
[EPIC] Finish ConfigureCommand - System Security Configuration #16

@josecelano

Description


This Epic completes the ConfigureCommand implementation by adding system security configuration capabilities. With the foundational architecture and Docker installation established in previous work, this Epic focuses specifically on system-level security hardening through three key areas:

Goals

  1. Automatic Security Updates - Configure unattended-upgrades for automated security patch management
  2. UFW Firewall Configuration - Implement network-level security with safe SSH access preservation
  3. Template Architecture Refinement - Consolidate Ansible templates into a centralized variables pattern

This Epic provides immediate production value by securing deployed instances with industry-standard security practices, while also establishing a clean architectural foundation for future service additions.

Implementation Strategy

Phase 1: Automatic Security Updates (#17)

Estimated Time: 1-2 days

  • Lower risk implementation that configures unattended-upgrades for automatic security patching
  • Install and configure unattended-upgrades package
  • Enable automatic reboots at 2:00 AM for security updates
  • Configure update notifications and logging
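The Phase 1 tasks above as one Ansible playbook. This is an added example, not the project's own `configure-security-updates.yml`; the inventory group name `torrust_hosts` is assumed, and the reboot/notification settings are written to a separate `apt.conf.d` file so that package upgrades of `unattended-upgrades` do not overwrite them.

```yaml
# Added example (not the project's playbook): static configure-security-updates.yml
# for a Debian/Ubuntu host. Group name "torrust_hosts" is assumed.
- name: Configure automatic security updates
  hosts: torrust_hosts
  become: true
  tasks:
    - name: Install unattended-upgrades
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
        update_cache: true

    # Turns on the daily apt timer: refresh package lists and run the upgrader.
    - name: Enable periodic package list refresh and unattended upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    # The package's own 50unattended-upgrades keeps its default origin selection;
    # this file layers the reboot window and mail notifications on top of it.
    # Run logs land in /var/log/unattended-upgrades/ by default.
    - name: Reboot at 02:00 when an update requires it and notify root of changes
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/52unattended-upgrades-local
        mode: "0644"
        content: |
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Mail "root";
          Unattended-Upgrade::MailReport "on-change";

    # A dry run parses every apt.conf.d fragment, so a syntax error in the
    # files written above fails the play here instead of silently at 06:00.
    - name: Confirm the configuration parses with a dry run
      ansible.builtin.command: unattended-upgrade --dry-run --debug
      changed_when: false
```

The dry-run task is the check worth keeping: apt configuration files fail closed (a malformed fragment stops the whole unattended-upgrades run), so a deployment that only writes the files can look successful while never installing a patch.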

Phase 2: UFW Firewall Configuration (#18)

Estimated Time: 2-3 days

  • Higher risk implementation requiring careful SSH access handling
  • Reset UFW to clean state
  • Configure restrictive default policies (deny incoming, allow outgoing)
  • CRITICALLY: Allow SSH access BEFORE enabling firewall
  • Use configurable SSH port from user_inputs.ssh_port

Phase 3: Template Architecture Refinement (#19)

Estimated Time: 1-2 days

  • Architectural cleanup and consistency improvement
  • Consolidate 2 Tera templates into 1 centralized variables pattern
  • Create variables.yml.tera matching OpenTofu's approach
  • Convert inventory.yml.tera and configure-firewall.yml.tera to static files
  • Establish consistent pattern for future service additions
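The Phase 2 firewall procedure, written in the Phase 3 layout: a static `configure-firewall.yml` that takes `ssh_port` from `variables.yml`, the single file rendered from `variables.yml.tera`. This is an added example, not the project's own playbook; the group name `torrust_hosts` and the rendered variables file containing one line, `ssh_port: <value>`, are assumptions. The task order is the security-relevant part: the SSH allow rule is applied, and its port validated, before `state: enabled`.

```yaml
# Added example (not the project's playbook): static configure-firewall.yml.
# Assumes variables.yml was rendered from variables.yml.tera and defines
# ssh_port. Group name "torrust_hosts" is assumed.
- name: Configure UFW firewall
  hosts: torrust_hosts
  become: true
  vars_files:
    - variables.yml
  tasks:
    # Fail before touching the firewall if the rendered variable is missing or
    # out of range; an empty port would otherwise produce no SSH rule at all.
    - name: Refuse to continue without a valid SSH port
      ansible.builtin.assert:
        that:
          - ssh_port is defined
          - ssh_port | int >= 1
          - ssh_port | int <= 65535
        fail_msg: "ssh_port must be an integer in 1-65535, got '{{ ssh_port | default('undefined') }}'"

    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true

    # Reset clears all rules and leaves the firewall disabled, so the host is
    # not locked out while the rules below are applied.
    - name: Reset UFW to a clean state
      community.general.ufw:
        state: reset

    - name: Default policy - deny incoming
      community.general.ufw:
        direction: incoming
        policy: deny

    - name: Default policy - allow outgoing
      community.general.ufw:
        direction: outgoing
        policy: allow

    # Must come before "state: enabled": with deny-incoming as the default,
    # enabling first would drop the current session and every later one.
    - name: Allow SSH on the configured port
      community.general.ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp
        comment: "SSH (managed by configure-firewall.yml)"

    - name: Enable UFW with logging
      community.general.ufw:
        state: enabled
        logging: "on"

    - name: Capture active rules for the run log
      ansible.builtin.command: ufw status verbose
      changed_when: false
      register: ufw_status

    - name: Verify the SSH rule is present in the active rule set
      ansible.builtin.assert:
        that: "ufw_status.stdout is search(ssh_port | string ~ '/tcp')"
        fail_msg: "No rule for port {{ ssh_port }}/tcp after enabling UFW"
```

With this split, only `variables.yml.tera` contains Tera placeholders; the playbook itself uses `{{ ssh_port }}` purely as an Ansible variable, which removes the need to escape the identical Jinja2 and Tera delimiters inside playbook templates.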

Architecture Impact

Domain Changes Required

The ConfigureStep enum in src/domain/environment/state/configure_failed.rs needs to be extended:

```rust
use serde::{Deserialize, Serialize};

/// Steps in the configure workflow
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum ConfigureStep {
    /// Installing Docker
    InstallDocker,
    /// Installing Docker Compose
    InstallDockerCompose,
    /// Configuring automatic security updates (added by this Epic, Phase 1)
    ConfigureSecurityUpdates,
    /// Configuring UFW firewall (added by this Epic, Phase 2)
    ConfigureFirewall,
}
```

New Application Steps

Two new step implementations required:

  • src/application/steps/system/configure_security_updates.rs
  • src/application/steps/system/configure_firewall.rs

New Ansible Templates

Two new Ansible playbook templates:

  • templates/ansible/configure-security-updates.yml (static)
  • templates/ansible/configure-firewall.yml.tera (dynamic: requires SSH port resolution; becomes a static file once Phase 3 moves the port into variables.yml.tera)

Acceptance Criteria

  • Security Updates: Instances automatically install security updates and reboot when needed
  • Firewall Active: UFW firewall is enabled with restrictive default policies
  • SSH Access Maintained: SSH access continues to work on configured port
  • Domain Integration: New steps properly integrated into ConfigureStep enum
  • Template Consistency: Ansible templates use centralized variables pattern matching OpenTofu
  • Reduced Complexity: Only one Tera template (variables.yml.tera) needs variable processing
  • Error Handling: Comprehensive error handling with actionable messages
  • Tests Pass: All existing tests continue to pass
  • E2E Validation: Full E2E tests validate the new configurations
  • Backward Compatibility: Existing functionality remains unchanged

Related

Roadmap: Task 3.1 - Finish ConfigureCommand
Related Issues: #1 (Roadmap)

Total Estimated Effort: 4-7 days

Full specification: Epic Documentation
