minifirewall: configure proxy/backup/sysctl values

This commit is contained in:
Jérémy Lecour 2022-03-30 09:42:54 +02:00 committed by Jérémy Lecour
parent 20abe0e09a
commit 31c2629d31
3 changed files with 116 additions and 8 deletions


@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* minifirewall: configure proxy/backup/sysctl values
### Changed
* evocheck: upstream release 22.03.1


@ -47,6 +47,22 @@ minifirewall_smtp_ok: Null
minifirewall_smtp_secure_ok: Null
minifirewall_ntp_ok: Null
minifirewall_proxy: "off"
minifirewall_proxyport: 8888
minifirewall_proxybypass:
- "${INTLAN}"
- "127.0.0.0/8"
- "::1/128"
minifirewall_backupservers: Null
minifirewall_sysctl_icmp_echo_ignore_broadcasts : Null
minifirewall_sysctl_icmp_ignore_bogus_error_responses : Null
minifirewall_sysctl_accept_source_route : Null
minifirewall_sysctl_tcp_syncookies : Null
minifirewall_sysctl_icmp_redirects : Null
minifirewall_sysctl_rp_filter : Null
minifirewall_sysctl_log_martians : Null
minifirewall_autostart: False
minifirewall_restart_if_needed: True
minifirewall_restart_force: False
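Review bot: The seven `minifirewall_sysctl_*` keys carry a space before the colon (`minifirewall_sysctl_rp_filter : Null`), unlike every other key in this file; yamllint's `colons` rule flags it and it reads as a typo, so drop the space, e.g. `minifirewall_sysctl_rp_filter: Null`. These look like the added lines of the hunk, although the rendering dropped the `+` markers, so I cannot be certain which of the 16 additions they are. Since the tasks skip a key whose value is none and otherwise write the value verbatim into a quoted shell assignment, a one-line comment above the block would save the reader a trip to tasks/main.yml, e.g. `# Null leaves the existing line in /etc/default/minifirewall untouched`.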


@ -127,7 +127,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
regexp: "DNSSERVEURS='.*'"
regexp: "DNSSERVEURS=('|\").*('|\")"
create: no
when: minifirewall_dns_servers is not none
@ -135,7 +135,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
regexp: "HTTPSITES='.*'"
regexp: "HTTPSITES=('|\").*('|\")"
create: no
when: minifirewall_http_sites is not none
@ -143,7 +143,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
regexp: "HTTPSSITES='.*'"
regexp: "HTTPSSITES=('|\").*('|\")"
create: no
when: minifirewall_https_sites is not none
@ -151,7 +151,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
regexp: "FTPSITES='.*'"
regexp: "FTPSITES=('|\").*('|\")"
create: no
when: minifirewall_ftp_sites is not none
@ -159,7 +159,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
regexp: "SSHOK='.*'"
regexp: "SSHOK=('|\").*('|\")"
create: no
when: minifirewall_ssh_ok is not none
@ -167,7 +167,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
regexp: "SMTPOK='.*'"
regexp: "SMTPOK=('|\").*('|\")"
create: no
when: minifirewall_smtp_ok is not none
@ -175,7 +175,7 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
regexp: "SMTPSECUREOK='.*'"
regexp: "SMTPSECUREOK=('|\").*('|\")"
create: no
when: minifirewall_smtp_secure_ok is not none
@ -183,10 +183,100 @@
lineinfile:
dest: "/etc/default/minifirewall"
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
regexp: "NTPOK='.*'"
regexp: "NTPOK=('|\").*('|\")"
create: no
when: minifirewall_ntp_ok is not none
- name: Configure PROXY
lineinfile:
dest: "/etc/default/minifirewall"
line: "PROXY='{{ minifirewall_proxy }}'"
regexp: "PROXY=('|\").*('|\")"
create: no
when: minifirewall_proxy is not none
- name: Configure PROXYPORT
lineinfile:
dest: "/etc/default/minifirewall"
line: "PROXYPORT='{{ minifirewall_proxyport }}'"
regexp: "PROXYPORT=('|\").*('|\")"
create: no
when: minifirewall_proxyport is not none
# Warning: keep double quotes for the value,
# since we often reference a shell variable that needs to be interpolated
- name: Configure PROXYBYPASS
lineinfile:
dest: "/etc/default/minifirewall"
line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
regexp: "PROXYBYPASS=('|\").*('|\")"
create: no
when: minifirewall_proxybypass is not none
- name: Configure BACKUPSERVERS
lineinfile:
dest: "/etc/default/minifirewall"
line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
regexp: "BACKUPSERVERS=('|\").*('|\")"
create: no
when: minifirewall_backupservers is not none
- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none
- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none
- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
create: no
when: minifirewall_sysctl_accept_source_route is not none
- name: Configure SYSCTL_TCP_SYNCOOKIES
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
create: no
when: minifirewall_sysctl_tcp_syncookies is not none
- name: Configure SYSCTL_ICMP_REDIRECTS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_redirects is not none
- name: Configure SYSCTL_RP_FILTER
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
create: no
when: minifirewall_sysctl_rp_filter is not none
- name: Configure SYSCTL_LOG_MARTIANS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_log_martians is not none
- name: Stat minifirewall config file (after)
stat:
path: "/etc/default/minifirewall"
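Review bot: The regexps introduced here, from the DNSSERVEURS task through SYSCTL_LOG_MARTIANS, are unanchored, so `lineinfile` also matches a commented-out example such as `# PROXY='on'`, and when both that and the real assignment exist only the last matching line is rewritten; prefixing each pattern with `^` keeps the match on the actual assignment, e.g. `regexp: "^PROXY=('|\").*('|\")"`. The comment above the PROXYBYPASS task explains the double quotes but not their consequence: every element of `minifirewall_proxybypass` is shell-expanded with root privileges when /etc/default/minifirewall is sourced, so the comment should say that only trusted inventory values belong there, e.g. `# Values are shell-expanded when the file is sourced; set them only from trusted inventory`. `create: no` is a YAML 1.1 truthy string; `create: false` is the canonical form. The task list starts before the first hunk, and the `Stat minifirewall config file (after)` task continues past the last one.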