Hello everyone,
I would like to share an Ansible-based setup for Ingress hardening and firewall automation in my homelab and kindly ask for constructive feedback from the community.
The main goal was to establish a clearly scoped, reproducible, and tested reference state for a single Internet-facing Ingress host.
Focus areas
- Firewall hardening using nftables (default-deny, explicit allow rules)
- Reverse proxy (nginx) as the single external entry point
- Clear separation between Ingress security and application behavior
- Practical testing of allowed and disallowed access (HTTP/HTTPS, sensitive paths, HTTP methods)
- Documentation of decisions and consciously accepted trade-offs
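As an added illustration of the default-deny / explicit-allow pattern listed above (example ruleset written for this thread, not taken from the repository), a minimal nftables policy for a single Internet-facing Ingress host; the WAN interface name (eth0), the management LAN range and the SSH port are assumptions:

```nftables
#!/usr/sbin/nft -f
# Assumed values: WAN interface eth0, management LAN 192.168.10.0/24, SSH on 22.
flush ruleset

table inet ingress {
    set lan_mgmt {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped
        type filter hook input priority filter; policy drop;

        # Stateful allow for replies to connections this host initiated
        ct state established,related accept
        ct state invalid drop

        # Loopback is needed by nginx upstreams and local tooling
        iifname "lo" accept

        # ICMP/ICMPv6 are needed for PMTU discovery and neighbour discovery; rate-limit echo
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The only Internet-facing services: nginx on 80/443 (single entry point)
        tcp dport { 80, 443 } accept

        # Management access only from the LAN, never via the WAN interface
        iifname != "eth0" ip saddr @lan_mgmt tcp dport 22 accept

        # Everything else falls through to the drop policy; log a sample for detection
        limit rate 5/minute log prefix "nft-ingress-drop: "
    }

    chain forward {
        # This host is not a router
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f` and verify the resulting policy with `nft list ruleset`; the logged drops are a useful input for whatever detection the Ingress host feeds.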
Repository
All automation and documentation can be found here:
https://github.com/gatonero/homelab-ansible
Motivation
The intent was not “maximum hardening at all costs”, but rather:
- a stable and maintainable setup,
- explicitly reasoned security decisions,
- and a clean, reproducible Ansible implementation.
I would appreciate any feedback, suggestions, or alternative approaches, especially regarding best practices for Ingress hardening with Ansible.
Thank you for your time and insights.