From 688ecab5cf33b05bd1629f4702a019cfd0b8753a Mon Sep 17 00:00:00 2001 From: az Date: Tue, 7 May 2024 22:42:16 +0200 Subject: [PATCH] playbook.yml aktualisiert --- playbook.yml | 206 ++++++++++++++++++++++++++------------------------- 1 file changed, 104 insertions(+), 102 deletions(-) diff --git a/playbook.yml b/playbook.yml index 5d8bfd3..7175e89 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -1,116 +1,118 @@ --- +- name: ensure safe environment for exams + hosts: localhost # to verify ufw configuration run: # sudo ufw status verbose + tasks: + - name: Install ufw + apt: package=ufw state=present -- name: Install ufw - apt: package=ufw state=present + - name: Configure ufw defaults + ufw: direction={{ item.direction }} policy={{ item.policy }} + with_items: + - { direction: 'incoming', policy: 'deny' } + - { direction: 'outgoing', policy: 'deny' } -- name: Configure ufw defaults - ufw: direction={{ item.direction }} policy={{ item.policy }} - with_items: - - { direction: 'incoming', policy: 'deny' } - - { direction: 'outgoing', policy: 'deny' } + # disable ipv6 + - lineinfile: + path: /etc/default/ufw + state: present + regexp: '^IPV6' + line: 'IPV6=no' -# disable ipv6 -- lineinfile: - path: /etc/default/ufw - state: present - regexp: '^IPV6' - line: 'IPV6=no' + - name: Enable ufw logging + ufw: logging=off -- name: Enable ufw logging - ufw: logging=off + - name: Commenting a line. + replace: + path: /etc/ufw/before.rules + regexp: '(.*limit --limit*)' + replace: '#\1' -- name: Commenting a line. 
- replace: - path: /etc/ufw/before.rules - regexp: '(.*limit --limit*)' - replace: '#\1' + - name: Allow all access to tcp port 123 + ufw: + rule: allow + port: '123' + direction: '{{ item }}' + with_items: + - in + - out -- name: Allow all access to tcp port 123 - ufw: - rule: allow - port: '123' - direction: '{{ item }}' - with_items: - - in - - out + - name: Allow SSH-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '22' + with_items: + - { direction: 'in', destination: '10.16.109.252/32' } + - { direction: 'out', destination: '10.16.109.252/32' } + - { direction: 'in', destination: '10.16.1.1/32' } + - { direction: 'out', destination: '10.16.1.1/32' } + - { direction: 'in', destination: '162.55.5.40/32' } + - { direction: 'out', destination: '162.55.5.40/32' } + - name: Allow https-Access to some servers + ufw: + rule: allow + direction: '{{ item.direction }}' + dest: '{{ item.destination }}' + port: '443' + with_items: + - { direction: 'in', destination: '10.16.109.252/32' } + - { direction: 'out', destination: '10.16.109.252/32' } + - { direction: 'in', destination: '10.16.1.1/32' } + - { direction: 'out', destination: '10.16.1.1/32' } + - { direction: 'in', destination: '162.55.5.40/32' } + - { direction: 'out', destination: '162.55.5.40/32' } -- name: Allow SSH-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '22' - with_items: - - { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { direction: 'out', destination: '162.55.5.40/32' } -- name: Allow https-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '443' - with_items: - 
- { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { direction: 'out', destination: '162.55.5.40/32' } + - name: Enable ufw + ufw: state=enabled -- name: Enable ufw - ufw: state=enabled + - name: Allow dns + ufw: rule={{ item.rule }} port={{ item.port }} + with_items: + - { rule: 'allow', port: '53'} + -- name: Allow dns - ufw: rule={{ item.rule }} port={{ item.port }} - with_items: - - { rule: 'allow', port: '53'} - + - name: start ufw service + service: + name: ufw + state: restarted -- name: start ufw service - service: - name: ufw - state: restarted - -- name: purge some prior installed packages - apt: - name: - - task-kde-desktop - - task-german-kde-desktop - - task-german-desktop - - xdg-desktop-portal-kde - - xdg-desktop-portal-wlr # share screen in browser - - kde-full - - akonadi-backend-sqlite - - thunderbird-l10n-de - - webext-privacy-badger - - webext-ublock-origin-firefox - - webext-ublock-origin-chromium - - vlc - - gimp - - inkscape - - flameshot - - bluefish - - git - - gitk - - gitg - - nmap - - net-tools - - ghex - - thonny - - spyder - - mu-editor - - dia - - vym - - tree - - sqlite3 - - kicad - - kicad-doc-de - autoremove: yes - state: absent + - name: purge some prior installed packages + apt: + name: + - task-kde-desktop + - task-german-kde-desktop + - task-german-desktop + - xdg-desktop-portal-kde + - xdg-desktop-portal-wlr # share screen in browser + - kde-full + - akonadi-backend-sqlite + - thunderbird-l10n-de + - webext-privacy-badger + - webext-ublock-origin-firefox + - webext-ublock-origin-chromium + - vlc + - gimp + - inkscape + - flameshot + - bluefish + - git + - gitk + - gitg + - nmap + - net-tools + - ghex + - thonny + - spyder + - mu-editor + - dia + - vym + - tree + - sqlite3 + - kicad + - kicad-doc-de + 
autoremove: yes + state: absent
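Review bot: The task named `Enable ufw logging` actually switches logging off (`ufw: logging=off`), so connection attempts blocked by the deny defaults leave no record on the exam hosts; either set `logging: 'on'` (or `'low'`) or rename the task so the intent is visible. The `IPV6=no` edit to /etc/default/ufw only stops ufw from managing ip6tables, so if IPv6 is still enabled on the host its traffic is presumably not covered by the incoming/outgoing deny policy at all — keep IPv6 under ufw or confirm it is disabled at the kernel level. The `Commenting a line.` task is not idempotent: `(.*limit --limit*)` also matches lines that are already commented, so every run prepends another `#`, and the trailing `*` quantifies only the final `t`; anchoring it as `regexp: '^([^#].*limit --limit.*)$'` avoids both. The `Allow dns` rule sets neither `direction` nor `proto`, and ufw applies such a rule to incoming traffic, so with the outgoing default policy set to deny the host's own resolver traffic is likely still blocked — confirm whether `direction: out` was intended. `autoremove: yes` should be written `autoremove: true`, and the shorthand `apt: package=ufw state=present` forms would read more consistently in the native YAML style used by the other tasks.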