Minifirewall: extend configuration abilities with blocks
parent
7634830bbc
commit
9570efcaed
@ -1,6 +1,6 @@
# minifirewall
Install minifirewall a simple and versatile local firewall.
Installation of minifirewall a simple and versatile local firewall.
The firewall is not started by default, but an init script is installed.
@ -16,4 +16,6 @@ Everything is in the `tasks/main.yml` file.
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
Some IP/hosts must be configured or the server will be inaccessible via network.
The full list of variables (with default values) can be found in `defaults/main.yml`.
**Some IP/hosts must be configured or the server will be inaccessible via network.**
@ -6,3 +6,12 @@ minifirewall_ipv6: "on"
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
minifirewall_trusted_ips: []
minifirewall_privilegied_ips: []
minifirewall_protected_ports_tcp: [22]
minifirewall_protected_ports_udp: []
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
minifirewall_public_ports_udp: [53]
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
minifirewall_semipublic_ports_udp: []
minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: []
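Review bot: TCP port 22 is listed in both `minifirewall_protected_ports_tcp: [22]` and `minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]`, so config.yml writes it to both `SERVICESTCP1p` and `SERVICESTCP2`. Unless minifirewall is known to evaluate the protected list first, a semi-public ACCEPT on 22 would make the protected restriction on SSH dead code; I cannot tell from the role which rule wins, so either drop 22 from the semi-public default or document why it is in both. A short comment above the port lists stating what protected/public/semi-public/private mean in terms of which source IPs may reach them would also help, since the README only documents the IP variables.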
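--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -0,0 +1,57 @@
+---
+
+- name: Begin marker for IP addresses
+lineinfile:
+dest: /etc/default/minifirewall
+create: no
+line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
+insertbefore: '^# Main interface'
+
+- name: End marker for IP addresses
+lineinfile:
+dest: /etc/default/minifirewall
+create: no
+line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
+insertafter: '^PRIVILEGIEDIPS='
+
+- name: Configure IP addresses
+blockinfile:
+dest: /etc/default/minifirewall
+create: no
+marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
+content: |
+INT='{{ minifirewall_int }}'
+IPV6='{{ minifirewall_ipv6 }}'
+INTLAN='{{ minifirewall_intlan }}'
+TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
+PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
+
+
+- name: Begin marker for ports
+lineinfile:
+dest: /etc/default/minifirewall
+create: no
+line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
+insertbefore: '^# Protected services'
+
+- name: End marker for ports
+lineinfile:
+dest: /etc/default/minifirewall
+create: no
+line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
+insertafter: '^SERVICESUDP3='
+
+- name: Configure ports
+blockinfile:
+dest: /etc/default/minifirewall
+create: no
+marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
+content: |
+SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
+SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
+SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
+SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
+SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
+SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
+SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
+SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'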
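Review bot: Nothing in this file guards against the lockout the README warns about: with the shipped defaults `minifirewall_trusted_ips: []` and `minifirewall_privilegied_ips: []`, the "Configure IP addresses" task silently writes `TRUSTEDIPS=''` and `PRIVILEGIEDIPS=''` into /etc/default/minifirewall. A pre-flight `assert` at the top of config.yml would fail the play before the file is touched. The lists are also joined into single-quoted shell assignments, so an entry containing `'` would break the quoting of a file that is presumably sourced by the init script; the same assert can reject that. Separately, if `^# Main interface` or `^PRIVILEGIEDIPS=` is not found in an already hand-edited file, lineinfile places the marker at end of file and the original assignments survive above the managed block — likely still effective because the later shell assignment wins, but worth confirming against minifirewall.conf.

```yaml
---

- name: minifirewall variables are sane (refuse a config that would lock the host out)
  assert:
    that:
      - "(minifirewall_trusted_ips | length) > 0 or (minifirewall_privilegied_ips | length) > 0"
      - "\"'\" not in ((minifirewall_trusted_ips + minifirewall_privilegied_ips) | join(' '))"
    msg: "Set minifirewall_trusted_ips and/or minifirewall_privilegied_ips (plain IP/CIDR entries, no quotes) or the server will be unreachable over the network"

# … unchanged: marker and blockinfile tasks …
```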
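--- a/minifirewall/tasks/install.yml
+++ b/minifirewall/tasks/install.yml
@@ -0,0 +1,29 @@
+---
+
+- name: clone git repository
+git:
+repo: "{{ minifirewall_git_url}}"
+dest: "{{ minifirewall_checkout_path }}"
+clone: yes
+
+# WARN: these tasks copy the file if there are not already there
+# They don't update files.
+
+- name: is init script present?
+stat:
+path: /etc/init.d/minifirewall
+register: init_minifirewall
+
+- name: init script is copied
+command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
+when: not init_minifirewall.stat.exists
+
+
+- name: is configuration present?
+stat:
+path: /etc/default/minifirewall
+register: default_minifirewall
+
+- name: configuration is copied
+command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
+when: not default_minifirewall.stat.exists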
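Review bot: The script copied into /etc/init.d/minifirewall (and the config it seeds /etc/default/minifirewall from) comes from `git:` with `clone: yes` and no `version:`, so whatever the remote's default branch points at when the play runs becomes the root-run firewall script; pinning it with `version: "{{ minifirewall_git_version }}"` and a tag or commit in defaults/main.yml makes the installed code reproducible and reviewable. The two `command: "cp …"` tasks also set no mode and always report changed; `copy` with `remote_src: yes` and an explicit `mode` (`"0755"` for the init script, `"0644"` or tighter for the config) is the idiomatic form if the Ansible version this role targets supports it. Since the header comment says neither file is ever updated once present, a pin only takes effect on first install — worth stating in the README.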
@ -1,42 +1,5 @@
---
- name: clone git repository
git:
repo: "{{ minifirewall_git_url}}"
dest: "{{ minifirewall_checkout_path }}"
clone: yes
- include: install.yml
# WARN: these tasks copy the file if there are not already there
# They don't update files.
- name: is init script present?
stat:
path: /etc/init.d/minifirewall
register: init_minifirewall
- name: init script is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
when: not init_minifirewall.stat.exists
- name: is configuration present?
stat:
path: /etc/default/minifirewall
register: default_minifirewall
- block:
- name: configuration is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
- name: configuraion is customized
replace:
dest: /etc/default/minifirewall
regexp: '{{ item.regexp }}'
replace: '{{ item.replace }}'
with_items:
- { regexp: "^(INT)='.*'", replace: "\\1='{{ minifirewall_int }}'" }
- { regexp: "^(INTLAN)='.*'", replace: "\\1='{{ minifirewall_intlan }}'" }
- { regexp: "^(IPV6)='.*'", replace: "\\1='{{ minifirewall_ipv6 }}'" }
- { regexp: "^(TRUSTEDIPS)='.*'", replace: "\\1='{{ minifirewall_trusted_ips | join(' ') }}'" }
- { regexp: "^(PRIVILEGIEDIPS)='.*'", replace: "\\1='{{ minifirewall_privilegied_ips | join(' ') }}'" }
when: not default_minifirewall.stat.exists
- include: config.yml
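Review bot: With the `when: not default_minifirewall.stat.exists` gate gone, the included config.yml now rewrites /etc/default/minifirewall on every run, yet neither include registers a handler and config.yml has no `notify`, so a host on which minifirewall was started by hand would keep enforcing the old ruleset after the variables change. If that is intentional (the README says the firewall is not started by default), make it explicit with a comment above the include, `# config.yml rewrites /etc/default/minifirewall but never restarts minifirewall; apply changes manually`. Otherwise add `notify: restart minifirewall` to the two blockinfile tasks and a handler that restarts the service only when it is already running.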