Create UFW services(on normal method, wo import fabric)

Author: trapplus

app/interfaces/cli/run.py

@@ -82,4 +82,3 @@ def docker_interactive_run(self):
                 print("Неверный ввод")
                 # overload
                 self.docker_interactive_run()
-

app/services/distro/arch/docker.py

@@ -2,10 +2,11 @@
 
 from app.utils.subprocess_utils import run_commands
 
+
 class DockerService:
     def __init__(self) -> None:
         self.status: bool = True if which("docker") else False
-    
+
     def install(self):
         run_commands(
             [
@@ -14,7 +15,7 @@ def install(self):
                 ["systemctl", "start", "docker"],
             ]
         )
-    
+
     def uninstall(self):
         run_commands(
             [
@@ -24,4 +25,4 @@ def uninstall(self):
                 ["rm", "-rf", "/var/lib/docker"],
                 ["rm", "-rf", "/var/lib/containerd"],
             ]
-        )
+        )

app/services/distro/arch/ufw.py

@@ -0,0 +1,77 @@
+import time
+from subprocess import run
+
+from app.services.ufw import UFWService
+from app.utils.subprocess_utils import run_commands
+
+
+class ArchUFWService(UFWService):
+    def __init__(self):
+        super().__init__()
+        self.package_manager = "pacman"
+
+    def install(self):
+        print("Installing UFW for Arch Linux...")
+
+        run_commands([[self.package_manager, "-Sy", "--noconfirm", "ufw"]])
+
+        run_commands(
+            [
+                ["ufw", "default", "deny", "incoming"],
+                ["ufw", "default", "allow", "outgoing"],
+            ]
+        )
+
+        for action, port, description in self.default_rules:
+            print(f"Adding rule: {action} {port} ({description})")
+            run_commands([["ufw", action, port, "comment", description]])
+
+        run_commands(
+            [
+                ["systemctl", "enable", "ufw"],
+                ["systemctl", "start", "ufw"],
+            ]
+        )
+
+        run_commands([["ufw", "--force", "enable"]])
+
+        self._wait_for_status("active")
+
+        run_commands(
+            [
+                ["ufw", "status", "verbose"],
+                ["systemctl", "status", "ufw"],
+            ]
+        )
+
+        print("UFW successfully installed and configured")
+
+    def uninstall(self):
+        print("Uninstalling UFW for Arch Linux...")
+
+        run_commands([["ufw", "--force", "disable"]])
+
+        run_commands(
+            [
+                ["systemctl", "stop", "ufw"],
+                ["systemctl", "disable", "ufw"],
+            ]
+        )
+
+        self._wait_for_status("inactive")
+
+        run_commands([[self.package_manager, "-Rns", "--noconfirm", "ufw"]])
+
+        print("UFW successfully uninstalled")
+
+    def _check_service_status(self, expected_status: str) -> bool:
+        result = run(["systemctl", "is-active", "ufw"], text=True, capture_output=True)
+        return result.stdout.strip() == expected_status
+
+    def _wait_for_status(self, expected_status: str, timeout: int = 10):
+        start_time = time.time()
+        while time.time() - start_time < timeout:
+            if self._check_service_status(expected_status):
+                return
+            time.sleep(0.5)
+        print(f"Warning: failed to reach status '{expected_status}'")

app/services/distro/debian/fail2ban.py

@@ -1,11 +1,11 @@
 import time
 from subprocess import run
+
 from app.utils.subprocess_utils import run_commands
 
 
 class Fail2BanService:
     def __init__(self):
-
         self.path_to_jail_config = "/etc/fail2ban/jail.d/sshd.local"
         self.jail_str_config = """
 [sshd]

