Simon Cornet
b1a5b11af6
All checks were successful
ci/woodpecker/push/linting Pipeline was successful
67 lines
2.1 KiB
YAML
67 lines
2.1 KiB
YAML
---
|
|
|
|
# generic settings
|
|
- name: "firewall - set default policy and enable logging"
|
|
block:
|
|
|
|
# set vars
|
|
- name: "set vars"
|
|
ansible.builtin.set_fact:
|
|
__firewall_enable: "{{ firewall_enable }}"
|
|
__firewall_all_rules: "{{ firewall_basic_rules | union(firewall_host_rules)}}"
|
|
|
|
# manage firewall for debian
|
|
- name: "firewall - debian family"
|
|
when: "ansible_facts['os_family'] == 'Debian'"
|
|
block:
|
|
|
|
# remove and disable firewall
|
|
- name: "firewall - ufw - remove and disable"
|
|
when: "not __firewall_enable"
|
|
block:
|
|
|
|
# stop service
|
|
- name: "firewall - ufw - stop"
|
|
ansible.builtin.service:
|
|
name: "ufw"
|
|
state: "stopped"
|
|
enabled: false
|
|
ignore_errors: true
|
|
|
|
# remove package
|
|
- name: "firewall - ufw - remove"
|
|
ansible.builtin.apt:
|
|
name: "ufw"
|
|
state: "absent"
|
|
|
|
# install and enable firewall
|
|
- name: "firewall - ufw - install and enable"
|
|
when: "__firewall_enable"
|
|
block:
|
|
|
|
# install ufw
|
|
- name: "firewall - ufw - install"
|
|
ansible.builtin.apt:
|
|
name: "ufw"
|
|
state: "present"
|
|
|
|
# generic settings
|
|
- name: "firewall - ufw - generic settings"
|
|
community.general.ufw:
|
|
state: "enabled"
|
|
direction: "incoming"
|
|
policy: "deny"
|
|
logging: "on"
|
|
|
|
# firewall rules
|
|
- name: "firewall - ufw - add rules"
|
|
community.general.ufw:
|
|
rule: "allow"
|
|
direction: "in"
|
|
proto: "{{ item.proto | default('tcp') }}"
|
|
from_ip: "{{ item.from_ip }}"
|
|
to_port:
|
|
"{{ omit if (item.proto | default('tcp')) in common_firewall_portless_protocols else item.to_port }}"
|
|
loop: "{{ __firewall_all_rules }}"
|
|
loop_control:
|
|
label: " {{ item.name }}"
|