2024-05-07 22:34:14 +02:00
|
|
|
---
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: ensure safe environment for exams
|
|
|
|
|
hosts: localhost
|
2024-05-08 09:47:30 +02:00
|
|
|
vars:
|
|
|
|
|
- config_ufw: false
|
2024-05-07 22:34:14 +02:00
|
|
|
|
|
|
|
|
# to verify ufw configuration run:
|
|
|
|
|
# sudo ufw status verbose
|
2024-05-07 22:42:16 +02:00
|
|
|
tasks:
|
|
|
|
|
- name: Install ufw
|
|
|
|
|
apt: package=ufw state=present
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Configure ufw defaults
|
|
|
|
|
ufw: direction={{ item.direction }} policy={{ item.policy }}
|
|
|
|
|
with_items:
|
|
|
|
|
- { direction: 'incoming', policy: 'deny' }
|
|
|
|
|
- { direction: 'outgoing', policy: 'deny' }
|
2024-05-08 10:26:25 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:42:16 +02:00
|
|
|
# disable ipv6
|
|
|
|
|
- lineinfile:
|
|
|
|
|
path: /etc/default/ufw
|
|
|
|
|
state: present
|
|
|
|
|
regexp: '^IPV6'
|
|
|
|
|
line: 'IPV6=no'
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Enable ufw logging
|
|
|
|
|
ufw: logging=off
|
2024-05-08 10:26:25 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Commenting a line.
|
|
|
|
|
replace:
|
|
|
|
|
path: /etc/ufw/before.rules
|
|
|
|
|
regexp: '(.*limit --limit*)'
|
|
|
|
|
replace: '#\1'
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Allow all access to tcp port 123
|
|
|
|
|
ufw:
|
|
|
|
|
rule: allow
|
|
|
|
|
port: '123'
|
|
|
|
|
direction: '{{ item }}'
|
|
|
|
|
with_items:
|
|
|
|
|
- in
|
|
|
|
|
- out
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Allow SSH-Access to some servers
|
|
|
|
|
ufw:
|
|
|
|
|
rule: allow
|
|
|
|
|
direction: '{{ item.direction }}'
|
|
|
|
|
dest: '{{ item.destination }}'
|
|
|
|
|
port: '22'
|
|
|
|
|
with_items:
|
2024-05-07 22:49:26 +02:00
|
|
|
- { direction: 'in', destination: '10.0.0.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.0.0.1/32' }
|
2024-05-07 22:42:16 +02:00
|
|
|
- { direction: 'in', destination: '10.16.109.252/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.16.109.252/32' }
|
|
|
|
|
- { direction: 'in', destination: '10.16.1.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.16.1.1/32' }
|
|
|
|
|
- { direction: 'in', destination: '162.55.5.40/32' }
|
|
|
|
|
- { direction: 'out', destination: '162.55.5.40/32' }
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-08 10:20:13 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Allow https-Access to some servers
|
|
|
|
|
ufw:
|
|
|
|
|
rule: allow
|
|
|
|
|
direction: '{{ item.direction }}'
|
|
|
|
|
dest: '{{ item.destination }}'
|
|
|
|
|
port: '443'
|
|
|
|
|
with_items:
|
2024-05-07 22:49:26 +02:00
|
|
|
- { direction: 'in', destination: '10.0.0.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.0.0.1/32' }
|
2024-05-07 22:42:16 +02:00
|
|
|
- { direction: 'in', destination: '10.16.109.252/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.16.109.252/32' }
|
|
|
|
|
- { direction: 'in', destination: '10.16.1.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.16.1.1/32' }
|
|
|
|
|
- { direction: 'in', destination: '162.55.5.40/32' }
|
|
|
|
|
- { direction: 'out', destination: '162.55.5.40/32' }
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-08 10:20:13 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:58:58 +02:00
|
|
|
- name: Allow DNS-Access to some servers
|
|
|
|
|
ufw:
|
|
|
|
|
rule: allow
|
|
|
|
|
direction: '{{ item.direction }}'
|
|
|
|
|
dest: '{{ item.destination }}'
|
|
|
|
|
port: '53'
|
|
|
|
|
with_items:
|
|
|
|
|
- { direction: 'in', destination: '10.0.0.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.0.0.1/32' }
|
|
|
|
|
- { direction: 'in', destination: '10.16.1.1/32' }
|
|
|
|
|
- { direction: 'out', destination: '10.16.1.1/32' }