app/services/distro/debian/ufw.py

@@ -0,0 +1,72 @@
+import time
+from subprocess import run
+
+from app.services.ufw import UFWService
+from app.utils.subprocess_utils import run_commands
+
+
+class DebianUFWService(UFWService):
+    def __init__(self):
+        super().__init__()
+        self.package_manager = "apt"
+
+    def install(self):
+        print("Installing UFW for Debian/Ubuntu...")
+
+        run_commands([[self.package_manager, "update"]])
+        run_commands([[self.package_manager, "install", "ufw", "-y"]])
+
+        run_commands(
+            [
+                ["ufw", "default", "deny", "incoming"],
+                ["ufw", "default", "allow", "outgoing"],
+            ]
+        )
+
+        for action, port, description in self.default_rules:
+            print(f"Adding rule: {action} {port} ({description})")
+            run_commands([["ufw", action, port, "comment", description]])
+
+        run_commands([["ufw", "--force", "enable"]])
+
+        self._wait_for_status("active")
+
+        run_commands(
+            [
+                ["ufw", "status", "verbose"],
+                ["systemctl", "status", "ufw"],
+            ]
+        )
+
+        print("UFW successfully installed and configured")
+
+    def uninstall(self):
+        print("Uninstalling UFW for Debian/Ubuntu...")
+
+        run_commands([["ufw", "--force", "disable"]])
+
+        self._wait_for_status("inactive")
+
+        run_commands(
+            [
+                ["systemctl", "stop", "ufw"],
+                ["systemctl", "disable", "ufw"],
+            ]
+        )
+
+        run_commands([[self.package_manager, "remove", "ufw", "-y"]])
+        run_commands([[self.package_manager, "autoremove", "-y"]])
+
+        print("UFW successfully uninstalled")
+
+    def _check_service_status(self, expected_status: str) -> bool:
+        result = run(["systemctl", "is-active", "ufw"], text=True, capture_output=True)
+        return result.stdout.strip() == expected_status
+
+    def _wait_for_status(self, expected_status: str, timeout: int = 10):
+        start_time = time.time()
+        while time.time() - start_time < timeout:
+            if self._check_service_status(expected_status):
+                return
+            time.sleep(0.5)
+        print(f"Warning: failed to reach status '{expected_status}'")

app/services/distro/wrt/fail2ban.py

@@ -1,11 +1,11 @@
 import time
 from subprocess import run
+
 from app.utils.subprocess_utils import run_commands
 
 
 class Fail2BanService:
     def __init__(self):
-
         self.path_to_jail_config = "/etc/fail2ban/jail.d/sshd.local"
         self.jail_str_config = """
 [sshd]

