feat: improved firewall tasks

2025-07-11 20:12:55 +02:00 · 2025-07-11 20:12:55 +02:00 · 9d4be2265d
commit 9d4be2265d
parent 89eaee1139
6 changed files with 89 additions and 83 deletions
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@ -0,0 +1,75 @@
+---
+
+# generic settings
+- name: "firewall - set default policy and enable logging"
+  tags: "firewall"
+  block:
+
+    # set vars
+    - name: "set vars"
+      ansible.builtin.set_fact:
+        __firewall_enable: "{{ firewall_enable }}"
+        __firewall_basic_rules: "{{ firewall_basic_rules }}"
+        __firewall_host_rules: "{{ firewall_host_rules }}"
+
+    # manage firewall for debian
+    - name: "firewall - debian family"
+      when: "ansible_os_family == 'Debian'"
+      block:
+
+        # remove and disable firewall
+        - name: "remove and disable firewall"
+          when: "not __firewall_enable"
+          block:
+
+            # stop service
+            - name: "firewall - stop ufw"
+              ansible.builtin.service:
+                name: "ufw"
+                state: "stopped"
+                enabled: false
+
+            # remove package
+            - name: "firewall - remove ufw"
+              ansible.builtin.apt:
+                name: "ufw"
+                state: "absent"
+
+        # install and enable firewall
+        - name: "install and enable firewall"
+          when: "__firewall_enable"
+          block:
+
+            # install ufw
+            - name: "firewall - install ufw"
+              ansible.builtin.apt:
+                name: "ufw"
+                state: "present"
+
+            # generic settings
+            - name: "firewall - generic settings - debian"
+              community.general.ufw:
+                state: "enabled"
+                direction: "incoming"
+                policy: "deny"
+                logging: "on"
+
+            # basic firewall rules
+            - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+              community.general.ufw:
+                rule: "allow"
+                direction: "in"
+                proto: "{{ item.proto | default('tcp') }}"
+                from_ip: "{{ item.from_ip }}"
+                to_port: "{{ item.to_port }}"
+              loop: "{{ __firewall_basic_rules }}"
+
+            # host firewall rules
+            - name: "firewall - allow {{ item.proto | default(tcp) }}/{{ item.to_port }} from {{ item.from_ip }}"
+              community.general.ufw:
+                rule: "allow"
+                direction: "in"
+                proto: "{{ item.proto | default('tcp') }}"
+                from_ip: "{{ item.from_ip }}"
+                to_port: "{{ item.to_port }}"
+              loop: "{{ __firewall_host_rules }}"