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-08 10:20:13 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: Allow dns
|
|
|
|
|
ufw: rule={{ item.rule }} port={{ item.port }}
|
|
|
|
|
with_items:
|
|
|
|
|
- { rule: 'allow', port: '53'}
|
2024-05-08 09:47:30 +02:00
|
|
|
when: config_ufw
|
2024-05-08 10:20:13 +02:00
|
|
|
environment:
|
|
|
|
|
PATH: /sbin:{{ ansible_env.PATH }}
|
2024-05-08 09:25:15 +02:00
|
|
|
- name: disable mounting of usb flash drives
|
|
|
|
|
file:
|
|
|
|
|
path: /media
|
|
|
|
|
owner: root
|
|
|
|
|
mode: '700'
|
|
|
|
|
|
|
|
|
|
- name: create user group pruefung
|
|
|
|
|
group:
|
|
|
|
|
name: "pruefung"
|
|
|
|
|
state: present
|
|
|
|
|
|
|
|
|
|
- name: create user student
|
|
|
|
|
ansible.builtin.user:
|
|
|
|
|
name: "pruefung"
|
2024-05-08 09:45:06 +02:00
|
|
|
password: "{{ 'morz' | password_hash('sha512') }}"
|
2024-05-08 09:25:15 +02:00
|
|
|
shell: /bin/bash
|
|
|
|
|
comment: Prüfungsbenutzer
|
|
|
|
|
group: pruefung
|
|
|
|
|
|
|
|
|
|
- name: create .config dir for created user
|
|
|
|
|
file:
|
|
|
|
|
path: "/home/pruefung/.config/"
|
|
|
|
|
state: directory
|
|
|
|
|
mode: "700"
|
|
|
|
|
owner: "pruefung"
|
|
|
|
|
group: "pruefung"
|
|
|
|
|
|
2024-05-08 09:36:49 +02:00
|
|
|
- name: Set timezone to Europe/Vienna
|
|
|
|
|
timezone:
|
|
|
|
|
name: Europe/Vienna
|
|
|
|
|
|
|
|
|
|
- name: copy template for libreoffice
|
|
|
|
|
copy:
|
|
|
|
|
src: files/Pruefung.ott
|
|
|
|
|
dest: /home/pruefung/Pruefung.ott
|
|
|
|
|
owner: ansible
|
|
|
|
|
group: ansible
|
|
|
|
|
mode: '0644'
|
2024-05-08 09:25:15 +02:00
|
|
|
- name: make sure libreoffice uses ower template. spacing, border, font,...
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /usr/share/applications/libreoffice-writer.desktop
|
|
|
|
|
regexp: 'Exec=libreoffice --writer %U'
|
|
|
|
|
line: Exec=libreoffice --writer %U -n /home/pruefung/Pruefung.ott
|
2024-05-07 22:34:14 +02:00
|
|
|
|
2024-05-07 22:42:16 +02:00
|
|
|
- name: purge some prior installed packages
|
|
|
|
|
apt:
|
|
|
|
|
name:
|
|
|
|
|
- task-kde-desktop
|
|
|
|
|
- task-german-kde-desktop
|
|
|
|
|
- task-german-desktop
|
|
|
|
|
- xdg-desktop-portal-kde
|
2024-05-08 09:25:15 +02:00
|
|
|
- xdg-desktop-portal-wlr
|
2024-05-07 22:42:16 +02:00
|
|
|
- akonadi-backend-sqlite
|
|
|
|
|
- thunderbird-l10n-de
|
|
|
|
|
- webext-privacy-badger
|
|
|
|
|
- webext-ublock-origin-firefox
|
|
|
|
|
- webext-ublock-origin-chromium
|
|
|
|
|
- vlc
|
|
|
|
|
- gimp
|
|
|
|
|
- inkscape
|
|
|
|
|
- flameshot
|
|
|
|
|
- bluefish
|
|
|
|
|
- nmap
|
|
|
|
|
- net-tools
|
|
|
|
|
- ghex
|
|
|
|
|
- thonny
|
|
|
|
|
- spyder
|
|
|
|
|
- mu-editor
|
|
|
|
|
- dia
|
|
|
|
|
- vym
|
|
|
|
|
- tree
|
|
|
|
|
- sqlite3
|
|
|
|
|
- kicad
|
|
|
|
|
- kicad-doc-de
|
2024-05-07 22:52:32 +02:00
|
|
|
- akonadi-backend-mysql
|
|
|
|
|
- akonadi-contacts-data
|
|
|
|
|
- akonadi-mime-data
|
|
|
|
|
- akonadi-server
|
|
|
|
|
- akregator
|
|
|
|
|
- aspell
|
|
|
|
|
- aspell-de
|
2024-05-07 23:09:07 +02:00
|
|
|
- dolphin
|
|
|
|
|
- firebird3.0-common
|
|
|
|
|
- gimp-data
|
|
|
|
|
- gwenview
|
|
|
|
|
- hyphen-en-us
|
|
|
|
|
- ingerman
|
|
|
|
|
- ispell
|
|
|
|
|
- kate
|
|
|
|
|
- kcalc
|
|
|
|
|
- kmail
|
|
|
|
|
- knotes
|
|
|
|
|
- korganizer
|
|
|
|
|
- wamerican
|
2024-05-07 23:11:41 +02:00
|
|
|
- dragonplayer
|
|
|
|
|
- juk
|
2024-05-07 22:42:16 +02:00
|
|
|
autoremove: yes
|
|
|
|
|
state: absent
|
2024-05-08 10:26:25 +02:00
|
|
|
- name: intall some prior installed packages
|
|
|
|
|
apt:
|
|
|
|
|
name:
|
|
|
|
|
- htop
|
|
|
|
|
- nmap
|
|
|
|
|
state: latest
|
2024-05-07 22:49:26 +02:00
|
|
|
|
|
|
|
|
- name: Enable ufw
|
2024-05-07 22:54:54 +02:00
|
|
|
ufw: state=enabled
|
2024-05-07 22:49:26 +02:00
|
|
|
|
|
|
|
|
- name: start ufw service
|
|
|
|
|
service:
|
|
|
|
|
name: ufw
|
|
|
|
|
state: restarted
|
