forked from evolix/ansible-roles
Minifirewall: extend configuration abilities with blocks
parent
7634830bbc
commit
9570efcaed
|
@ -1,6 +1,6 @@
|
||||||
# minifirewall
|
# minifirewall
|
||||||
|
|
||||||
Install minifirewall a simple and versatile local firewall.
|
Installation of minifirewall a simple and versatile local firewall.
|
||||||
|
|
||||||
The firewall is not started by default, but an init script is installed.
|
The firewall is not started by default, but an init script is installed.
|
||||||
|
|
||||||
|
@ -16,4 +16,6 @@ Everything is in the `tasks/main.yml` file.
|
||||||
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
|
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
|
||||||
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
|
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
|
||||||
|
|
||||||
Some IP/hosts must be configured or the server will be inaccessible via network.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
||||||
|
**Some IP/hosts must be configured or the server will be inaccessible via network.**
|
||||||
|
|
|
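--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -6,3 +6,12 @@ minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
 minifirewall_trusted_ips: []
 minifirewall_privilegied_ips: []
+
+minifirewall_protected_ports_tcp: [22]
+minifirewall_protected_ports_udp: []
+minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
+minifirewall_public_ports_udp: [53]
+minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
+minifirewall_semipublic_ports_udp: []
+minifirewall_private_ports_tcp: [5666]
+minifirewall_private_ports_udp: []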
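Review bot: Port 22 is listed in both `minifirewall_protected_ports_tcp: [22]` and `minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]`; if minifirewall treats these tiers as increasingly permissive, the semi-public entry is what decides SSH exposure and the protected entry is moot, so either drop one of them or add a comment stating that the overlap is deliberate (presumably carried over from the upstream minifirewall.conf defaults). The eight new lists are undocumented beyond the README pointer to this file; a one-line comment per tier naming which source addresses may reach it would let an operator judge the exposure of `minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]` without reading the upstream script.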
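--- /dev/null
+++ b/minifirewall/tasks/config.yml
@@ -0,0 +1,57 @@
+---
+
+- name: Begin marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
+    insertbefore: '^# Main interface'
+
+- name: End marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
+    insertafter: '^PRIVILEGIEDIPS='
+
+- name: Configure IP addresses
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
+    content: |
+      INT='{{ minifirewall_int }}'
+      IPV6='{{ minifirewall_ipv6 }}'
+      INTLAN='{{ minifirewall_intlan }}'
+      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
+      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
+
+
+- name: Begin marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertbefore: '^# Protected services'
+
+- name: End marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertafter: '^SERVICESUDP3='
+
+- name: Configure ports
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
+    content: |
+      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
+      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
+      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
+      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
+      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
+      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
+      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
+      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'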
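Review bot: The IP lists are interpolated verbatim into single-quoted shell-style assignments (`TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'` and the other `content:` lines of the two `blockinfile` tasks), so an entry containing a quote, a space or a newline silently corrupts the line in /etc/default/minifirewall, and nothing checks that the entries look like addresses or hostnames before they become firewall policy; an `assert` task ahead of the blocks would fail the play on a malformed entry instead of writing it, sketched below with a conservative character allowlist. Both marker tasks depend on the upstream comments matched by `insertbefore: '^# Main interface'` and `insertbefore: '^# Protected services'`; if a later minifirewall.conf renames those comments, `lineinfile` appends the marker at end of file and the original assignments above stay in place, so a comment naming the upstream layout this assumes would help the next maintainer. Nothing notifies a restart after the blocks change, so if the firewall is already running the on-disk policy and the loaded rules diverge until someone restarts it; either a handler or a README sentence stating that applying the new policy is left to the operator would close that gap.

```yaml
- name: Validate IP lists
  assert:
    that:
      - "item | match('^[A-Za-z0-9.:/_-]+$')"
    msg: "invalid entry in minifirewall IP lists: {{ item }}"
  with_items: "{{ minifirewall_trusted_ips + minifirewall_privilegied_ips }}"

# … unchanged: marker and blockinfile tasks …
```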
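--- /dev/null
+++ b/minifirewall/tasks/install.yml
@@ -0,0 +1,29 @@
+---
+
+- name: clone git repository
+  git:
+    repo: "{{ minifirewall_git_url}}"
+    dest: "{{ minifirewall_checkout_path }}"
+    clone: yes
+
+# WARN: these tasks copy the file if there are not already there
+# They don't update files.
+
+- name: is init script present?
+  stat:
+    path: /etc/init.d/minifirewall
+  register: init_minifirewall
+
+- name: init script is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
+  when: not init_minifirewall.stat.exists
+
+
+- name: is configuration present?
+  stat:
+    path: /etc/default/minifirewall
+  register: default_minifirewall
+
+- name: configuration is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
+  when: not default_minifirewall.stat.exists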
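Review bot: The `git:` task at the top of the file clones `{{ minifirewall_git_url}}` with no `version:`, so whatever the upstream branch head happens to be at run time is copied into /etc/init.d/minifirewall and /etc/default/minifirewall and then runs with init's privileges as the host's firewall; pinning it, e.g. `version: "{{ minifirewall_git_version }}"` (a new default holding a tag or commit id), makes the deployed firewall code reproducible and reviewable. The two `command: "cp …"` tasks leave the copied init script's mode to whatever `cp` and the umask produce; `copy` with `remote_src: yes` and an explicit `mode:` would keep the same first-install-only behaviour under the existing `stat` guards while making the resulting permissions part of the role. Minor: `"{{ minifirewall_git_url}}"` is missing the space before `}}`, unlike the other expressions in the file.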
|
@ -1,42 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: clone git repository
|
- include: install.yml
|
||||||
git:
|
|
||||||
repo: "{{ minifirewall_git_url}}"
|
|
||||||
dest: "{{ minifirewall_checkout_path }}"
|
|
||||||
clone: yes
|
|
||||||
|
|
||||||
# WARN: these tasks copy the file if there are not already there
|
- include: config.yml
|
||||||
# They don't update files.
|
|
||||||
|
|
||||||
- name: is init script present?
|
|
||||||
stat:
|
|
||||||
path: /etc/init.d/minifirewall
|
|
||||||
register: init_minifirewall
|
|
||||||
|
|
||||||
- name: init script is copied
|
|
||||||
command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
|
|
||||||
when: not init_minifirewall.stat.exists
|
|
||||||
|
|
||||||
|
|
||||||
- name: is configuration present?
|
|
||||||
stat:
|
|
||||||
path: /etc/default/minifirewall
|
|
||||||
register: default_minifirewall
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: configuration is copied
|
|
||||||
command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
|
|
||||||
|
|
||||||
- name: configuraion is customized
|
|
||||||
replace:
|
|
||||||
dest: /etc/default/minifirewall
|
|
||||||
regexp: '{{ item.regexp }}'
|
|
||||||
replace: '{{ item.replace }}'
|
|
||||||
with_items:
|
|
||||||
- { regexp: "^(INT)='.*'", replace: "\\1='{{ minifirewall_int }}'" }
|
|
||||||
- { regexp: "^(INTLAN)='.*'", replace: "\\1='{{ minifirewall_intlan }}'" }
|
|
||||||
- { regexp: "^(IPV6)='.*'", replace: "\\1='{{ minifirewall_ipv6 }}'" }
|
|
||||||
- { regexp: "^(TRUSTEDIPS)='.*'", replace: "\\1='{{ minifirewall_trusted_ips | join(' ') }}'" }
|
|
||||||
- { regexp: "^(PRIVILEGIEDIPS)='.*'", replace: "\\1='{{ minifirewall_privilegied_ips | join(' ') }}'" }
|
|
||||||
when: not default_minifirewall.stat.exists
|
|
||||||
|
|
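Review bot: `- include: install.yml` and `- include: config.yml` use the bare `include` form, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks`; if the role's minimum supported Ansible is 2.4 or later, `- import_tasks: install.yml` and `- import_tasks: config.yml` are the static equivalents, otherwise keep `include` and state the supported version range in the README. With the former `when: not default_minifirewall.stat.exists` guard gone, config.yml now rewrites the managed blocks on every run; that appears to be the intent of the commit, and a sentence in the commit description or README saying that local edits inside the markers are overwritten would save operators a surprise.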