From 025d0bac3581866b92e0a5ce4f7b60d8148de26f Mon Sep 17 00:00:00 2001 From: Jesko Date: Wed, 8 May 2024 16:45:42 +0200 Subject: [PATCH] idempotenz hergestellt --- playbook.yml | 113 -------------------------------------- roles/ufw/tasks/main.yml | 115 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 113 deletions(-) create mode 100644 roles/ufw/tasks/main.yml diff --git a/playbook.yml b/playbook.yml index 5721447..eceb28f 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -15,120 +15,7 @@ tasks: - - name: Install ufw - apt: package=ufw state=present - - name: Configure ufw defaults - ufw: direction={{ item.direction }} policy={{ item.policy }} - with_items: - - { direction: 'incoming', policy: 'deny' } - - { direction: 'outgoing', policy: 'deny' } - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - # disable ipv6 - - lineinfile: - path: /etc/default/ufw - state: present - regexp: '^IPV6' - line: 'IPV6=no' - - - name: Enable ufw logging - ufw: logging=off - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - name: Commenting a line. - replace: - path: /etc/ufw/before.rules - regexp: '(.*limit --limit*)' - replace: '#\1' - when: config_ufw - - name: Allow all access to tcp port 123 - ufw: - rule: allow - port: '3142' - direction: '{{ item }}' - with_items: - - in - - out - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - - name: Allow SSH-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '22' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.0.2.254/32' } - - { direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { direction: 'out', destination: '162.55.5.40/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - name: Allow https-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '443' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.0.2.254/32' } - - 
{ direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { direction: 'out', destination: '162.55.5.40/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - name: Allow apt-proxy-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '3142' - with_items: - - { direction: 'in', destination: '10.0.2.254/32' } - - { direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.1.3/32' } - - { direction: 'out', destination: '10.16.1.3/32' } - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - name: Allow DNS-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '53' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} - - name: Allow dns - ufw: rule={{ item.rule }} port={{ item.port }} - with_items: - - { rule: 'allow', port: '53'} - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} - name: disable mounting of usb flash drives file: path: /media diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml new file mode 100644 index 0000000..f3b3c2c --- /dev/null +++ b/roles/ufw/tasks/main.yml 
@@ -0,0 +1,115 @@ +- name: Install ufw + apt: package=ufw state=present + +- name: Configure ufw defaults + ufw: direction={{ item.direction }} policy={{ item.policy }} + with_items: + - { direction: 'incoming', policy: 'deny' } + - { direction: 'outgoing', policy: 'deny' } + environment: + PATH: /sbin:{{ ansible_env.PATH }} + +# disable ipv6 +- lineinfile: + path: /etc/default/ufw + state: present + regexp: '^IPV6' + line: 'IPV6=no' + +- name: Enable ufw logging + ufw: logging=off + environment: + PATH: /sbin:{{ ansible_env.PATH }} + +- name: Commenting a line. + replace: + path: /etc/ufw/before.rules + regexp: '^(?!#)(.*limit --limit*)' + replace: '#\1' + when: config_ufw +- name: Allow all access to tcp port 123 + ufw: + rule: allow + port: '3142' + direction: '{{ item }}' + with_items: + - in + - out + when: config_ufw + environment: + PATH: /sbin:{{ ansible_env.PATH }} + +- name: Allow SSH-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '22' + with_items: + - { direction: 'in', destination: '10.0.0.1/32' } + - { direction: 'out', destination: '10.0.0.1/32' } + - { direction: 'in', destination: '10.0.2.254/32' } + - { direction: 'out', destination: '10.0.2.243/32' } + - { direction: 'in', destination: '10.16.109.252/32' } + - { direction: 'out', destination: '10.16.109.252/32' } + - { direction: 'in', destination: '10.16.1.1/32' } + - { direction: 'out', destination: '10.16.1.1/32' } + - { direction: 'in', destination: '162.55.5.40/32' } + - { direction: 'out', destination: '162.55.5.40/32' } + when: config_ufw + environment: + PATH: /sbin:{{ ansible_env.PATH }} +- name: Allow https-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '443' + with_items: + - { direction: 'in', destination: '10.0.0.1/32' } + - { direction: 'out', destination: '10.0.0.1/32' } + - { direction: 'in', destination: '10.0.2.254/32' } + - { 
direction: 'out', destination: '10.0.2.243/32' } + - { direction: 'in', destination: '10.16.109.252/32' } + - { direction: 'out', destination: '10.16.109.252/32' } + - { direction: 'in', destination: '10.16.1.1/32' } + - { direction: 'out', destination: '10.16.1.1/32' } + - { direction: 'in', destination: '162.55.5.40/32' } + - { direction: 'out', destination: '162.55.5.40/32' } + when: config_ufw + environment: + PATH: /sbin:{{ ansible_env.PATH }} +- name: Allow apt-proxy-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '3142' + with_items: + - { direction: 'in', destination: '10.0.2.254/32' } + - { direction: 'out', destination: '10.0.2.243/32' } + - { direction: 'in', destination: '10.16.1.3/32' } + - { direction: 'out', destination: '10.16.1.3/32' } + environment: + PATH: /sbin:{{ ansible_env.PATH }} +- name: Allow DNS-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '53' + with_items: + - { direction: 'in', destination: '10.0.0.1/32' } + - { direction: 'out', destination: '10.0.0.1/32' } + - { direction: 'in', destination: '10.16.1.1/32' } + - { direction: 'out', destination: '10.16.1.1/32' } + when: config_ufw + environment: + PATH: /sbin:{{ ansible_env.PATH }} +- name: Allow dns + ufw: rule={{ item.rule }} port={{ item.port }} + with_items: + - { rule: 'allow', port: '53'} + when: config_ufw + environment: + PATH: /sbin:{{ ansible_env.PATH }} \ No newline at end of file
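Review bot: The task named `Allow all access to tcp port 123` actually opens `port: '3142'` in both directions to any host, which makes the later source-restricted `Allow apt-proxy-Access to some servers` rule for 3142 redundant and widens exposure; either the name or the port is wrong, and the task should be reconciled with the apt-proxy task or dropped if that one is the intended policy. The same name/behaviour mismatch applies to `Enable ufw logging`, which runs `ufw: logging=off`; a deny-by-default firewall with logging off leaves nothing to detect blocked or unexpected traffic, so either rename the task or set `logging: 'on'`. The unscoped `Allow dns` task (`rule=allow port=53`, no direction or source) likewise overrides the source-restricted `Allow DNS-Access to some servers` rules above it. Also, nothing in this role enables the firewall (`state: enabled` on the ufw module), so unless a task outside this file does so the rules are staged but inactive, and the file lacks a trailing newline.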