✨ add firewall support
This commit is contained in:
parent
fbe178d800
commit
fc8f12a761
74
playbook.yml
74
playbook.yml
|
@ -1,46 +1,50 @@
|
|||
---
|
||||
# - hosts: jake
|
||||
# handlers:
|
||||
# vars:
|
||||
# restic_repo_pw: "{{ vault_restic_pw_jake }}"
|
||||
# restic_repo_url: "{{ vault_restic_url_jake }}"
|
||||
# restic_backup_pre_cmd:
|
||||
# - (cd "/tmp" && forgejo.sh dump --file="forgejo.zip")
|
||||
# restic_backup_targets:
|
||||
# - /tmp/forgejo.zip
|
||||
# sendmail_mta_user: "{{ vault_mta_user }}"
|
||||
# sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
|
||||
# sendmail_mailhub: "box.nilsnh.no:465"
|
||||
# sendmail_hostname: jake.box.nilsnh.no
|
||||
# sendmail_rewrite_domain: "nilsnh.no"
|
||||
# sendmail_revaliases:
|
||||
# root: "{{ machine_from_email }}"
|
||||
# jake: "{{ machine_from_email }}"
|
||||
# git: "{{ machine_from_email }}"
|
||||
# machine_from_email: "noreply+jake@nilsnh.no"
|
||||
# machine_notifications_receiver: "mail@nilsnh.no"
|
||||
# forgejo_domain: "code.on.nilsnh.no"
|
||||
# forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
|
||||
# roles:
|
||||
# - backup
|
||||
# # - sendmail
|
||||
# # - forgejo
|
||||
# # - caddy
|
||||
|
||||
- hosts: this_machine
|
||||
- hosts: jake
|
||||
handlers:
|
||||
vars:
|
||||
restic_repo_pw: "{{ vault_restic_pw_mrmittens }}"
|
||||
restic_repo_url: "{{ vault_restic_url_mrmittens }}"
|
||||
restic_repo_pw: "{{ vault_restic_pw_jake }}"
|
||||
restic_repo_url: "{{ vault_restic_url_jake }}"
|
||||
restic_backup_pre_cmd:
|
||||
- (cd "/tmp" && forgejo.sh dump --file="forgejo.zip")
|
||||
restic_backup_targets:
|
||||
- /tmp/forgejo.zip
|
||||
sendmail_mta_user: "{{ vault_mta_user }}"
|
||||
sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
|
||||
sendmail_mailhub: "box.nilsnh.no:465"
|
||||
sendmail_hostname: mr-mittens.box.nilsnh.no
|
||||
sendmail_hostname: jake.box.nilsnh.no
|
||||
sendmail_rewrite_domain: "nilsnh.no"
|
||||
sendmail_revaliases:
|
||||
root: "{{ machine_from_email }}"
|
||||
machine_from_email: "noreply+mr-mittens@nilsnh.no"
|
||||
machine_notifications_receiver: "mail@nilsnh.no"
|
||||
jake: "{{ machine_from_email }}"
|
||||
git: "{{ machine_from_email }}"
|
||||
machine_from_email: "noreply+jake@nilsnh.no"
|
||||
machine_notifications_receiver: "mail@nilsnh.no"
|
||||
forgejo_domain: "code.on.nilsnh.no"
|
||||
forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
|
||||
firewall_allowed_ports:
|
||||
- { port: 80, proto: "tcp" }
|
||||
- { port: 443, proto: "tcp" }
|
||||
roles:
|
||||
- sendmail
|
||||
- backup
|
||||
- sendmail
|
||||
- firewall
|
||||
- forgejo
|
||||
- caddy
|
||||
|
||||
# - hosts: this_machine
|
||||
# handlers:
|
||||
# vars:
|
||||
# restic_repo_pw: "{{ vault_restic_pw_mrmittens }}"
|
||||
# restic_repo_url: "{{ vault_restic_url_mrmittens }}"
|
||||
# sendmail_mta_user: "{{ vault_mta_user }}"
|
||||
# sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
|
||||
# sendmail_mailhub: "box.nilsnh.no:465"
|
||||
# sendmail_hostname: mr-mittens.box.nilsnh.no
|
||||
# sendmail_rewrite_domain: "nilsnh.no"
|
||||
# sendmail_revaliases:
|
||||
# root: "{{ machine_from_email }}"
|
||||
# machine_from_email: "noreply+mr-mittens@nilsnh.no"
|
||||
# machine_notifications_receiver: "mail@nilsnh.no"
|
||||
# roles:
|
||||
# - sendmail
|
||||
# - backup
|
||||
|
|
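Review bot: The `firewall_allowed_ports` list in the `jake` play is the only place the variable is set and nothing records why 80 and 443 are the ports opened; a comment above it such as `# HTTP/HTTPS for the caddy role in front of forgejo; SSH is limited inside the firewall role itself` would make the intent explicit (the caddy link is inferred from the roles list, not stated on the page). The unquoted integer in `- { port: 80, proto: "tcp" }` is only safe because the role casts it with `|string`, which the same comment could mention so nobody later drops the cast. Separately, the now-active `restic_backup_pre_cmd` writes the forgejo dump to `/tmp/forgejo.zip`, a world-shared directory, with no cleanup step visible in this play; if the dump contains the instance database or keys, a dedicated directory with restricted permissions and a post-backup removal would be worth adding, though that is outside this commit's firewall scope.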
2
roles/firewall/tasks/default/main.yml
Normal file
2
roles/firewall/tasks/default/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
|
||||
firewall_allowed_ports: []
|
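Review bot: The new file is created at `roles/firewall/tasks/default/main.yml`, but Ansible only auto-loads role variable defaults from `roles/firewall/defaults/main.yml`; a file under `tasks/default/` is never read, so `firewall_allowed_ports` stays undefined on any play that does not set it and the role's `loop: "{{ firewall_allowed_ports }}"` task would error out. If the path shown is a rendering artifact and the file really lives under `defaults/`, this is moot; otherwise move it to `roles/firewall/defaults/main.yml` with the content unchanged, since `firewall_allowed_ports: []` is the right explicit empty list.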
|
@ -1,6 +1,24 @@
|
|||
- name: install firewall
|
||||
become: yes
|
||||
- name: install UFW, uncomplicated firewall
|
||||
package:
|
||||
name:
|
||||
- ufw
|
||||
state: latest
|
||||
state: present
|
||||
|
||||
- name: enable UFW across reboots
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
default: deny
|
||||
|
||||
- name: open SSH port, but limit it.
|
||||
community.general.ufw:
|
||||
rule: limit
|
||||
port: ssh
|
||||
proto: tcp
|
||||
|
||||
- name: open other firewall ports
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "{{ item.port|string }}"
|
||||
proto: "{{ item.proto }}"
|
||||
loop: "{{ firewall_allowed_ports }}"
|
||||
|
||||
|
|
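Review bot: The task `enable UFW across reboots` sets `state: enabled` together with `default: deny` before the `open SSH port, but limit it.` task has added its rule, so a run that fails or is interrupted between those two tasks leaves the host default-deny with no SSH rule and the next Ansible run cannot connect; the live session presumably survives only because ufw's before-rules accept established connections. Move the `open SSH port, but limit it.` and `open other firewall ports` tasks above the enable task, or split `default: deny` into its own task after the rules, so the allow rules exist before deny becomes the policy. The `community.general.ufw` tasks also carry no `become`; if the `become: yes` on the install task is task-scoped rather than set at play level, the ufw calls will run unprivileged, and `become: yes` itself should be written `become: true`. `port: ssh` resolves through the service name, so a daemon listening on a non-default port would not be covered; `"{{ firewall_ssh_port | default('22') }}"` or similar would make that explicit. The file header for this hunk is not shown on the page, so the enclosing file is assumed to be the firewall role's tasks file.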