feat: update firewall rules and remove VPN

Author: Nitestack

README.md

@@ -13,7 +13,7 @@
 ![GitHub Repo Stars](https://img.shields.io/github/stars/Nitestack/raspberry-pi-5?style=for-the-badge)
 ![Github Created At](https://img.shields.io/github/created-at/Nitestack/raspberry-pi-5?style=for-the-badge)
 
-[Features](#-features) • [Requirements](#️-requirements) • [Getting Started](#-getting-started) • [Configuration](#-configuration) • [Port Forwarding](#-port-forwarding) • [Security](#%EF%B8%8F-security) • [Backups](#-backups) • [License](#-license)
+[Features](#-features) • [Requirements](#️-requirements) • [Getting Started](#-getting-started) • [Configuration](#-configuration) • [Security](#%EF%B8%8F-security) • [Backups](#-backups) • [License](#-license)
 
 _This [Ansible](https://ansible.com) configuration automates the setup of a Home Server running [Raspberry Pi OS](https://raspberrypi.com/software). It deploys essential services using a modern, secure, and declarative best-practice architecture._
 
@@ -47,7 +47,6 @@ _This [Ansible](https://ansible.com) configuration automates the setup of a Home
 - **Pocket ID**: OIDC Provider
 - **Vaultwarden**: Password Manager
 - **wger Workout Manager**: Fitness Tracker
-- **WireGuard Easy**: VPN (with Web GUI)
 - **Yamtrack**: Media Tracker (TV Shows, TV Seasons, Movies, Anime, Manga, Games, Books, Comics)
 - **Zerobyte**: Backup Manager (Web GUI for `restic`)
 
@@ -120,15 +119,6 @@ cp vault.yml.example group_vars/all/vault.yml # copy template
 ansible-vault encrypt group_vars/all/vault.yml # encrypt file
 ```
 
-## 🔌 Port Forwarding
-
-To ensure remote access and proper functionality, configure the following port forwarding rules on your router. The playbook will automatically configure the server's firewall (UFW) based on these variables.
-
-```plaintext
-# WireGuard
-public:51820/udp -> local:51820/udp
-```
-
 ## 🛡️ Security
 
 ### 1. Add Your Host to Authorized Keys on the Raspberry Pi

deploy.yml

@@ -17,8 +17,6 @@
     - role: cloudflare_tunnel
       tags: cloudflare_tunnel
 
-    - role: wg_easy
-      tags: wg_easy
     - role: pocket_id
       tags: pocket_id
     - role: nextcloud

group_vars/all/main.yml

@@ -6,9 +6,6 @@ timezone: "Europe/Berlin" # TZ identifier from https://en.wikipedia.org/wiki/Lis
 data_base_dir: "/mnt/data"
 backup_base_dir: "/mnt/backup"
 service_base_dir: "~/services"
-allowed_ports:
-  - 53 # DNS
-  - 51820 # VPN
 
 # ── Service Configuration ─────────────────────────────────────────────
 # WARNING: modification of any ports won't work
@@ -112,12 +109,6 @@ services:
     domain: "vault.{{ domain }}"
     container_name: "vaultwarden"
     port: 80
-  # WireGuard Easy
-  wg_easy:
-    enabled: true
-    domain: "vpn.{{ domain }}"
-    container_name: "wg-easy"
-    port: 51821
   # wger
   wger:
     enabled: false

roles/glance/files/config/home.yml

@@ -70,9 +70,6 @@
                 - title: wger
                   url: https://wger.readthedocs.io
                   icon: di:wger
-                - title: WireGuard Easy
-                  url: https://wg-easy.github.io/wg-easy/latest
-                  icon: di:wireguard
                 - title: Yamtrack
                   url: https://github.com/FuzzyGrim/Yamtrack/wiki
                   icon: di:yamtrack
@@ -240,11 +237,6 @@
               icon: si:vaultwarden
               url: ${VAULTWARDEN_URL}
               description: Password Manager
-            wg-easy:
-              name: WireGuard Easy
-              icon: di:wireguard
-              url: ${WG_EASY_URL}
-              description: VPN
             wger-web:
               name: wger
               icon: di:wger
@@ -395,7 +387,6 @@
             - nextcloud/all-in-one
             - pocket-id/pocket-id
             - dani-garcia/vaultwarden
-            - wg-easy/wg-easy
             - wger-project/wger
             - FuzzyGrim/Yamtrack
             - nicotsx/zerobyte

roles/glance/templates/env.j2

@@ -18,7 +18,6 @@ N8N_URL=https://{{ services.n8n.domain }}
 NEXTCLOUD_URL=https://{{ services.nextcloud.domain }}
 POCKET_ID_URL=https://{{ services.pocket_id.domain }}
 VAULTWARDEN_URL=https://{{ services.vaultwarden.domain }}
-WG_EASY_URL=https://{{ services.wg_easy.domain }}
 WGER_URL=https://{{ services.wger.domain }}
 YAMTRACK_URL=https://{{ services.yamtrack.domain }}
 ZEROBYTE_URL=https://{{ services.zerobyte.domain }}

roles/ufw/tasks/main.yml

@@ -7,16 +7,45 @@
         name: ufw
         update_cache: true
 
-    - name: Set default UFW policy and enable firewall
+    - name: Set default policies
       community.general.ufw:
         state: enabled
-        policy: "{{ ufw_incoming_policy }}"
+
+    - name: Deny incoming
+      community.general.ufw:
+        policy: deny
         direction: incoming
 
-    - name: Allow incoming traffic on specified ports
+    - name: Deny routed (forward)
+      community.general.ufw:
+        policy: deny
+        direction: routed
+
+    - name: Allow outgoing
+      community.general.ufw:
+        policy: allow
+        direction: outgoing
+
+    - name: Allow incoming SSH traffic
+      community.general.ufw:
+        rule: allow
+        port: ssh
+
+    - name: Allow incoming SSH traffic
+      community.general.ufw:
+        rule: allow
+        port: ssh
+
+    - name: Allow incoming DNS traffic over TCP
+      community.general.ufw:
+        rule: allow
+        port: 53
+        proto: tcp
+      when: services.adguard_home.enabled
+
+    - name: Allow incoming DNS traffic over UDP
       community.general.ufw:
         rule: allow
-        port: "{{ item }}"
-      loop: "{{ allowed_ports }}"
-      loop_control:
-        label: "port {{ item }}"
+        port: 53
+        proto: udp
+      when: services.adguard_home.enabled