diff --git a/defaults/main.yaml b/defaults/main.yaml index 7dd1440..a1b6cda 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml @@ -13,6 +13,19 @@ apt_repository: "https://archive.ubuntu.com/ubuntu" apt_repository_main: "https://archive.ubuntu.com/ubuntu" apt_repository_security: "https://archive.ubuntu.com/ubuntu" +# firewall +firewall_enable: true +firewall_basic_rules: + - name: "anti-lockout rule" + from_ip: "any" + to_port: "22" + proto: "tcp" +firewall_host_rules: + - name: "anti-lockout rule" + from_ip: "any" + to_port: "22" + proto: "tcp" + # ntp ntp_server: "pool.ntp.org" timezone: "Europe/Amsterdam" diff --git a/tasks/firewall.yaml b/tasks/firewall.yaml new file mode 100644 index 0000000..85c509e --- /dev/null +++ b/tasks/firewall.yaml 
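Review bot: The new `firewall_enable`, `firewall_basic_rules` and `firewall_host_rules` keys replace the `firewall_enabled`, `firewall_rules_common` and `firewall_rules` names that tasks/main.yaml read before this commit, and nothing in this defaults block maps the old names to the new ones. An inventory that still sets `firewall_enabled: false` or lists its services in `firewall_rules` now gets the default `firewall_enable: true` with only the anti-lockout rule, so every other listening service on that host is blocked once ufw comes up with the deny policy. A one-line shim keeps the old switch honoured, `firewall_enable: "{{ firewall_enabled | default(true) }}"`, and the rule lists deserve the same treatment or at least a comment above them, e.g. `# replaces firewall_enabled, firewall_rules_common and firewall_rules, which are no longer read`.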
@@ -0,0 +1,75 @@
+---
+
+# generic settings
+- name: "firewall - set default policy and enable logging"
+ tags: "firewall"
+ block:
+
+ # set vars
+ - name: "set vars"
+ ansible.builtin.set_fact:
+ __firewall_enable: "{{ firewall_enable }}"
+ __firewall_basic_rules: "{{ firewall_basic_rules }}"
+ __firewall_host_rules: "{{ firewall_host_rules }}"
+
+ # manage firewall for debian
+ - name: "firewall - debian family"
+ when: "ansible_os_family == 'Debian'"
+ block:
+
+ # remove and disable firewall
+ - name: "remove and disable firewall"
+ when: "not __firewall_enable"
+ block:
+
+ # stop service
+ - name: "firewall - stop ufw"
+ ansible.builtin.service:
+ name: "ufw"
+ state: "stopped"
+ enabled: false
+
+ # remove package
+ - name: "firewall - remove ufw"
+ ansible.builtin.apt:
+ name: "ufw"
+ state: "absent"
+
+ # install and enable firewall
+ - name: "install and enable firewall"
+ when: "__firewall_enable"
+ block:
+
+ # install ufw
+ - name: "firewall - install ufw"
+ ansible.builtin.apt:
+ name: "ufw"
+ state: "present"
+
+ # generic settings
+ - name: "firewall - generic settings - debian"
+ community.general.ufw:
+ state: "enabled"
+ direction: "incoming"
+ policy: "deny"
+ logging: "on"
+
+ # basic firewall rules
+ - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+ community.general.ufw:
+ rule: "allow"
+ direction: "in"
+ proto: "{{ item.proto | default('tcp') }}"
+ from_ip: "{{ item.from_ip }}"
+ to_port: "{{ item.to_port }}"
+ loop: "{{ __firewall_basic_rules }}"
+
+ # host firewall rules
+ - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+ community.general.ufw:
+ rule: "allow"
+ direction: "in"
+ proto: "{{ item.proto | default('tcp') }}"
+ from_ip: "{{ item.from_ip }}"
+ to_port: "{{ item.to_port }}"
+ loop: "{{ __firewall_host_rules }}"
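Review bot: The `firewall - generic settings - debian` task enables ufw with `policy: "deny"` before either allow-rule loop below it has run, so a failure or interruption between that task and the `__firewall_basic_rules` loop leaves a freshly provisioned host with a default-deny inbound policy and no allow rule at all; the running Ansible session normally survives only because ufw accepts established connections. Moving the `state: "enabled"` / `policy: "deny"` task after the two loops makes the anti-lockout rule exist before the deny policy is applied, which is the order a defender would want on every run. Both loop task names use `default(tcp)` while the `proto` parameter on the same tasks uses `default('tcp')`; the unquoted form refers to an undefined variable named tcp, so the names should read `default('tcp')` as well. Nothing runs outside the `ansible_os_family == 'Debian'` block, so `firewall_enable: true` on any other family silently configures no firewall; an `ansible.builtin.fail` on unsupported families, or at least a comment such as `# only Debian-family hosts are handled; other families get no firewall configuration`, would make that explicit.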
diff --git a/tasks/firewall/firewall-general.yaml b/tasks/firewall/firewall-general.yaml
deleted file mode 100644
index 4c8899a..0000000
--- a/tasks/firewall/firewall-general.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-# generic settings
-- name: "firewall - set default policy and enable logging"
- community.general.ufw:
- state: "enabled"
- direction: "incoming"
- policy: "deny"
- logging: "on"
- tags: "firewall"
diff --git a/tasks/firewall/firewall-rules-routed.yaml b/tasks/firewall/firewall-rules-routed.yaml
deleted file mode 100644
index 7e10a46..0000000
--- a/tasks/firewall/firewall-rules-routed.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-
-# basic firewall rules
-- name: "basic firewall rules"
- tags: "firewall"
- block:
-
- # basic firewall rules
- - name: "firewall - allow incoming routed traffic"
- community.general.ufw:
- rule: "allow"
- route: "yes"
- src: "{{ item[0] }}"
- dest: "{{ item[1] }}"
- with_nested:
- - "{{ __rule['source_nets'] }}"
- - "{{ __rule['destination_nets'] }}"
-
- - name: "firewall - allow outgoing routed traffic"
- community.general.ufw:
- rule: "allow"
- route: "yes"
- src: "{{ item[1] }}"
- dest: "{{ item[0] }}"
- with_nested:
- - "{{ __rule['source_nets'] }}"
- - "{{ __rule['destination_nets'] }}"
diff --git a/tasks/firewall/firewall-rules.yaml b/tasks/firewall/firewall-rules.yaml
deleted file mode 100644
index c0e2d22..0000000
--- a/tasks/firewall/firewall-rules.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-
-# create firewall rule
-- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}"
- community.general.ufw:
- rule: "allow"
- direction: "in"
- proto: "{{ __rule['proto'] | default('tcp') }}"
- from_ip: "{{ __rule['from_ip'] }}"
- to_port: "{{ __rule['to_port'] }}"
- tags: "firewall"
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 0f9091c..72ddc3f 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -183,39 +183,5 @@ # firewall - name: "firewall" - ansible.builtin.import_tasks: "firewall/firewall-general.yaml" - when: "firewall_enabled" - tags: "firewall" - -# firewall common rules -- name: "create firewall rules" - ansible.builtin.include_tasks: "firewall/firewall-rules.yaml" - loop: "{{ firewall_rules_common }}" - loop_control: - loop_var: "__rule" - when: - - "firewall_rules_common is defined" - - "firewall_enabled" - tags: "firewall" - -# firewall routed rules -- name: "create routed firewall rules" - ansible.builtin.include_tasks: "firewall/firewall-rules-routed.yaml" - loop: "{{ firewall_rules_routed }}" - loop_control: - loop_var: "__rule" - when: - - "firewall_rules_routed is defined" - - "firewall_enabled" - tags: "firewall" - -# firewall host rules -- name: "create firewall rules" - ansible.builtin.include_tasks: "firewall/firewall-rules.yaml" - loop: "{{ firewall_rules }}" - loop_control: - loop_var: "__rule" - when: - - "firewall_rules is defined" - - "firewall_enabled" + ansible.builtin.import_tasks: "firewall.yaml" tags: "firewall"
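Review bot: The replacement `ansible.builtin.import_tasks: "firewall.yaml"` drops the `when: "firewall_enabled"` guard that the removed line carried, and the imported file's `remove and disable firewall` block stops and uninstalls ufw whenever `firewall_enable` is false, so a host that previously opted out to keep a ufw configuration managed elsewhere now has that firewall removed on the next run. That branch is clearly deliberate in the new file, but it is a change of semantics for existing inventories; a separate opt-in such as `firewall_remove: false` guarding the removal block, or restoring `when: "firewall_enable"` on this import, would keep "disabled" meaning "untouched" as it did before. The removed `create routed firewall rules` task and its `firewall_rules_routed` variable have no counterpart in the new file, so forwarding hosts lose their `route: "yes"` allow rules silently; a comment here, e.g. `# routed (forwarding) rules are no longer supported; firewall_rules_routed is ignored`, or a README note would make that visible to whoever upgrades.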