refactor: [#248] remove obsolete UFW tracker firewall configuration

- Delete configure-tracker-firewall.yml playbook (Docker bypasses UFW)
- Delete ConfigureTrackerFirewallStep implementation
- Remove step from configure command handler
- Update ConfigureStep enum (remove ConfigureTrackerFirewall variant)
- Update base firewall playbook with security comments explaining Docker/UFW interaction
- Add ADR reference to system module documentation

Since Docker bypasses UFW rules for published container ports, application
port firewall rules in UFW are ineffective. Service exposure is controlled
via Docker port bindings in docker-compose, not through UFW.

UFW is now simplified to its actual effective scope: SSH access only.

See ADR: docs/decisions/docker-ufw-firewall-security-strategy.md

Related: #248

Author: josecelano

src/application/command_handlers/configure/handler.rs

@@ -8,8 +8,8 @@ use super::errors::ConfigureCommandHandlerError;
 use crate::adapters::ansible::AnsibleClient;
 use crate::application::command_handlers::common::StepResult;
 use crate::application::steps::{
-    ConfigureFirewallStep, ConfigureSecurityUpdatesStep, ConfigureTrackerFirewallStep,
-    InstallDockerComposeStep, InstallDockerStep,
+    ConfigureFirewallStep, ConfigureSecurityUpdatesStep, InstallDockerComposeStep,
+    InstallDockerStep,
 };
 use crate::domain::environment::repository::{EnvironmentRepository, TypedEnvironmentRepository};
 use crate::domain::environment::state::{ConfigureFailureContext, ConfigureStep};
@@ -202,22 +202,6 @@ impl ConfigureCommandHandler {
                 .map_err(|e| (e.into(), current_step))?;
         }
 
-        let current_step = ConfigureStep::ConfigureTrackerFirewall;
-        // Configure tracker-specific firewall rules (conditional on tracker configuration)
-        // If no tracker ports are configured in variables.yml, playbook tasks will be skipped
-        if skip_firewall {
-            info!(
-                command = "configure",
-                step = "configure_tracker_firewall",
-                status = "skipped",
-                "Skipping Tracker firewall configuration due to TORRUST_TD_SKIP_FIREWALL_IN_CONTAINER"
-            );
-        } else {
-            ConfigureTrackerFirewallStep::new(Arc::clone(&ansible_client))
-                .execute()
-                .map_err(|e| (e.into(), current_step))?;
-        }
-
         // Transition to Configured state
         let configured = environment.clone().configured();
 

src/application/steps/mod.rs

@@ -38,10 +38,7 @@ pub use rendering::{
     RenderDockerComposeTemplatesStep, RenderOpenTofuTemplatesStep,
 };
 pub use software::{InstallDockerComposeStep, InstallDockerStep};
-pub use system::{
-    ConfigureFirewallStep, ConfigureSecurityUpdatesStep, ConfigureTrackerFirewallStep,
-    WaitForCloudInitStep,
-};
+pub use system::{ConfigureFirewallStep, ConfigureSecurityUpdatesStep, WaitForCloudInitStep};
 pub use validation::{
     ValidateCloudInitCompletionStep, ValidateDockerComposeInstallationStep,
     ValidateDockerInstallationStep,

src/application/steps/system/configure_tracker_firewall.rs

@@ -7,8 +7,11 @@
  * Current steps:
  * - Cloud-init completion waiting
  * - Automatic security updates configuration
- * - UFW firewall configuration
- * - Tracker firewall configuration
+ * - UFW firewall configuration (SSH access only)
+ *
+ * Note: Tracker service ports are controlled via Docker port bindings in docker-compose,
+ * not through UFW rules. Docker bypasses UFW for published container ports.
+ * See ADR: docs/decisions/docker-ufw-firewall-security-strategy.md
  *
  * Future steps may include:
  * - User account setup and management
@@ -18,10 +21,8 @@
 
 pub mod configure_firewall;
 pub mod configure_security_updates;
-pub mod configure_tracker_firewall;
 pub mod wait_cloud_init;
 
 pub use configure_firewall::ConfigureFirewallStep;
 pub use configure_security_updates::ConfigureSecurityUpdatesStep;
-pub use configure_tracker_firewall::ConfigureTrackerFirewallStep;
 pub use wait_cloud_init::WaitForCloudInitStep;

src/application/steps/system/mod.rs

@@ -47,10 +47,8 @@ pub enum ConfigureStep {
     InstallDockerCompose,
     /// Configuring automatic security updates
     ConfigureSecurityUpdates,
-    /// Configuring UFW firewall
+    /// Configuring UFW firewall (SSH access only)
     ConfigureFirewall,
-    /// Configuring Tracker firewall rules
-    ConfigureTrackerFirewall,
 }
 
 /// Error state - Application configuration failed

src/domain/environment/state/configure_failed.rs

@@ -306,7 +306,6 @@ impl AnsibleProjectGenerator {
             "wait-cloud-init.yml",
             "configure-security-updates.yml",
             "configure-firewall.yml",
-            "configure-tracker-firewall.yml",
             "create-tracker-storage.yml",
             "init-tracker-database.yml",
             "deploy-tracker-config.yml",

src/infrastructure/templating/ansible/template/renderer/project_generator.rs

@@ -1,11 +1,26 @@
 ---
 # Configure UFW Firewall with Safe SSH Access
+#
+# IMPORTANT SECURITY NOTE:
+# =======================
+# This playbook ONLY configures SSH firewall rules. Application service ports
+# (tracker, grafana, prometheus, etc.) are NOT controlled by UFW because Docker
+# bypasses UFW rules when publishing container ports.
+#
+# Docker Security Model:
+# - Docker manipulates iptables NAT table directly, bypassing UFW's INPUT/OUTPUT chains
+# - Service exposure is controlled via docker-compose port bindings, not UFW
+# - Internal services (MySQL, Prometheus) have NO port bindings - Docker network only
+# - Public services (Tracker, Grafana) have explicit port bindings in docker-compose
+#
+# For details, see ADR: docs/decisions/docker-ufw-firewall-security-strategy.md
+#
 # This playbook configures UFW with restrictive policies while preserving SSH access.
 # CRITICAL: SSH access is allowed BEFORE enabling firewall to prevent lockout.
 #
 # Variables are loaded from variables.yml for centralized management.
 
-- name: Configure UFW firewall safely
+- name: Configure UFW firewall safely (SSH access only)
   hosts: all
   become: yes
   gather_facts: yes