app/services/distro/wrt/ufw.py

@@ -0,0 +1,98 @@
+import time
+from subprocess import run
+
+from app.services.ufw import UFWService
+from app.utils.subprocess_utils import run_commands
+
+
+class WrtUFWService(UFWService):
+    def __init__(self):
+        super().__init__()
+
+    def install(self):
+        print("OpenWrt uses built-in firewall")
+        print("Configuring firewall for OpenWrt...")
+
+        fw_version = self._detect_firewall_version()
+
+        if fw_version == "fw4":
+            self._configure_fw4()
+        else:
+            self._configure_fw3()
+
+        run_commands([["/etc/init.d/firewall", "restart"]])
+
+        self._wait_for_status("running")
+
+        run_commands(
+            [
+                ["/etc/init.d/firewall", "status"],
+                ["iptables", "-L", "-n", "-v"],
+            ]
+        )
+
+        print("Firewall successfully configured")
+
+    def uninstall(self):
+        print("Cannot remove built-in OpenWrt firewall")
+        print("Resetting firewall to default settings...")
+
+        run_commands(
+            [
+                ["uci", "revert", "firewall"],
+                ["uci", "commit", "firewall"],
+                ["/etc/init.d/firewall", "restart"],
+            ]
+        )
+
+        print("Firewall reset to default settings")
+
+    def _detect_firewall_version(self) -> str:
+        result = run(["which", "fw4"], capture_output=True)
+        return "fw4" if result.returncode == 0 else "fw3"
+
+    def _configure_fw3(self):
+        print("Configuring fw3...")
+
+        commands = [
+            ["uci", "set", "firewall.ssh=rule"],
+            ["uci", "set", "firewall.ssh.name=Allow-SSH"],
+            ["uci", "set", "firewall.ssh.src=wan"],
+            ["uci", "set", "firewall.ssh.proto=tcp"],
+            ["uci", "set", "firewall.ssh.dest_port=22"],
+            ["uci", "set", "firewall.ssh.target=ACCEPT"],
+            ["uci", "set", "firewall.http=rule"],
+            ["uci", "set", "firewall.http.name=Allow-HTTP"],
+            ["uci", "set", "firewall.http.src=wan"],
+            ["uci", "set", "firewall.http.proto=tcp"],
+            ["uci", "set", "firewall.http.dest_port=80"],
+            ["uci", "set", "firewall.http.target=ACCEPT"],
+            ["uci", "set", "firewall.https=rule"],
+            ["uci", "set", "firewall.https.name=Allow-HTTPS"],
+            ["uci", "set", "firewall.https.src=wan"],
+            ["uci", "set", "firewall.https.proto=tcp"],
+            ["uci", "set", "firewall.https.dest_port=443"],
+            ["uci", "set", "firewall.https.target=ACCEPT"],
+            ["uci", "commit", "firewall"],
+        ]
+
+        run_commands(commands)
+
+    def _configure_fw4(self):
+        print("Configuring fw4...")
+        self._configure_fw3()
+
+    def _check_service_status(self, expected_status: str) -> bool:
+        result = run(["/etc/init.d/firewall", "status"], capture_output=True, text=True)
+        if expected_status == "running":
+            return result.returncode == 0
+        else:
+            return result.returncode != 0
+
+    def _wait_for_status(self, expected_status: str, timeout: int = 10):
+        start_time = time.time()
+        while time.time() - start_time < timeout:
+            if self._check_service_status(expected_status):
+                return
+            time.sleep(0.5)
+        print(f"Warning: failed to reach status '{expected_status}'")

app/services/docker.py

@@ -11,4 +11,4 @@
 else:
     raise OSError("Unsuported distro!")
 
-dockerservice = DockerService()
+dockerservice = DockerService()

app/services/fail2ban.py

@@ -11,4 +11,4 @@
 else:
     raise OSError("Unsuported distro!")
 
-fail2banservice = Fail2BanService()
+fail2banservice = Fail2BanService()

app/services/ufw.py

@@ -0,0 +1,63 @@
+from abc import ABC, abstractmethod
+
+from app.utils import sysinfo_utils
+
+
+class UFWService(ABC):
+    """Base class for UFW management"""
+
+    def __init__(self):
+        self.default_rules = [
+            ("allow", "22/tcp", "SSH"),
+            ("allow", "80/tcp", "HTTP"),
+            ("allow", "443/tcp", "HTTPS"),
+        ]
+
+    @abstractmethod
+    def install(self):
+        """Install UFW"""
+        pass
+
+    @abstractmethod
+    def uninstall(self):
+        """Uninstall UFW"""
+        pass
+
+    @abstractmethod
+    def _check_service_status(self, expected_status: str) -> bool:
+        """Check service status"""
+        pass
+
+    @staticmethod
+    def create():
+        """Factory method to create instance based on OS"""
+        __os: str | None = sysinfo_utils.detect_distro().lower()
+
+        if __os == "debian":
+            from app.services.distro.debian.ufw import DebianUFWService
+
+            return DebianUFWService()
+        elif __os == "arch":
+            from app.services.distro.arch.ufw import ArchUFWService
+
+            return ArchUFWService()
+        elif __os == "openwrt":
+            from app.services.distro.wrt.ufw import WrtUFWService
+
+            return WrtUFWService()
+        else:
+            raise OSError(f"Unsupported distro: {__os}")
+
+    @staticmethod
+    def is_supported() -> bool:
+        """Check if current OS is supported"""
+        try:
+            __os = sysinfo_utils.detect_distro().lower()
+            return __os in ["debian", "arch", "openwrt"]
+        except Exception:
+            return False
+
+    @staticmethod
+    def get_distro() -> str:
+        """Get current distribution"""
+        return sysinfo_utils.detect_distro().lower()