idempotenz hergestellt

This commit is contained in:
Jesko 2024-05-08 16:45:42 +02:00
parent 620a814d74
commit 025d0bac35
2 changed files with 115 additions and 113 deletions

View File

@ -15,120 +15,7 @@
tasks: tasks:
- name: Install ufw
apt: package=ufw state=present
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'deny' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
# disable ipv6
- lineinfile:
path: /etc/default/ufw
state: present
regexp: '^IPV6'
line: 'IPV6=no'
- name: Enable ufw logging
ufw: logging=off
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Commenting a line.
replace:
path: /etc/ufw/before.rules
regexp: '(.*limit --limit*)'
replace: '#\1'
when: config_ufw
- name: Allow all access to tcp port 123
ufw:
rule: allow
port: '3142'
direction: '{{ item }}'
with_items:
- in
- out
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow SSH-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '22'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow apt-proxy-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '3142'
with_items:
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.1.3/32' }
- { direction: 'out', destination: '10.16.1.3/32' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow DNS-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '53'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow dns
ufw: rule={{ item.rule }} port={{ item.port }}
with_items:
- { rule: 'allow', port: '53'}
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: disable mounting of usb flash drives - name: disable mounting of usb flash drives
file: file:
path: /media path: /media

115
roles/ufw/tasks/main.yml Normal file
View File

@ -0,0 +1,115 @@
- name: Install ufw
apt: package=ufw state=present
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'deny' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
# disable ipv6
- lineinfile:
path: /etc/default/ufw
state: present
regexp: '^IPV6'
line: 'IPV6=no'
- name: Enable ufw logging
ufw: logging=off
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Commenting a line.
replace:
path: /etc/ufw/before.rules
regexp: '^(?!#)(.*limit --limit*)'
replace: '#\1'
when: config_ufw
- name: Allow all access to tcp port 123
ufw:
rule: allow
port: '3142'
direction: '{{ item }}'
with_items:
- in
- out
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow SSH-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '22'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow apt-proxy-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '3142'
with_items:
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.1.3/32' }
- { direction: 'out', destination: '10.16.1.3/32' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow DNS-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '53'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow dns
ufw: rule={{ item.rule }} port={{ item.port }}
with_items:
- { rule: 'allow', port: '53'}
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}