From b36a1c44e58e5fc4b1ae32ce854b9db2bf6fae1a Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Tue, 16 Jun 2026 14:51:07 +0800
Subject: [PATCH] fix(firewall): allow ssh http https ingress

---
 roles/vhosts/common/defaults/main.yml        | 2 ++
 roles/vhosts/common/tasks/firewall_ports.yml | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/roles/vhosts/common/defaults/main.yml b/roles/vhosts/common/defaults/main.yml
index 7751c6d..ab58e9e 100644
--- a/roles/vhosts/common/defaults/main.yml
+++ b/roles/vhosts/common/defaults/main.yml
@@ -21,9 +21,11 @@ enable_common: true
 common_firewall:
   enabled: true
+  ssh_port: 22
   http_port: 80
   https_port: 443
   allow_comments:
+    ssh: XWorkmate SSH
     http: XWorkmate HTTP
     https: XWorkmate HTTPS
diff --git a/roles/vhosts/common/tasks/firewall_ports.yml b/roles/vhosts/common/tasks/firewall_ports.yml
index 44e6a91..ab77c82 100644
--- a/roles/vhosts/common/tasks/firewall_ports.yml
+++ b/roles/vhosts/common/tasks/firewall_ports.yml
@@ -9,12 +9,13 @@
     path: /usr/bin/firewall-cmd
   register: common_firewall_firewalld_binary
-- name: Common | allow HTTP/HTTPS through UFW
+- name: Common | allow SSH/HTTP/HTTPS through UFW
   ansible.builtin.command: "ufw allow {{ item.port }}/{{ item.protocol }}"
   register: common_firewall_ufw_allow
   changed_when: "'Skipping adding existing rule' not in (common_firewall_ufw_allow.stdout | default(''))"
   failed_when: common_firewall_ufw_allow.rc != 0
   loop:
+    - { port: "{{ common_firewall.ssh_port | default(22) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.ssh | default('XWorkmate SSH') }}" }
     - { port: "{{ common_firewall.http_port | default(80) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.http | default('XWorkmate HTTP') }}" }
     - { port: "{{ common_firewall.https_port | default(443) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.https | default('XWorkmate HTTPS') }}" }
   when:
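Review bot: The new `ssh_port: 22` and `allow_comments.ssh` defaults are restated as literal fallbacks (`default(22)`, `default('XWorkmate SSH')`) in both task hunks of firewall_ports.yml, so the SSH port now has two sources of truth that can drift apart. Those `default()` guards only matter when an inventory override replaces the whole `common_firewall` mapping rather than a single key inside it; if that is the intended protection, a comment above `ssh_port` such as `# Fallbacks in tasks/firewall_ports.yml must match these values` would record it, otherwise the literals in the tasks can be dropped in favour of these defaults.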
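Review bot: The `comment` key on the added SSH loop item is never consumed: the command string passes only `{{ item.port }}/{{ item.protocol }}` to ufw, so the rule is created without the label the defaults promise, which makes later audits of the rule set harder. Either drop the key or pass it through, e.g. `ansible.builtin.command: "ufw allow {{ item.port }}/{{ item.protocol }} comment {{ item.comment | quote }}"`. The same unused key appears on the SSH item in the firewalld hunk, where `ansible.posix.firewalld` has no comment parameter either, so there it should be removed or documented as informational only. Note also that the SSH rule admits any source; as this is the management path, a configurable source restriction (ufw `from <cidr>`, or a firewalld rich rule) would be a worthwhile hardening knob if hosts are not already reached only via a bastion.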
@@ -22,13 +23,14 @@
     - common_firewall_ufw_binary.stat.exists | default(false)
   become: true
-- name: Common | allow HTTP/HTTPS through firewalld
+- name: Common | allow SSH/HTTP/HTTPS through firewalld
   ansible.posix.firewalld:
     port: "{{ item.port }}/{{ item.protocol }}"
     permanent: true
     immediate: true
     state: enabled
   loop:
+    - { port: "{{ common_firewall.ssh_port | default(22) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.ssh | default('XWorkmate SSH') }}" }
     - { port: "{{ common_firewall.http_port | default(80) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.http | default('XWorkmate HTTP') }}" }
     - { port: "{{ common_firewall.https_port | default(443) }}", protocol: tcp, comment: "{{ common_firewall.allow_comments.https | default('XWorkmate HTTPS') }}" }
   when:
@@ -40,7 +42,7 @@
 - name: Common | explain firewall handling
   ansible.builtin.debug:
     msg: >-
-      HTTP/HTTPS firewall handling completed or skipped on {{ inventory_hostname }}.
+      SSH/HTTP/HTTPS firewall handling completed or skipped on {{ inventory_hostname }}.
       UFW={{ common_firewall_ufw_binary.stat.exists | default(false) }}, firewalld={{ common_firewall_firewalld_binary.stat.exists | default(false) }}.
   when: