory hosts with docker +# become: yes +# ufw: +# rule: allow +# route: yes +# src: '{{ item }}' +# with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}" +# when: "'oldandnew' not in groups" +# tags: +# - firewall +# - ufw # Code from https://stackoverflow.com/a/51741599/8717: "What is the best practice of docker + ufw under Ubuntu" - name: Solving UFW and Docker issues by adding ufw after.rules diff --git a/ansible/roles/ufw/templates/ufw_rules.sh.j2 b/ansible/roles/ufw/templates/ufw_rules.sh.j2 new file mode 100644 index 000000000..8c3a2c0e8 --- /dev/null +++ b/ansible/roles/ufw/templates/ufw_rules.sh.j2 
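Review bot: `command: /tmp/ufw_rules.sh` runs a script from a world-writable directory as root, and the new task carries none of the `firewall`/`ufw`/`hfirewall` tags the tasks it replaces had, so `ansible-playbook --tags firewall` no longer re-applies the rules. The replaced tasks also chose `groups['oldandnew']` when that group existed and `groups['NewsBlur_Docker']` otherwise; the batch script is fed only `NewsBlur_Docker` via `do_hosts`, so that inventory variant silently loses its allow rules, and the commit message does not say the drop is intentional. `command` is also never idempotent, so every run reports changed. I would add `tags: [firewall, ufw, hetzner_firewall, hfirewall]` to this task and to the template task, and either reinstate the `oldandnew` selection in `set_fact` or leave a comment saying it was deliberately retired.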
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Apply UFW rules in batch
+ufw --force reset
+ufw default deny incoming
+ufw default allow outgoing
+
+# Allow SSH
+ufw allow 22
+
+ufw allow from 10.0.0.0/8
+ufw allow from 172.18.0.0/16
+ufw allow from 172.17.0.0/16
+
+{% for host in hetzner_hosts %}
+ufw allow from {{ host }}
+ufw route allow from {{ host }}
+{% endfor %}
+
+{% for host in do_hosts %}
+ufw allow from {{ host }}
+ufw route allow from {{ host }}
+{% endfor %}
+
+ufw --force enable
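Review bot: The script has no `set -e`, so a rule ufw rejects — for example a host with no `ansible_host` rendering `ufw allow from ` with an empty source, which ufw presumably refuses — is skipped while the script carries on to `ufw --force enable` and exits 0, and Ansible reports success for a firewall missing that rule; the per-item `ufw` module tasks this replaces failed the play on the first bad rule. Inventory `ansible_host` values are also interpolated unquoted into a root-executed shell command, so a value containing shell metacharacters would be expanded by bash rather than handed to ufw. I would add `set -euo pipefail` after the shebang and write the rule lines in both loops as `ufw allow from {{ host | quote }}` / `ufw route allow from {{ host | quote }}` so a malformed value fails the run instead of being executed. `ufw --force reset` here also repeats the `ufw: state=reset` task that already runs before the script, so one of the two can go.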