Deleting all ufw rules on every run so firewalls remain clean. Also reloading gunicorn.

Makefile

@@ -77,5 +77,5 @@ deploy:
 	- docker stack deploy --with-registry-auth -c stack-compose.yml dev-stack
 
 firewall:
-	- ansible-playbook ansible/provision.yml --tags firewallx -l db
+	- ansible-playbook ansible/provision.yml --tags firewall -l db
 

ansible/inventories/digital_ocean.yml

@@ -6,7 +6,7 @@ groups:
   app: inventory_hostname.startswith('app')
   # work: inventory_hostname.startswith('work') and inventory_hostname != "work"
   node: inventory_hostname.startswith('node')
-  # debug: inventory_hostname.startswith('debug')
+  # debugs: inventory_hostname.startswith('debug')
   db: inventory_hostname.startswith('db')
   task: inventory_hostname.startswith('task')
   search: inventory_hostname.startswith('db-elasticsearch')

ansible/provision.yml

@@ -15,5 +15,7 @@
   when: "'elasticsearch' in group_names"
 - import_playbook: setup_task.yml
   when: "'task' in group_names"
+- import_playbook: setup_debug.yml
+  when: "'debugs' in group_names"
 - import_playbook: setup_consul_manager.yml
   when: "'consul' in group_names"

ansible/roles/base/tasks/ufw.yml

@@ -1,6 +1,10 @@
 ---
+- name: Stop ufw and delete all rules
+  ufw: state=reset
+  tags: ufw
+
 - name: Set firewall default policy
-  ufw: state=enabled policy=reject
+  ufw: state=disabled policy=reject
   tags: ufw
 #
 # - name: Set ufw policy to deny all incoming connections
@@ -24,24 +28,21 @@
   tags: ufw
 
 - name: Allow all access from RFC1918 networks to this host
-  become: yes
   ufw:
     rule: allow
     src: '{{ item }}'
   with_items:
     - 10.0.0.0/8
   
-- debug:
-    msg: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}"
-  tags: firewallx
-  
 - name: Allow all access from inventory hosts
-  become: yes
   ufw:
     rule: allow
     src: '{{ item }}'
   with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}"
-  tags: firewall
+  when: "'oldandnew' in groups"
+  tags: 
+    - firewall
+    - ufw
 
 - name: Start ufw
   ufw: state=enabled

ansible/roles/consul/tasks/main.yml

@@ -1,13 +1,4 @@
 ---
-# TODO: Close firewall and remove below line. Firewall should exclude all but known IPs.
-- name: Allow consul-manager ports
-  ufw: rule=allow port={{ item }}
-  become: yes
-  tags: ufw
-  with_items:
-    - "8300"
-    - "8301"
-
 - name: Add the HashiCorp GPG key
   become: yes
   apt_key:

ansible/roles/haproxy/handlers/main.yml

@@ -10,5 +10,5 @@
 
 - name: reload haproxy configuration
   become: yes
-  command: sudo docker kill --signal HUP haproxy
+  command: docker kill --signal HUP haproxy
   listen: reload haproxy

ansible/roles/mongo/tasks/main.yml

@@ -16,5 +16,6 @@
   template:
     src: consul_service.json
     dest: /etc/consul.d/mongo.json
+  tags: consul
   notify:
     - reload consul

ansible/roles/postgres/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - name: Start postgres container
+  become: yes
   docker_container:
     name: postgres
     image: postgres:13.1

ansible/roles/web/handlers/main.yml

@@ -8,3 +8,7 @@
     state: reloaded
   listen: reload consul
 
+- name: reload gunicorn
+  become: yes
+  command: docker kill --signal HUP newsblur_web
+  listen: reload gunicorn

ansible/roles/web/tasks/main.yml

@@ -10,6 +10,7 @@
   copy:
     src: /srv/secrets-newsblur/settings/docker_settings.py
     dest: /srv/newsblur/newsblur_web/local_settings.py
+  register: app_changed
 
 - name: Start NewsBlur Web Docker container
   become: yes
@@ -34,3 +35,10 @@
     dest: /etc/consul.d/newsblur_web.json
   notify:
     - reload consul
+
+- name: Reload gunicorn
+  debug: 
+    msg: Reloading gunicorn
+  notify: reload gunicorn
+  when: app_changed.changed
+  changed_when: app_changed.changed