ansible-roles/minifirewall/tasks/config.yml


---
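# Echo the trusted IP list that will be written to the config (only shown
# with -v), so a reviewer can see what the firewall will trust.
- name: Show trusted IPs (verbose only)
  debug:
    var: minifirewall_trusted_ips
    verbosity: 1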
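# Echo the privilegied IP list that will be written to the config (only
# shown with -v).
- name: Show privilegied IPs (verbose only)
  debug:
    var: minifirewall_privilegied_ips
    verbosity: 1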
# Snapshot of the config file before any edit; its checksum is compared with
# the "after" snapshot at the end of this file to decide whether a restart
# of the firewall must be scheduled.
- name: Stat minifirewall config file (before)
  stat:
    path: '/etc/default/minifirewall'
  register: minifirewall_before
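# Probe the live iptables ruleset for rules characteristic of minifirewall.
# rc == 0 means the firewall is currently loaded; this gates the conditional
# restart at the end of this file. Note there is no pipefail: if iptables
# itself errors out, grep sees no input and the result is "not running",
# i.e. no restart will be scheduled.
- name: Check if minifirewall is running
  shell:
    cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
  # Read-only probe: never reported as changed, never fails the play
  # (a non-zero rc only means "not running"), and runs even in --check mode
  # so the restart decision has real data.
  changed_when: false
  failed_when: false
  check_mode: false
  register: minifirewall_is_running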
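# Show the raw result of the running-check (only with -v), useful when the
# restart is unexpectedly skipped or scheduled.
- name: Show minifirewall running check result (verbose only)
  debug:
    var: minifirewall_is_running
    verbosity: 1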
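# Plant the BEGIN marker of the IP block right before "# Main interface", so
# that "Configure IP addresses" below replaces that section in place instead
# of appending a second copy at the end of the file. lineinfile only inserts
# the marker when it is not already present.
- name: Begin marker for IP addresses
  lineinfile:
    path: '/etc/default/minifirewall'
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
    insertbefore: '^# Main interface'
    # The file must already exist (it comes from the minifirewall install);
    # creating an empty one here would hide a broken installation.
    create: false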
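# Plant the END marker of the IP block right after the PRIVILEGIEDIPS=
# assignment (the last variable of that section). If that line is missing,
# lineinfile falls back to appending at end of file.
- name: End marker for IP addresses
  lineinfile:
    path: '/etc/default/minifirewall'
    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
    insertafter: '^PRIVILEGIEDIPS='
    create: false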
# TRUSTEDIPS is the list of addresses allowed to reach private and
# semi-public services; refuse to write a config with none of them.
- name: Verify that at least 1 trusted IP is provided
  assert:
    that:
      - minifirewall_trusted_ips | length > 0
    msg: 'You must provide at least 1 trusted IP'
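# A catch-all IPv4 entry in TRUSTEDIPS grants every IPv4 source the trusted
# level, which defeats the purpose of the firewall; warn loudly but do not
# fail, the choice is left to the operator.
- name: Warn if trusted IPs contain 0.0.0.0/0
  debug:
    msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!"
  when: "'0.0.0.0/0' in minifirewall_trusted_ips"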
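# Same check for the IPv6 catch-all: ::/0 in TRUSTEDIPS trusts every IPv6
# source. Warn, do not fail.
- name: Warn if trusted IPs contain ::/0
  debug:
    msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!"
  when: "'::/0' in minifirewall_trusted_ips"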
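# Rewrite the IP section of the config between the markers planted above.
# Values are emitted inside shell single quotes; the role's variables are
# presumably never expected to contain a single quote (it would terminate
# the shell string when the file is sourced) — confirm against the callers.
- name: Configure IP addresses
  blockinfile:
    path: '/etc/default/minifirewall'
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
    create: false
    block: |
      # Main interface
      INT='{{ minifirewall_int }}'
      # IPv6
      IPV6='{{ minifirewall_ipv6 }}'
      # Docker Mode
      # Changes the behaviour of minifirewall to not break the containers' network
      # For instance, turning it on will disable nat table purge
      # Also, we'll add the DOCKER-USER chain, in iptables
      #
      # WARNING : If the port mapping is different between the host and the container
      # (ie: Listen on :8090 on host, but :8080 in container)
      # then you need to give the port used inside the container
      DOCKER='{{ minifirewall_docker }}'
      # Trusted IPv4 local network
      # ...will be often IP/32 if you don't trust anything
      INTLAN='{{ minifirewall_intlan }}'
      # Trusted IPv4 addresses for private and semi-public services
      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
      # Privilegied IPv4 addresses for semi-public services
      # (no need to add again TRUSTEDIPS)
      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
  # "changed" here is one of the inputs to the restart decision below.
  register: minifirewall_config_ips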
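# Plant the BEGIN marker of the ports block right before "# Protected
# services", so that "Configure ports" replaces that section in place.
- name: Begin marker for ports
  lineinfile:
    path: '/etc/default/minifirewall'
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
    insertbefore: '^# Protected services'
    create: false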
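# Plant the END marker of the ports block right after SERVICESUDP3= (the last
# variable of that section); falls back to end of file if it is missing.
- name: End marker for ports
  lineinfile:
    path: '/etc/default/minifirewall'
    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
    insertafter: '^SERVICESUDP3='
    create: false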
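# Rewrite the ports section of the config between the PORTS markers.
# Each SERVICES* variable is a space-separated port list built from the
# matching role variable (an empty list yields an empty string).
- name: Configure ports
  blockinfile:
    path: '/etc/default/minifirewall'
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
    create: false
    block: |
      # Protected services
      # (add also in Public services if needed)
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
      # Public services (IPv4/IPv6)
      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
      # Semi-public services (IPv4)
      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
      # Private services (IPv4)
      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
  register: minifirewall_config_ports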
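# Replace the DNSSERVEURS= assignment in place. The regexp is anchored at
# line start (like the marker tasks above) so that only the assignment itself
# matches — not a commented-out copy or a longer variable name that happens
# to end the same way.
- name: Configure DNSSERVEURS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^DNSSERVEURS=('|\").*('|\")"
    line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
    create: false
  # null means "leave the file's value alone"; any list (even empty) is written.
  when: minifirewall_dns_servers is not none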
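# Replace the HTTPSITES= assignment in place; anchored so only the assignment
# line itself is rewritten.
- name: Configure HTTPSITES
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^HTTPSITES=('|\").*('|\")"
    line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
    create: false
  when: minifirewall_http_sites is not none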
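# Replace the HTTPSSITES= assignment in place; anchored so only the
# assignment line itself is rewritten.
- name: Configure HTTPSSITES
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^HTTPSSITES=('|\").*('|\")"
    line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
    create: false
  when: minifirewall_https_sites is not none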
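# Replace the FTPSITES= assignment in place; anchored so only the assignment
# line itself is rewritten.
- name: Configure FTPSITES
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^FTPSITES=('|\").*('|\")"
    line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
    create: false
  when: minifirewall_ftp_sites is not none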
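# Replace the SSHOK= assignment in place; anchored so only the assignment
# line itself is rewritten.
- name: Configure SSHOK
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SSHOK=('|\").*('|\")"
    line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
    create: false
  when: minifirewall_ssh_ok is not none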
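# Replace the SMTPOK= assignment in place; anchored so only the assignment
# line itself is rewritten (SMTPSECUREOK is handled by its own task).
- name: Configure SMTPOK
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SMTPOK=('|\").*('|\")"
    line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
    create: false
  when: minifirewall_smtp_ok is not none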
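# Replace the SMTPSECUREOK= assignment in place; anchored so only the
# assignment line itself is rewritten.
- name: Configure SMTPSECUREOK
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SMTPSECUREOK=('|\").*('|\")"
    line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
    create: false
  when: minifirewall_smtp_secure_ok is not none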
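# Replace the NTPOK= assignment in place; anchored so only the assignment
# line itself is rewritten.
- name: Configure NTPOK
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^NTPOK=('|\").*('|\")"
    line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
    create: false
  when: minifirewall_ntp_ok is not none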
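# Replace the PROXY= assignment in place. The anchor matters here in
# particular: unanchored, "PROXY=" would also match any longer variable name
# ending in PROXY. The value is a single scalar, not a list.
- name: Configure PROXY
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^PROXY=('|\").*('|\")"
    line: "PROXY='{{ minifirewall_proxy }}'"
    create: false
  when: minifirewall_proxy is not none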
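# Replace the PROXYPORT= assignment in place; anchored so only the assignment
# line itself is rewritten. Single scalar value.
- name: Configure PROXYPORT
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^PROXYPORT=('|\").*('|\")"
    line: "PROXYPORT='{{ minifirewall_proxyport }}'"
    create: false
  when: minifirewall_proxyport is not none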
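# Warning: keep double quotes for the value,
# since we often reference a shell variable that needs to be interpolated.
# The regexp is anchored so only the assignment line itself is rewritten.
- name: Configure PROXYBYPASS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^PROXYBYPASS=('|\").*('|\")"
    line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
    create: false
  when: minifirewall_proxybypass is not none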
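# Replace the BACKUPSERVERS= assignment in place; anchored so only the
# assignment line itself is rewritten.
- name: Configure BACKUPSERVERS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^BACKUPSERVERS=('|\").*('|\")"
    line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
    create: false
  when: minifirewall_backupservers is not none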
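# Replace the SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS= assignment in place
# (anchored). The value is written verbatim; its meaning is defined by
# minifirewall itself.
- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
    line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
    create: false
  when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none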
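# Replace the SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES= assignment in place
# (anchored). Value written verbatim.
- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
    line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
    create: false
  when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none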
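# Replace the SYSCTL_ACCEPT_SOURCE_ROUTE= assignment in place (anchored).
# Value written verbatim.
- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
    line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
    create: false
  when: minifirewall_sysctl_accept_source_route is not none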
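# Replace the SYSCTL_TCP_SYNCOOKIES= assignment in place (anchored).
# Value written verbatim.
- name: Configure SYSCTL_TCP_SYNCOOKIES
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
    line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
    create: false
  when: minifirewall_sysctl_tcp_syncookies is not none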
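# Replace the SYSCTL_ICMP_REDIRECTS= assignment in place (anchored).
# Value written verbatim.
- name: Configure SYSCTL_ICMP_REDIRECTS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
    line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
    create: false
  when: minifirewall_sysctl_icmp_redirects is not none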
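# Replace the SYSCTL_RP_FILTER= assignment in place (anchored).
# Value written verbatim.
- name: Configure SYSCTL_RP_FILTER
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_RP_FILTER=('|\").*('|\")"
    line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
    create: false
  when: minifirewall_sysctl_rp_filter is not none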
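# Replace the SYSCTL_LOG_MARTIANS= assignment in place (anchored).
# Value written verbatim.
- name: Configure SYSCTL_LOG_MARTIANS
  lineinfile:
    path: '/etc/default/minifirewall'
    regexp: "^SYSCTL_LOG_MARTIANS=('|\").*('|\")"
    line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
    create: false
  when: minifirewall_sysctl_log_martians is not none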
# Second snapshot of the config file, taken once every edit above has run;
# a checksum different from the "before" snapshot means the firewall
# configuration really changed on disk.
- name: Stat minifirewall config file (after)
  stat:
    path: '/etc/default/minifirewall'
  register: minifirewall_after
# Ask the handler to restart the firewall, but only when all of these hold:
# modern install mode, restarts allowed by the caller, the firewall is
# currently loaded (see the running check above), and either the config file
# changed on disk or the upgrade script/config tasks reported a change.
# `command: /bin/true` is the usual trick to always report "changed" so the
# notify fires; the `when` expression is the real gate.
- name: Schedule minifirewall restart (modern)
  command: /bin/true
  notify: "restart minifirewall (modern)"
  when: >-
    minifirewall_install_mode != 'legacy'
    and minifirewall_restart_if_needed | bool
    and minifirewall_is_running.rc == 0
    and (minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
    or minifirewall_upgrade_script is changed
    or minifirewall_upgrade_config is changed)
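# Show the init restart result (only with -vv), to trace why the firewall
# was or was not restarted.
- name: Show minifirewall init restart result (verbose only)
  debug:
    var: minifirewall_init_restart
    verbosity: 2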