doc: add ufw description

2025-11-10 18:25:55 +01:00 · 2025-11-10 18:25:55 +01:00 · cab15e590e
commit cab15e590e
parent 83b6a38999
4 changed files with 9 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -28,8 +28,12 @@ ansible-galaxy collection install -r requirements.yml

 ## Usage

+If you have a password on your ssh key `--ask-pass` is recommended, `--ask-become-pass` is always asked in these roles, as most tasks require elevated privileges. These are dropped time to time when the default user privilege is enough.
+
 ```sh
-ansible-playbook -i inventory/hosts.yml playbook.yml --ask-become-pass
+ansible-playbook -i inventory/hosts.yml playbook.yml \
+--ask-pass \
+--ask-become-pass
 ```

 ## Target devices configuration
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@ -35,4 +35,5 @@
    port: "{{ nfs_port }}"
    proto: any
    direction: in
+    comment: "Network File System (NFS)"
  with_items: "{{ nfs_server_firewall_allowed_sources | default([]) }}"
--- a/roles/ntpd/tasks/main.yml
+++ b/roles/ntpd/tasks/main.yml
@ -45,4 +45,5 @@
    proto: udp
    src: "{{ item }}"
    direction: in
+    comment: "NTP traffic"
  loop: "{{ ntp_firewall_allowed_sources | default([]) }}"
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -26,6 +26,7 @@
    proto: tcp
    from: "{{ ssh_allowed_network }}"
    direction: in
+    comment: "SSH from local network"

 - name: Allow SSH VPN incoming connection
  ufw:
@ -34,6 +35,7 @@
    proto: tcp
    from: "{{ ssh_allowed_vpn_network }}"
    direction: in
+    comment: "SSH from VPN network"

 - name: Add SSH public key to authorized_keys
  authorized_key: