Merge pull request #992 from qdentity/fix-ufw-ssh-lockout

konstruktoid · web-flow · commit b878c0da5c6f · 2025-09-12T12:54:39.000+02:00
Fix ufw ssh lockout
diff --git a/tasks/ufw.yml b/tasks/ufw.yml
@@ -74,13 +74,15 @@
     'deny (outgoing)' not in ufw_status.stdout or
     'disabled (routed)' not in ufw_status.stdout
   block:
-    - name: Enable UFW service
-      ansible.builtin.systemd_service:
-        name: ufw
-        enabled: true
-        state: started
-      when:
-        - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
+    - name: Allow sshd port from administrator networks
+      community.general.ufw:
+        rule: "{{ 'limit' if ufw_rate_limit else 'allow' }}"
+        from_ip: "{{ item.0 }}"
+        to_port: "{{ item.1 | int }}"
+        proto: tcp
+        comment: ansible managed
+        state: enabled
+      loop: "{{ sshd_admin_net | product(sshd_ports) | list }}"
 
     - name: Set default deny
       community.general.ufw:
@@ -94,6 +96,14 @@
         - incoming
         - outgoing
 
+    - name: Enable and start the UFW service
+      ansible.builtin.systemd_service:
+        name: ufw
+        enabled: true
+        state: started
+      when:
+        - ansible_facts.virtualization_type not in ["container", "docker", "podman"]
+
 - name: Stat UFW rules
   become: true
   ansible.builtin.shell:
@@ -119,15 +129,6 @@
       when:
         - ufw_rate_limit
 
-    - name: Allow sshd port from administrator networks
-      community.general.ufw:
-        rule: limit
-        from_ip: "{{ item.0 }}"
-        to_port: "{{ item.1 | int }}"
-        proto: tcp
-        comment: ansible managed
-      loop: "{{ sshd_admin_net | product(sshd_ports) | list }}"
-
     - name: Allow outgoing specified ports
       community.general.ufw:
         rule: allow
