Configure UFW Firewall

Implement UFW firewall configuration in the `ConfigureCommand` with comprehensive SSH lockout prevention. This task adds firewall security while ensuring SSH access is preserved through careful configuration sequencing and port management.

This is the second phase of system security configuration, following the security updates implementation. It has higher risk due to potential SSH lockout scenarios.

## Goals

- [ ] **UFW Firewall Active**: Configure UFW with restrictive default policies
- [ ] **SSH Access Preserved**: Maintain SSH connectivity throughout configuration
- [ ] **Configurable SSH Port**: Support custom SSH ports from user configuration
- [ ] **New Domain Step**: Add `ConfigureFirewall` to the `ConfigureStep` enum  
- [ ] **Ansible Integration**: Create Tera template for SSH port resolution
- [ ] **Safety First**: Comprehensive SSH lockout prevention measures
- [ ] **Testing**: Extensive E2E testing with SSH connectivity validation

## Specifications

### Safety-First Implementation

**Critical Requirements:**
1. **Allow SSH BEFORE enabling firewall** - Never enable UFW before SSH rules are in place
2. **Use configured SSH port** - Support `user_inputs.ssh_port` (defaults to 22)
3. **Dual SSH protection** - Allow both port number and SSH service name
4. **Verify SSH access** - Confirm SSH rules are active before completing

### Domain Integration

Update `ConfigureStep` enum in `src/domain/environment/state/configure_failed.rs`:

```rust
/// Steps in the configure workflow  
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum ConfigureStep {
    /// Installing Docker
    InstallDocker,
    /// Installing Docker Compose  
    InstallDockerCompose,
    /// Configuring automatic security updates
    ConfigureSecurityUpdates,
    /// Configuring UFW firewall
    ConfigureFirewall,  // <- NEW
}
```

### New Application Step

Create `src/application/steps/system/configure_firewall.rs`:
- Implements ConfigureFirewallStep with SSH port variable resolution
- Uses AnsibleClient with Tera template for dynamic SSH port
- Comprehensive error handling for SSH lockout scenarios
- Follows established patterns while handling template variables

### New Ansible Template

Create `templates/ansible/configure-firewall.yml.tera` (Tera template for SSH port):
- Reset UFW to clean state
- Set restrictive default policies (deny incoming, allow outgoing)
- **CRITICALLY**: Allow SSH on `{{ ssh_port }}` BEFORE enabling firewall
- Allow SSH service by name as additional safety measure
- Enable UFW only after SSH rules are confirmed
- Verify SSH access is preserved

## Implementation Approach

This is a **higher risk** implementation that:
- Requires Tera template for SSH port variable resolution
- Must prevent SSH lockout through careful sequencing
- Needs comprehensive testing with SSH connectivity validation
- Follows the template pattern similar to inventory.yml.tera

## Acceptance Criteria

- [ ] **UFW Firewall Enabled**: UFW is active with restrictive default policies
- [ ] **SSH Access Maintained**: SSH connectivity preserved on configured port  
- [ ] **Port Configuration**: Uses `user_inputs.ssh_port` value correctly
- [ ] **Domain Integration**: ConfigureFirewall step properly integrated
- [ ] **SSH Lockout Prevention**: No scenario causes SSH access loss
- [ ] **Template Resolution**: SSH port variable correctly resolved in Tera template
- [ ] **Error Handling**: Clear, actionable error messages for firewall failures
- [ ] **Tests Pass**: All existing tests continue to pass
- [ ] **E2E Validation**: E2E tests confirm firewall is active AND SSH works
- [ ] **Safety Verification**: SSH rules verified before firewall activation

## Dependencies

**Depends On**: #17 (Configure Automatic Security Updates)
**Parent Epic**: #16 - Finish ConfigureCommand - System Security Configuration

## Risk Assessment

**Medium Risk** due to:
- Potential SSH lockout if improperly sequenced
- Network-level changes affecting remote access
- Tera template complexity for SSH port resolution

**Mitigation Strategies**:
- Comprehensive E2E testing with SSH verification
- Careful implementation sequencing (SSH rules before firewall activation)
- Detailed error handling for SSH connectivity issues
- Multiple safety checks and verification steps

**Estimated Effort**: 2-3 days

Full specification: [UFW Firewall Documentation](https://github.com/torrust/torrust-tracker-deployer/blob/main/docs/issues/18-configure-ufw-firewall.md)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configure UFW Firewall #18

Goals

Specifications

Safety-First Implementation

Domain Integration

New Application Step

New Ansible Template

Implementation Approach

Acceptance Criteria

Dependencies

Risk Assessment

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Configure UFW Firewall #18

Description

Goals

Specifications

Safety-First Implementation

Domain Integration

New Application Step

New Ansible Template

Implementation Approach

Acceptance Criteria

Dependencies

Risk Assessment

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions