add ndoe_firewall param placeholder in vibe.yml config

Author: Vonng

conf/ha/simu.yml

@@ -342,8 +342,8 @@ all:
         retention_full_type: time     # retention full backup by time on minio repo
         retention_full: 14            # keep full backup for last 14 days
     pg_crontab:  # make a full backup on monday 1am, and an incremental backup during weekdays
-      - '00 01  * * 1 /pg/bin/pg-backup'
-      - '00 05 * * *  /pg/bin/pg-vaccum'
+      - '00 01  * * * /pg/bin/pg-backup'
+      - '00 05 * * *  /pg/bin/pg-vacuum'
     pg_hba_rules:   # https://pigsty.io/docs/pgsql/config/hba
       - { user: all ,db: all ,addr: intra ,auth: pwd ,title: 'everyone intranet access with password' ,order: 800 }
 

conf/vibe.yml

@@ -3,7 +3,7 @@
 # File      :   vibe.yml
 # Desc      :   Pigsty ai vibe coding sandbox
 # Ctime     :   2026-01-19
-# Mtime     :   2026-01-27
+# Mtime     :   2026-01-30
 # Docs      :   https://pigsty.io/docs/conf/vibe
 # License   :   Apache-2.0 @ https://pigsty.io/docs/about/license/
 # Copyright :   2018-2026  Ruohang Feng / Vonng (rh@vonng.com)
@@ -41,10 +41,10 @@ all:
     region: default                     # upstream mirror region: default,china,europe
     infra_portal:                       # infra services exposed via portal
       home : { domain: i.pigsty }       # default domain name
-    dns_enabled: false                # disable dns service
+    dns_enabled: false                  # disable dns service
     vtrace_enabled: false               # enable vtrace extension
-    #blackbox_enabled: false             # disable blackbox exporter
-    #alertmanager_enabled: false         # disable alertmanager
+    #blackbox_enabled: false            # disable blackbox exporter
+    #alertmanager_enabled: false        # disable alertmanager
     infra_extra_services:               # home page navigation entries
       - { name: Code Server  ,url: '/code'             ,desc: 'VS Code Server'       ,icon: 'code'     }
       - { name: Jupyter      ,url: '/jupyter'          ,desc: 'Jupyter Notebook'     ,icon: 'jupyter'  }
@@ -59,6 +59,8 @@ all:
     node_repo_modules: node,infra,pgsql # add these repos directly to the singleton node
     node_packages: [ openssh-server, juicefs, restic, rclone, uv, opencode, claude, code-server, golang, asciinema, genai-toolbox, postgrest ]
     docker_enabled: true                # enable docker service
+    node_firewall_mode: none            # change to 'zone' to enable firewall
+    node_firewall_public_port: [22, 80, 443, 5432]    # add custom public ports
     #docker_registry_mirrors: ["https://docker.1panel.live","https://docker.1ms.run","https://docker.xuanyuan.me","https://registry-1.docker.io"]
 
     #----------------------------------------------#

roles/node/README.md

@@ -124,9 +124,9 @@ node (full role)
 
 ### Security
 
-| Variable             | Default | Description                                     |
-|----------------------|---------|-------------------------------------------------|
-| `node_selinux_mode`  | `enum`  | set selinux mode: enforcing,permissive,disabled |
+| Variable             | Default | Description                                                       |
+|----------------------|---------|-------------------------------------------------------------------|
+| `node_selinux_mode`  | `enum`  | set selinux mode: enforcing,permissive,disabled                   |
 | `node_firewall_mode` | `enum`  | firewall mode: none (skip), off (disable), zone (enable & config) |
 
 
@@ -230,6 +230,7 @@ For production environments, review and adjust the following:
 ```yaml
 node_admin_sudo: limit              # Limited sudo commands without password
 node_selinux_mode: enforcing        # Full SELinux enforcement
+node_firewall_mode: zone            # trust intranet, expose 22 80 443 only
 node_firewall_public_port: [22, 80, 443]  # Remove 5432 from public
 vip_auth_pass: '<strong-secret>'    # Explicit VRRP authentication
 ```
@@ -239,6 +240,21 @@ for cluster operations. This is necessary for ansible but allows potential MITM
 Ensure your network is trusted or use a bastion host.
 
 
+## Firewall Management
+
+Enable firewall with `node_firewall_mode: zone`, then apply: `./node.yml -l <target> -t node_firewall`
+
+> **Note**: Firewall rules are **additive only**. To remove rules, use manual commands:
+
+```bash
+# RHEL/Rocky (firewalld)
+firewall-cmd --zone=public --remove-port=5432/tcp && firewall-cmd --runtime-to-permanent
+
+# Debian/Ubuntu (ufw)
+ufw delete allow 5432/tcp
+```
+
+
 ## See Also
 
 - [`node_id`](../node_id): Node identity derivation