evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity
ansible-roles/minifirewall/tasks/config.yml
Jérémy Lecour cda0932aad whitespaces
2017-03-30 16:05:46 +02:00

107 lines
3.4 KiB
YAML
Raw Blame History

---
- name: Check if minifirewall is running
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
changed_when: False
failed_when: False
check_mode: no
register: minifirewall_is_running
- debug:
msg: Minifirewall IS running
when: minifirewall_is_running.rc == 0
- debug:
msg: Minifirewall IS NOT running
when: minifirewall_is_running.rc != 0
- name: Begin marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
insertbefore: '^# Main interface'
- name: End marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
insertafter: '^PRIVILEGIEDIPS='
- fail:
msg: You must provide at least 1 trusted IP
when: minifirewall_trusted_ips == []
- name: Configure IP addresses
blockinfile:
dest: /etc/default/minifirewall
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
content: |
# Main interface
INT='{{ minifirewall_int }}'
# IPv6
IPV6='{{ minifirewall_ipv6 }}'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='{{ minifirewall_intlan }}'
# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
register: minifirewall_config_ips
- name: Begin marker for ports
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
insertbefore: '^# Protected services'
- name: End marker for ports
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
insertafter: '^SERVICESUDP3='
- name: Configure ports
blockinfile:
dest: /etc/default/minifirewall
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
content: |
# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
# Public services (IPv4/IPv6)
SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
# Semi-public services (IPv4)
SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
# Private services (IPv4)
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
register: minifirewall_config_ports
- name: restart minifirewall
# service:
# name: minifirewall
# state: restarted
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
when: minifirewall_is_running.rc == 0 and (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
Reference in a new issue View git blame Copy permalink