From 96567c54dc2a7c7f75f3828b04262c8d60fae9ff Mon Sep 17 00:00:00 2001
From: Yann Autissier
Date: Fri, 18 Nov 2022 14:01:16 +0000
Subject: [PATCH] ufw rules

---
 make/apps/common.mk | 4 ++--
 make/apps/def.docker.mk | 6 ++++--
 make/apps/myos/def.ufw.mk | 6 ++++++
 make/apps/myos/ufw.mk | 32 ++++++++++++++++++++++++++++++++
 make/def.app.mk | 2 +-
 make/def.mk | 4 ++--
 stack/node.mk | 2 +-
 stack/node/.env.dist | 3 +++
 stack/node/ipfs/.env.dist | 1 +
 stack/node/mail/.env.dist | 1 +
 10 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/make/apps/common.mk b/make/apps/common.mk
index a1bc050..a872074 100644
--- a/make/apps/common.mk
+++ b/make/apps/common.mk
@@ -70,7 +70,7 @@ deploy: $(if $(filter $(ENV),$(ENV_DEPLOY)),deploy-localhost,deploy@$(ENV)) ## D
 # target down: Remove application dockers
 # on local host
 .PHONY: down
-down: docker-compose-down ## Remove application dockers
+down: docker-compose-down ufw-delete ## Remove application dockers
 
 # target exec: Exec ARGS in docker SERVICE
 # on local host
@@ -213,7 +213,7 @@ tests: app-tests ## Test application
 # target up: Create and start application dockers
 # on local host
 .PHONY: up
-up: docker-compose-up app-start ## Create application dockers
+up: docker-compose-up ufw-update app-start ## Create application dockers
 
 # target update app-update: Update application files
 # on local host
diff --git a/make/apps/def.docker.mk b/make/apps/def.docker.mk
index fed62b1..23d4fe8 100644
--- a/make/apps/def.docker.mk
+++ b/make/apps/def.docker.mk
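Review bot: `ufw-delete` is added as a sibling prerequisite of `docker-compose-down`, but nothing makes it depend on it, and its recipe (via `ufw-update` in make/apps/myos/ufw.mk) reads `DOCKER_COMPOSE_PROJECT_NAME`, which this commit only assigns by `$(eval)` inside the `docker-compose` function of make/apps/def.docker.mk. So the rule only works when `docker-compose-down` happens to be built first, which serial make guarantees and `make -j` does not; with an empty project name the `UFW_DOCKER_-<service>` lookups expand to nothing and no rule is deleted, silently. The same applies to `ufw-update` in the `up` rule of the second hunk. Either declare the order explicitly (`ufw-delete: docker-compose-down`) or, preferably, give `DOCKER_COMPOSE_PROJECT_NAME` a plain file-level definition that does not depend on a prior compose call.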
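Review bot: The `##` help text still says `## Create application dockers`, yet `up` now also changes host firewall rules through `ufw-update`, a side effect an operator should see in whatever consumes these `##` comments (presumably a help target). Suggest `up: docker-compose-up ufw-update app-start ## Create application dockers and apply their ufw rules`, and likewise `## Remove application dockers and delete their ufw rules` on the `down` rule in the first hunk. The `# target up` comment block could also say that the rules come from the `UFW_UPDATE_*`/`UFW_DOCKER_*` variables of the stack's .env.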
@@ -82,13 +82,15 @@ endef
 define docker-compose
 $(call INFO,docker-compose,$(1))
 $(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
- $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))) $(1)))
+ $(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
+ $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1)))
 endef
 # function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1
 define docker-compose-exec-sh
 $(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2))
 $(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
- $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))) exec -T $(1) sh -c '$(2)'))
+ $(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
+ $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)'))
 endef
 # function docker-push: Push docker image
 define docker-push
diff --git a/make/apps/myos/def.ufw.mk b/make/apps/myos/def.ufw.mk
index 731881f..615382b 100644
--- a/make/apps/myos/def.ufw.mk
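Review bot: The project-name expression is now written twice, once in each `define`, and is assigned as a side effect of running a compose command, which is also what leaves `DOCKER_COMPOSE_PROJECT_NAME` empty for anything that runs before a compose call (the `ufw-update` recipe in make/apps/myos/ufw.mk reads it). A single file-level definition serves both functions and that consumer without the `$(eval)`: `DOCKER_COMPOSE_PROJECT_NAME ?= $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME)))` (recursive flavour, so it follows `STACK` at use time), with both `run` calls keeping `-p $(DOCKER_COMPOSE_PROJECT_NAME)` and the two `$(eval …)` lines dropped. Both `define` blocks lie entirely within the hunk.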
+++ b/make/apps/myos/def.ufw.mk
@@ -1,14 +1,20 @@
 CMDARGS += ufw ufw-docker
+UFW_UPDATE ?= $(or $(SERVICE),$(DOCKER_SERVICES))
 ifeq ($(SETUP_UFW),true)
+
+# function ufw: Exec command ufw with args 1
 define ufw
 $(call INFO,ufw,$(1)$(comma))
 $(call app-bootstrap,ufw-docker)
 $(call app-exec,,ufw $(1))
 endef
+
+# function ufw-docker: Exec command ufw-docker with args 1
 define ufw-docker
 $(call INFO,ufw-docker,$(1)$(comma))
 $(call app-bootstrap,ufw-docker)
 $(call app-exec,,ufw-docker $(1))
 endef
+
 endif
diff --git a/make/apps/myos/ufw.mk b/make/apps/myos/ufw.mk
index 22051b6..942300b 100644
--- a/make/apps/myos/ufw.mk
+++ b/make/apps/myos/ufw.mk
@@ -1,5 +1,37 @@
+# target ufw: Call ufw ARGS
+.PHONY: ufw
 ufw:
 $(call ufw,$(ARGS))
 
+# target ufw-delete: Fire ufw-update UFW_DELETE=true
+.PHONY: ufw-delete
+ufw-delete: UFW_DELETE := true
+ufw-delete: ufw-update
+
+# target ufw-docker: Call ufw-docker ARGS
+.PHONY: ufw-docker
 ufw-docker:
 $(call ufw-docker,$(ARGS))
+
+# target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
+.PHONY: ufw-update
+ufw-update:
+ $(foreach update,$(UFW_UPDATE), \
+ $(foreach port,$(UFW_DOCKER_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
+ $(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(DOCKER_COMPOSE_PROJECT_NAME)-$(update) $(port)) \
+ ) \
+ $(foreach port,$(UFW_UPDATE_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
+ $(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
+ ) \
+ )
+
+## ex: ufw-node-up will update ufw rules for stack node
+.PHONY: stack-%
+ufw-%:
+ $(eval stack := $(subst -$(lastword $(subst -, ,$*)),,$*))
+ $(eval command := $(lastword $(subst -, ,$*)))
+ $(if $(findstring -,$*), \
+ $(if $(filter ufw-$(command),$(MAKE_TARGETS)), \
+ $(call make,ufw-$(command) STACK="$(stack)") \
+ ) \
+ )
diff --git a/make/def.app.mk b/make/def.app.mk
index d0295cf..efc696c 100644
--- a/make/def.app.mk
+++ b/make/def.app.mk
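Review bot: `UFW_UPDATE` defaults to `$(SERVICE)` while the make/def.app.mk hunk of this same commit moves `app-docker` from `SERVICE` to `DOCKER_SERVICE`; if that rename is a deliberate split between the two variables, this default probably wants `DOCKER_SERVICE` too — worth confirming against whatever sets them. The new variable also sits outside the `ifeq ($(SETUP_UFW),true)` block while `ufw`/`ufw-docker` only exist inside it, so with `SETUP_UFW` unset `$(call ufw,…)` expands to nothing and `ufw-update` silently applies no rule. A comment on the variable would make that contract visible, e.g. `# UFW_UPDATE: services whose UFW_DOCKER_*/UFW_UPDATE_* ports target ufw-update applies (no-op unless SETUP_UFW=true)`.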
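Review bot: Two copy-paste leftovers in the new rules: the `.PHONY: stack-%` line precedes the `ufw-%` rule (and, to my knowledge, GNU make only honours `.PHONY` for literal target names, so it would not affect a pattern rule in either spelling), and the header above `ufw-update` reads `# target ufw-docker: …` where it should read `# target ufw-update: Call ufw and ufw-docker foreach service UFW_UPDATE`. The `## ex: ufw-node-up` example names a `ufw-up` target this file does not define, so the `$(filter ufw-$(command),$(MAKE_TARGETS))` guard would drop it silently; `ufw-node-update` is the example that matches what was added, unless `ufw-up` exists elsewhere. In `ufw-%`, `$(subst -$(lastword …),,$*)` strips every occurrence of `-<command>` from the stem; computing `command` first and using `$(eval stack := $(patsubst %-$(command),%,$*))` removes only the trailing one. Note also that `$(call ufw,… allow $(port))` hands each whitespace-separated word of `UFW_UPDATE_*` to `ufw allow` on its own, so a source-restricted rule (`from … to any port …`) cannot be expressed through these variables — worth stating in the `ufw-update` comment so operators do not assume otherwise.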
@@ -39,7 +39,7 @@ define app-docker
 $(eval dir := $(or $(APP_DIR)))
 $(eval dockerfile := $(or $(1)))
 $(if $(wildcard $(dockerfile)),
- $(eval service := $(or $(SERVICE),$(subst .,,$(call LOWERCASE,$(lastword $(subst /, ,$(patsubst %/Dockerfile,%,$(dockerfile)))))),undefined))
+ $(eval service := $(or $(DOCKER_SERVICE),$(subst .,,$(call LOWERCASE,$(lastword $(subst /, ,$(patsubst %/Dockerfile,%,$(dockerfile)))))),undefined))
 $(eval docker := ${COMPOSE_SERVICE_NAME}-$(service))
 $(eval DOCKER_IMAGE := $(DOCKER_REPOSITORY)/$(service):$(DOCKER_IMAGE_TAG))
 $(eval DOCKER_LABELS := SERVICE_NAME=$(docker) SERVICE_TAGS=urlprefix-$(service).$(APP_DOMAIN)/$(APP_PATH))
diff --git a/make/def.mk b/make/def.mk
index ec52b68..2d55f71 100644
--- a/make/def.mk
+++ b/make/def.mk
@@ -50,7 +50,7 @@ DRYRUN_RECURSIVE ?= false
 ELAPSED_TIME = $(shell $(call TIME))
 ENV ?= master
 ENV_ARGS ?= $(env_args)
-ENV_FILE ?= $(wildcard $(CONFIG)/$(ENV)/$(APP)/.env .env)
+ENV_FILE ?= $(wildcard $(if $(filter-out myos,$(MYOS)),$(MONOREPO_DIR)/.env) $(CONFIG)/$(ENV)/$(APP)/.env .env)
 ENV_LIST ?= $(shell ls .git/refs/heads/ 2>/dev/null)
 ENV_RESET ?= false
 ENV_VARS ?= APP BRANCH DOMAIN ENV HOME HOSTNAME GID GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME GROUP MONOREPO MONOREPO_DIR TAG UID USER VERSION
@@ -251,7 +251,7 @@ define env-run
 endef
 # function make: Call make with predefined options and variables
- # 1st arg: make command line (targets and arguments)
+ # 1st arg: make command line (targets and arguments)
 # 2nd arg: directory to call make from
 # 3rd arg: list of variables to pass to make (ENV by default)
 # 4th arg: path to .env file with additional arguments to call make with (file must exist when calling make)
diff --git a/stack/node.mk b/stack/node.mk
index 0063533..d8b0e24 100644
--- a/stack/node.mk
+++ b/stack/node.mk
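Review bot: Replacing `$(SERVICE)` with `$(DOCKER_SERVICE)` in `app-docker` drops the override that any caller setting `SERVICE=` on the command line relied on, and nothing in the hunk shows where `DOCKER_SERVICE` is set. If both spellings are meant to keep working, `$(eval service := $(or $(DOCKER_SERVICE),$(SERVICE),$(subst .,,$(call LOWERCASE,…)),undefined))` preserves the old behaviour; if the split is intentional, the function's header comment should name `DOCKER_SERVICE` as the override for the service name derived from the Dockerfile path. The `define app-docker` block starts before this hunk.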
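Review bot: With `MONOREPO_DIR` empty the new `$(if …)` branch yields `/.env`, so `$(wildcard)` would pick up a `.env` at the filesystem root whenever `MYOS` is anything but `myos`; guarding on both, `$(if $(and $(MONOREPO_DIR),$(filter-out myos,$(MYOS))),$(MONOREPO_DIR)/.env)`, keeps the lookup inside the repository. These files carry secrets (the same commit adds a template holding `NODE_CONSUL_HTTP_TOKEN`), and a second, shared one is now listed ahead of the app's, so the precedence between the monorepo file, `$(CONFIG)/$(ENV)/$(APP)/.env` and `./.env` should be stated in a comment next to `ENV_FILE` — which one wins depends on how the list is consumed, which is not visible here.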
@@ -1,5 +1,5 @@
 CMDARGS += node-exec stack-node-exec node-exec:% node-exec@% node-run node-run:% node-run@%
-node ?= node/autoheal node/certbot node/consul node/fabio node/registrator
+node ?= $(patsubst stack/%,%,$(patsubst %.yml,%,$(wildcard stack/node/*.yml)))
 ENV_VARS += DOCKER_HOST_IFACE DOCKER_HOST_INET4 DOCKER_INTERNAL_DOCKER_HOST
 SETUP_LETSENCRYPT ?=
diff --git a/stack/node/.env.dist b/stack/node/.env.dist
index 67b2adc..71ae971 100644
--- a/stack/node/.env.dist
+++ b/stack/node/.env.dist
@@ -2,3 +2,6 @@ NODE_CONSUL_ACL_TOKENS_MASTER=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
 NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
+UFW_UPDATE_node-certbot=53/udp
+UFW_UPDATE_node-consul=8500
+UFW_DOCKER_node-fabio=80 443
diff --git a/stack/node/ipfs/.env.dist b/stack/node/ipfs/.env.dist
index 61c018c..c587b37 100644
--- a/stack/node/ipfs/.env.dist
+++ b/stack/node/ipfs/.env.dist
@@ -7,3 +7,4 @@ NODE_IPFS_PUBSUB_ROUTER=gossipsub
 NODE_IPFS_ROUTING_TYPE=dht
 NODE_IPFS_SERVICE_8080_CHECK_HTTP=/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme
 NODE_IPFS_SERVICE_8080_TAGS=urlprefix-ipfs.${DOMAIN}/
+UFW_DOCKER_node-ipfs=4001/tcp 4001/udp 8080
diff --git a/stack/node/mail/.env.dist b/stack/node/mail/.env.dist
index 1c4ca23..3a300b8 100644
--- a/stack/node/mail/.env.dist
+++ b/stack/node/mail/.env.dist
@@ -2,3 +2,4 @@ NODE_MAILSERVER_ENABLE_MANAGESIEVE=1
 NODE_MAILSERVER_SPOOF_PROTECTION=1
 NODE_MAILSERVER_SSL_TYPE=letsencrypt
 NODE_MAILSERVER_UPDATE_CHECK=0
+UFW_DOCKER_node-mailserver=25 465 587 993
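Review bot: `node` now derives from `$(wildcard stack/node/*.yml)`, so the default stack is every `.yml` present in that directory rather than the five explicitly listed services; any file left there (a scratch copy such as `consul-old.yml`) is started, and any `UFW_*` ports declared for it opened, without being named anywhere. If the glob is the intended contract, say so above the line, e.g. `# node: every stack/node/*.yml is part of the node stack; add a file there to add a service`; if only a curated set should start by default, keep the explicit list. Note the glob is relative to the working directory, so the value changes if make is invoked from elsewhere — the old literal list did not.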
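Review bot: `UFW_UPDATE_node-consul=8500` becomes `ufw allow 8500`, which exposes Consul's HTTP API on every interface to any source, in the same template that ships `NODE_CONSUL_HTTP_TOKEN`; the context line `NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/` suggests the API is already published through fabio on 80/443, so the direct host rule looks unnecessary and bypasses that proxy. Since `ufw-update` passes each word of the value to `ufw allow` separately, a narrower rule such as `from <internal-cidr> to any port 8500` cannot be expressed here, so the safer template default is to leave `UFW_UPDATE_node-consul` out (or commented) and document how to restrict it. The same question applies to `53/udp` for certbot: a comment stating which challenge or resolver needs it would help operators decide whether to keep it.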
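Review bot: `8080` in `UFW_DOCKER_node-ipfs` opens the IPFS gateway port on the container directly, while the context line `NODE_IPFS_SERVICE_8080_TAGS=urlprefix-ipfs.${DOMAIN}/` already publishes it behind fabio on 80/443; the direct rule bypasses whatever the proxy layer adds (TLS, host-based routing) and is likely unneeded. `4001/tcp 4001/udp` is the swarm port and does need to be reachable; a short comment saying so, and marking 8080 as optional, would keep the template self-explaining.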