✨ add firewall support

2024-02-17 11:42:10 +01:00 · 2024-02-17 11:42:10 +01:00 · fc8f12a761
parent fbe178d800
commit fc8f12a761
3 changed files with 62 additions and 38 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -1,46 +1,50 @@
 ---
-# - hosts: jake
-#   handlers:
-#   vars:
-#     restic_repo_pw: "{{ vault_restic_pw_jake }}"
-#     restic_repo_url: "{{ vault_restic_url_jake }}"
-#     restic_backup_pre_cmd:
-#       - (cd "/tmp" && forgejo.sh dump --file="forgejo.zip")
-#     restic_backup_targets:
-#       - /tmp/forgejo.zip
-#     sendmail_mta_user: "{{ vault_mta_user }}" 
-#     sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
-#     sendmail_mailhub: "box.nilsnh.no:465"
-#     sendmail_hostname: jake.box.nilsnh.no
-#     sendmail_rewrite_domain: "nilsnh.no"
-#     sendmail_revaliases:
-#       root: "{{ machine_from_email }}"
-#       jake: "{{ machine_from_email }}"
-#       git: "{{ machine_from_email }}"
-#     machine_from_email: "noreply+jake@nilsnh.no"
-#     machine_notifications_receiver: "mail@nilsnh.no"
-#     forgejo_domain: "code.on.nilsnh.no"
-#     forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
-#   roles:
-#     - backup
-#     # - sendmail
-#     # - forgejo
-#     # - caddy
-
- hosts: this_machine
+- hosts: jake
  handlers:
  vars:
-    restic_repo_pw: "{{ vault_restic_pw_mrmittens }}"
-    restic_repo_url: "{{ vault_restic_url_mrmittens }}"
+    restic_repo_pw: "{{ vault_restic_pw_jake }}"
+    restic_repo_url: "{{ vault_restic_url_jake }}"
+    restic_backup_pre_cmd:
+      - (cd "/tmp" && forgejo.sh dump --file="forgejo.zip")
+    restic_backup_targets:
+      - /tmp/forgejo.zip
    sendmail_mta_user: "{{ vault_mta_user }}" 
    sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
    sendmail_mailhub: "box.nilsnh.no:465"
-    sendmail_hostname: mr-mittens.box.nilsnh.no
+    sendmail_hostname: jake.box.nilsnh.no
    sendmail_rewrite_domain: "nilsnh.no"
    sendmail_revaliases:
      root: "{{ machine_from_email }}"
-    machine_from_email: "noreply+mr-mittens@nilsnh.no"
-    machine_notifications_receiver: "mail@nilsnh.no" 
+      jake: "{{ machine_from_email }}"
+      git: "{{ machine_from_email }}"
+    machine_from_email: "noreply+jake@nilsnh.no"
+    machine_notifications_receiver: "mail@nilsnh.no"
+    forgejo_domain: "code.on.nilsnh.no"
+    forgejo_from: "\"Forgejo at nilsnh.no\" <{{ machine_from_email }}>"
+    firewall_allowed_ports:
+      - { port: 80, proto: "tcp" }
+      - { port: 443, proto: "tcp" }
  roles:
-    - sendmail
    - backup
+    - sendmail
+    - firewall
+    - forgejo
+    - caddy
+
+# - hosts: this_machine
+#   handlers:
+#   vars:
+#     restic_repo_pw: "{{ vault_restic_pw_mrmittens }}"
+#     restic_repo_url: "{{ vault_restic_url_mrmittens }}"
+#     sendmail_mta_user: "{{ vault_mta_user }}" 
+#     sendmail_mta_user_pw: "{{ vault_mta_user_pw }}"
+#     sendmail_mailhub: "box.nilsnh.no:465"
+#     sendmail_hostname: mr-mittens.box.nilsnh.no
+#     sendmail_rewrite_domain: "nilsnh.no"
+#     sendmail_revaliases:
+#       root: "{{ machine_from_email }}"
+#     machine_from_email: "noreply+mr-mittens@nilsnh.no"
+#     machine_notifications_receiver: "mail@nilsnh.no" 
+#   roles:
+#     - sendmail
+#     - backup
--- a/roles/firewall/tasks/default/main.yml
+++ b/roles/firewall/tasks/default/main.yml
@ -0,0 +1,2 @@
+
+firewall_allowed_ports: []
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -1,6 +1,24 @@
- name: install firewall
-  become: yes
+- name: install UFW, uncomplicated firewall
  package:
    name:
      - ufw
-    state: latest
+    state: present
+
+- name: enable UFW across reboots
+  community.general.ufw:
+    state: enabled
+    default: deny
+
+- name: open SSH port, but limit it.
+  community.general.ufw:
+    rule: limit
+    port: ssh
+    proto: tcp
+
+- name: open other firewall ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port|string }}"
+    proto: "{{ item.proto }}"
+  loop: "{{ firewall_allowed_ports }}"
+