feat: improved firewall tasks

2025-07-11 20:12:55 +02:00 · 2025-07-11 20:12:55 +02:00 · 9d4be2265d
commit 9d4be2265d
parent 89eaee1139
6 changed files with 89 additions and 83 deletions
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@ -0,0 +1,75 @@
+---
+
+# generic settings
+- name: "firewall - set default policy and enable logging"
+  tags: "firewall"
+  block:
+
+    # set vars
+    - name: "set vars"
+      ansible.builtin.set_fact:
+        __firewall_enable: "{{ firewall_enable }}"
+        __firewall_basic_rules: "{{ firewall_basic_rules }}"
+        __firewall_host_rules: "{{ firewall_host_rules }}"
+
+    # manage firewall for debian
+    - name: "firewall - debian family"
+      when: "ansible_os_family == 'Debian'"
+      block:
+
+        # remove and disable firewall
+        - name: "remove and disable firewall"
+          when: "not __firewall_enable"
+          block:
+
+            # stop service
+            - name: "firewall - stop ufw"
+              ansible.builtin.service:
+                name: "ufw"
+                state: "stopped"
+                enabled: false
+
+            # remove package
+            - name: "firewall - remove ufw"
+              ansible.builtin.apt:
+                name: "ufw"
+                state: "absent"
+
+        # install and enable firewall
+        - name: "install and enable firewall"
+          when: "__firewall_enable"
+          block:
+
+            # install ufw
+            - name: "firewall - install ufw"
+              ansible.builtin.apt:
+                name: "ufw"
+                state: "present"
+
+            # generic settings
+            - name: "firewall - generic settings - debian"
+              community.general.ufw:
+                state: "enabled"
+                direction: "incoming"
+                policy: "deny"
+                logging: "on"
+
+            # basic firewall rules
+            - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+              community.general.ufw:
+                rule: "allow"
+                direction: "in"
+                proto: "{{ item.proto | default('tcp') }}"
+                from_ip: "{{ item.from_ip }}"
+                to_port: "{{ item.to_port }}"
+              loop: "{{ __firewall_basic_rules }}"
+
+            # host firewall rules
+            - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+              community.general.ufw:
+                rule: "allow"
+                direction: "in"
+                proto: "{{ item.proto | default('tcp') }}"
+                from_ip: "{{ item.from_ip }}"
+                to_port: "{{ item.to_port }}"
+              loop: "{{ __firewall_host_rules }}"
--- a/tasks/firewall/firewall-general.yaml
+++ b/tasks/firewall/firewall-general.yaml
@ -1,10 +0,0 @@
---
-
-# generic settings
- name: "firewall - set default policy and enable logging"
-  community.general.ufw:
-    state: "enabled"
-    direction: "incoming"
-    policy: "deny"
-    logging: "on"
-  tags: "firewall"
--- a/tasks/firewall/firewall-rules-routed.yaml
+++ b/tasks/firewall/firewall-rules-routed.yaml
@ -1,27 +0,0 @@
---
-
-# basic firewall rules
- name: "basic firewall rules"
-  tags: "firewall"
-  block:
-
-    # basic firewall rules
-    - name: "firewall - allow incoming routed traffic"
-      community.general.ufw:
-        rule: "allow"
-        route: "yes"
-        src: "{{ item[0] }}"
-        dest: "{{ item[1] }}"
-      with_nested:
-        - "{{ __rule['source_nets'] }}"
-        - "{{ __rule['destination_nets'] }}"
-
-    - name: "firewall - allow outgoing routed traffic"
-      community.general.ufw:
-        rule: "allow"
-        route: "yes"
-        src: "{{ item[1] }}"
-        dest: "{{ item[0] }}"
-      with_nested:
-        - "{{ __rule['source_nets'] }}"
-        - "{{ __rule['destination_nets'] }}"
--- a/tasks/firewall/firewall-rules.yaml
+++ b/tasks/firewall/firewall-rules.yaml
@ -1,11 +0,0 @@
---
-
-# create firewall rule
- name: "firewall - allow {{ __rule['to_port'] }} from {{ __rule['from_ip'] }}"
-  community.general.ufw:
-    rule: "allow"
-    direction: "in"
-    proto: "{{ __rule['proto'] | default('tcp') }}"
-    from_ip: "{{ __rule['from_ip'] }}"
-    to_port: "{{ __rule['to_port'] }}"
-  tags: "firewall"
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -183,39 +183,5 @@

 # firewall
 - name: "firewall"
-  ansible.builtin.import_tasks: "firewall/firewall-general.yaml"
-  when: "firewall_enabled"
-  tags: "firewall"
-
-# firewall common rules
- name: "create firewall rules"
-  ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
-  loop: "{{ firewall_rules_common }}"
-  loop_control:
-    loop_var: "__rule"
-  when:
-    - "firewall_rules_common is defined"
-    - "firewall_enabled"
-  tags: "firewall"
-
-# firewall routed rules
- name: "create routed firewall rules"
-  ansible.builtin.include_tasks: "firewall/firewall-rules-routed.yaml"
-  loop: "{{ firewall_rules_routed }}"
-  loop_control:
-    loop_var: "__rule"
-  when:
-    - "firewall_rules_routed is defined"
-    - "firewall_enabled"
-  tags: "firewall"
-
-# firewall host rules
- name: "create firewall rules"
-  ansible.builtin.include_tasks: "firewall/firewall-rules.yaml"
-  loop: "{{ firewall_rules }}"
-  loop_control:
-    loop_var: "__rule"
-  when:
-    - "firewall_rules is defined"
-    - "firewall_enabled"
+  ansible.builtin.import_tasks: "firewall.yaml"
  tags: "firewall"