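---
# Firewall management (ufw) for Debian-family hosts.
#
# Variables read:
#   firewall_enable       - "true"/"false" (a real boolean also works): install and
#                           enable ufw, or stop and remove it.
#   firewall_basic_rules  - list of allow-rule dicts applied everywhere (must be defined).
#   firewall_host_rules   - optional per-host list of allow-rule dicts, unioned with the above.
# Each rule dict needs `from_ip` and `to_port`; `proto` defaults to tcp, `name` is only
# used for the loop label.

# generic settings
- name: "firewall - set default policy and enable logging"
  tags: "firewall"
  block:

    # Fail closed on an unrecognised toggle. Comparing the templated value against the
    # strings "true"/"false" matched neither branch for a boolean (renders as True/False)
    # or a typo, which silently left the host in whatever firewall state it already had.
    - name: "validate firewall_enable"
      ansible.builtin.assert:
        that:
          - "(firewall_enable | string | lower) in ['true', 'false']"
        fail_msg: "firewall_enable must be true or false, got '{{ firewall_enable }}'"

    # set vars
    - name: "set vars"
      ansible.builtin.set_fact:
        # NOTE(review): keys of a single set_fact task cannot see each other, so the union
        # below reads the pre-existing firewall_host_rules (if any); this line then replaces
        # that variable with [] as a high-precedence fact for the rest of the play. Confirm
        # that overriding per-host rules here is intended.
        firewall_host_rules: []
        __firewall_enable: "{{ firewall_enable }}"
        # Host rules are optional; basic rules are mandatory and fail the play when undefined.
        __firewall_all_rules: "{{ firewall_basic_rules | union(firewall_host_rules | default([])) }}"

    # leftover debug output showing the toggle as seen outside and inside the block
    - name: "debug"
      ansible.builtin.debug:
        msg: "outside {{ firewall_enable }}"

    - name: "debug"
      ansible.builtin.debug:
        msg: "inside {{ __firewall_enable }}"

    # manage firewall for debian
    - name: "firewall - debian family"
      when: "ansible_os_family == 'Debian'"
      block:

        # remove and disable firewall
        # After this block the host has no managed packet filter at all; nothing here
        # installs a replacement.
        - name: "remove and disable firewall"
          when: "not (__firewall_enable | bool)"
          block:

            # stop service
            - name: "firewall - stop ufw"
              ansible.builtin.service:
                name: "ufw"
                state: "stopped"
                enabled: false
              # presumably tolerates the unit being absent on hosts that never had ufw;
              # the package removal below is the step that matters
              ignore_errors: true

            # remove package
            - name: "firewall - remove ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "absent"

        # install and enable firewall
        - name: "install and enable firewall"
          when: "__firewall_enable | bool"
          block:

            # install ufw
            - name: "firewall - install ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "present"

            # generic settings
            # Only the default policy and logging are set here. ufw is enabled as the
            # last task of this block, so a failure while adding rules (for example a
            # rule without from_ip) cannot leave a host with deny-incoming active and
            # no allow rule for the management connection.
            - name: "firewall - generic settings - debian"
              community.general.ufw:
                direction: "incoming"
                policy: "deny"
                logging: "on"

            # firewall rules
            - name: "firewall - add rules"
              community.general.ufw:
                rule: "allow"
                direction: "in"
                proto: "{{ item.proto | default('tcp') }}"
                # deliberately no default: a rule without a source fails the task
                # (undefined variable) instead of silently allowing from anywhere
                from_ip: "{{ item.from_ip }}"
                to_port: "{{ item.to_port }}"
              loop: "{{ __firewall_all_rules }}"
              loop_control:
                label: "{{ item.name | default(item.to_port) }}"

            # enable last, once the allow rules are in place
            - name: "firewall - enable ufw"
              community.general.ufw:
                state: "enabled"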