feat: move to dedicated repo

2024-11-22 11:13:16 +01:00 · 2024-11-22 11:13:16 +01:00 · 4a88a5b28d
commit 4a88a5b28d
54 changed files with 1524 additions and 0 deletions
--- a/tasks/firewall/firewall-general.yaml
+++ b/tasks/firewall/firewall-general.yaml
@ -0,0 +1,11 @@
+---
+
+# generic settings
+- name: "firewall - set default policy and enable logging"
+  community.general.ufw:
+    state: "enabled"
+    direction: "incoming"
+    policy: "deny"
+    logging: "on"
+  tags:
+    - "firewall"
--- a/tasks/firewall/firewall-rules-routed.yaml
+++ b/tasks/firewall/firewall-rules-routed.yaml
@ -0,0 +1,26 @@
+---
+
+# basic firewall rules
+- name: "firewall - allow incoming routed traffic"
+  community.general.ufw:
+    rule: "allow"
+    route: "yes"
+    src: "{{ item[0] }}"
+    dest: "{{ item[1] }}"
+  with_nested:
+    - "{{ __rule['source_nets'] }}"
+    - "{{ __rule['destination_nets'] }}"
+  tags:
+    - "firewall"
+
+- name: "firewall - allow outgoing routed traffic"
+  community.general.ufw:
+    rule: "allow"
+    route: "yes"
+    src: "{{ item[1] }}"
+    dest: "{{ item[0] }}"
+  with_nested:
+    - "{{ __rule['source_nets'] }}"
+    - "{{ __rule['destination_nets'] }}"
+  tags:
+    - "firewall"
--- a/tasks/firewall/firewall-rules.yaml
+++ b/tasks/firewall/firewall-rules.yaml
@ -0,0 +1,12 @@
+---
+
+# create firewall rule
+- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}"
+  community.general.ufw:
+    rule: "allow"
+    direction: "in"
+    proto: "{{ __rule['proto'] | default('tcp') }}"
+    from_ip: "{{ __rule['from_ip'] }}"
+    to_port: "{{ __rule['to_port'] }}"
+  tags:
+    - "firewall"