2022-04-28 12:40:02 +02:00
---
2023-03-20 23:33:19 +01:00
- ansible.builtin.debug :
2022-04-28 12:40:02 +02:00
var : minifirewall_trusted_ips
verbosity : 1
2023-03-20 23:33:19 +01:00
- ansible.builtin.debug :
2022-04-28 12:40:02 +02:00
var : minifirewall_privilegied_ips
verbosity : 1
- name : Stat minifirewall config file (before)
2023-03-20 23:33:19 +01:00
ansible.builtin.stat :
2022-04-28 12:40:02 +02:00
path : "{{ minifirewall_main_file }}"
register : minifirewall_before
- name : Check if minifirewall is running
2023-03-20 23:33:19 +01:00
ansible.builtin.shell :
cmd : /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
2022-04-28 12:40:02 +02:00
changed_when : False
failed_when : False
check_mode : no
register : minifirewall_is_running
2023-03-20 23:33:19 +01:00
- ansible.builtin.debug :
2022-04-28 12:40:02 +02:00
var : minifirewall_is_running
verbosity : 1
- name : Begin marker for IP addresses
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
insertbefore : '^# Main interface'
create : no
- name : End marker for IP addresses
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
create : no
line : "# END ANSIBLE MANAGED BLOCK FOR IPS"
insertafter : '^PRIVILEGIEDIPS='
- name : Verify that at least 1 trusted IP is provided
2023-03-20 23:33:19 +01:00
ansible.builtin.assert :
2022-04-28 12:40:02 +02:00
that : minifirewall_trusted_ips | length > 0
msg : You must provide at least 1 trusted IP
2023-03-20 23:33:19 +01:00
- ansible.builtin.debug :
2022-04-28 12:40:02 +02:00
msg : "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
when : minifirewall_trusted_ips == ["0.0.0.0/0"]
- name : Configure IP addresses
2023-03-20 23:33:19 +01:00
ansible.builtin.blockinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
marker : "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
block : |
# Main interface
INT='{{ minifirewall_int }}'
# IPv6
IPV6='{{ minifirewall_ipv6 }}'
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='{{ minifirewall_docker }}'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='{{ minifirewall_intlan }}'
# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
create : no
register : minifirewall_config_ips
- name : Begin marker for ports
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
insertbefore : '^# Protected services'
create : no
- name : End marker for ports
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "# END ANSIBLE MANAGED BLOCK FOR PORTS"
insertafter : '^SERVICESUDP3='
create : no
- name : Configure ports
2023-03-20 23:33:19 +01:00
ansible.builtin.blockinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
marker : "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
block : |
# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
# Public services (IPv4/IPv6)
SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
# Semi-public services (IPv4)
SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
# Private services (IPv4)
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
create : no
register : minifirewall_config_ports
- name : Configure DNSSERVEURS
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
regexp : "DNSSERVEURS='.*'"
create : no
when : minifirewall_dns_servers is not none
- name : Configure HTTPSITES
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
regexp : "HTTPSITES='.*'"
create : no
when : minifirewall_http_sites is not none
- name : Configure HTTPSSITES
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
regexp : "HTTPSSITES='.*'"
create : no
when : minifirewall_https_sites is not none
- name : Configure FTPSITES
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
regexp : "FTPSITES='.*'"
create : no
when : minifirewall_ftp_sites is not none
- name : Configure SSHOK
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
regexp : "SSHOK='.*'"
create : no
when : minifirewall_ssh_ok is not none
- name : Configure SMTPOK
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
regexp : "SMTPOK='.*'"
create : no
when : minifirewall_smtp_ok is not none
- name : Configure SMTPSECUREOK
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
regexp : "SMTPSECUREOK='.*'"
create : no
when : minifirewall_smtp_secure_ok is not none
- name : Configure NTPOK
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
regexp : "NTPOK='.*'"
create : no
when : minifirewall_ntp_ok is not none
- name : evomaintenance
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
line : "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
insertafter : "^# EvoMaintenance"
loop : "{{ evomaintenance_hosts }}"
- name : remove minifirewall example rule for the evomaintenance
2023-03-20 23:33:19 +01:00
ansible.builtin.lineinfile :
2022-04-28 12:40:02 +02:00
dest : "{{ minifirewall_main_file }}"
regexp : '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
state : absent
when : evomaintenance_hosts | length > 0
- name : Stat minifirewall config file (after)
2023-03-20 23:33:19 +01:00
ansible.builtin.stat :
2022-04-28 12:40:02 +02:00
path : "{{ minifirewall_main_file }}"
register : minifirewall_after
2022-09-09 16:09:45 +02:00
- name : Schedule minifirewall restart (legacy)
2023-03-20 23:33:19 +01:00
ansible.builtin.command :
cmd : /bin/true
2022-09-09 16:09:45 +02:00
notify : "restart minifirewall (legacy)"
2022-04-28 12:40:02 +02:00
when :
2022-09-09 16:09:45 +02:00
- minifirewall_install_mode == 'legacy'
2022-04-28 12:40:02 +02:00
- minifirewall_restart_if_needed | bool
- minifirewall_is_running.rc == 0
2022-09-09 16:09:45 +02:00
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed
2022-04-28 12:40:02 +02:00
2023-03-20 23:33:19 +01:00
- ansible.builtin.debug :
2022-04-28 12:40:02 +02:00
var : minifirewall_init_restart
verbosity : 2