playbook.yml aktualisiert

This commit is contained in:
az 2024-05-07 22:42:16 +02:00
parent cbac698e31
commit 688ecab5cf
1 changed files with 104 additions and 102 deletions


@ -1,116 +1,118 @@
--- ---
- name: ensure safe environment for exams
hosts: localhost
# to verify ufw configuration run: # to verify ufw configuration run:
# sudo ufw status verbose # sudo ufw status verbose
tasks:
- name: Install ufw
apt: package=ufw state=present
- name: Install ufw - name: Configure ufw defaults
apt: package=ufw state=present ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'deny' }
- name: Configure ufw defaults # disable ipv6
ufw: direction={{ item.direction }} policy={{ item.policy }} - lineinfile:
with_items: path: /etc/default/ufw
- { direction: 'incoming', policy: 'deny' } state: present
- { direction: 'outgoing', policy: 'deny' } regexp: '^IPV6'
line: 'IPV6=no'
# disable ipv6 - name: Enable ufw logging
- lineinfile: ufw: logging=off
path: /etc/default/ufw
state: present
regexp: '^IPV6'
line: 'IPV6=no'
- name: Enable ufw logging - name: Commenting a line.
ufw: logging=off replace:
path: /etc/ufw/before.rules
regexp: '(.*limit --limit*)'
replace: '#\1'
- name: Commenting a line. - name: Allow all access to tcp port 123
replace: ufw:
path: /etc/ufw/before.rules rule: allow
regexp: '(.*limit --limit*)' port: '123'
replace: '#\1' direction: '{{ item }}'
with_items:
- in
- out
- name: Allow all access to tcp port 123 - name: Allow SSH-Access to some servers
ufw: ufw:
rule: allow rule: allow
port: '123' direction: '{{ item.direction }}'
direction: '{{ item }}' dest: '{{ item.destination }}'
with_items: port: '22'
- in with_items:
- out - { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
- name: Allow SSH-Access to some servers - name: Enable ufw
ufw: ufw: state=enabled
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '22'
with_items:
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
- name: Enable ufw - name: Allow dns
ufw: state=enabled ufw: rule={{ item.rule }} port={{ item.port }}
with_items:
- { rule: 'allow', port: '53'}
- name: Allow dns - name: start ufw service
ufw: rule={{ item.rule }} port={{ item.port }} service:
with_items: name: ufw
- { rule: 'allow', port: '53'} state: restarted
- name: start ufw service - name: purge some prior installed packages
service: apt:
name: ufw name:
state: restarted - task-kde-desktop
- task-german-kde-desktop
- name: purge some prior installed packages - task-german-desktop
apt: - xdg-desktop-portal-kde
name: - xdg-desktop-portal-wlr # share screen in browser
- task-kde-desktop - kde-full
- task-german-kde-desktop - akonadi-backend-sqlite
- task-german-desktop - thunderbird-l10n-de
- xdg-desktop-portal-kde - webext-privacy-badger
- xdg-desktop-portal-wlr # share screen in browser - webext-ublock-origin-firefox
- kde-full - webext-ublock-origin-chromium
- akonadi-backend-sqlite - vlc
- thunderbird-l10n-de - gimp
- webext-privacy-badger - inkscape
- webext-ublock-origin-firefox - flameshot
- webext-ublock-origin-chromium - bluefish
- vlc - git
- gimp - gitk
- inkscape - gitg
- flameshot - nmap
- bluefish - net-tools
- git - ghex
- gitk - thonny
- gitg - spyder
- nmap - mu-editor
- net-tools - dia
- ghex - vym
- thonny - tree
- spyder - sqlite3
- mu-editor - kicad
- dia - kicad-doc-de
- vym autoremove: yes
- tree state: absent
- sqlite3
- kicad
- kicad-doc-de
autoremove: yes
state: absent
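Review bot: The task named `Enable ufw logging` actually sets `ufw: logging=off` (the new side keeps this unchanged), so the task name contradicts its effect and the host will keep no record of blocked or rate-limited connections in an environment the play is meant to lock down. If logging is intended, change it to `ufw: logging=low` (the module also accepts `on`, `medium`, `high`, `full`); if the disable is deliberate, rename the task to `Disable ufw logging` and add a comment `# logging disabled on purpose: <reason>` so the next reader does not "fix" it. Related and worth a second look: the `lineinfile` that writes `IPV6=no` to `/etc/default/ufw` stops ufw from managing ip6tables, so the `deny` defaults and the per-destination allow rules would not apply to IPv6 traffic if the exam hosts have IPv6 connectivity — I cannot tell from the hunk whether they do. Finally, `autoremove: yes` in the purge task should be `autoremove: true`, since `yes` is a YAML 1.1 boolean spelling that yamllint's truthy rule flags.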