playbook.yml aktualisiert

2024-05-07 22:42:16 +02:00 · 2024-05-07 22:42:16 +02:00 · 688ecab5cf
parent cbac698e31
commit 688ecab5cf
1 changed files with 104 additions and 102 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -1,116 +1,118 @@
 ---
+- name: ensure safe environment for exams
+  hosts: localhost

 # to verify ufw configuration run:
 # sudo ufw status verbose
+  tasks:
+    - name: Install ufw
+      apt: package=ufw state=present

- name: Install ufw
-  apt: package=ufw state=present
+    - name: Configure ufw defaults
+      ufw: direction={{ item.direction }} policy={{ item.policy }}
+      with_items:
+        - { direction: 'incoming', policy: 'deny' }
+        - { direction: 'outgoing', policy: 'deny' }

- name: Configure ufw defaults
-  ufw: direction={{ item.direction }} policy={{ item.policy }}
-  with_items:
-    - { direction: 'incoming', policy: 'deny' }
-    - { direction: 'outgoing', policy: 'deny' }
+    # disable ipv6
+    - lineinfile:
+        path: /etc/default/ufw
+        state: present
+        regexp: '^IPV6'
+        line: 'IPV6=no'

-# disable ipv6
- lineinfile:
-    path: /etc/default/ufw
-    state: present
-    regexp: '^IPV6'
-    line: 'IPV6=no'
+    - name: Enable ufw logging
+      ufw: logging=off

- name: Enable ufw logging
-  ufw: logging=off
+    - name: Commenting a line.
+      replace:
+        path: /etc/ufw/before.rules
+        regexp: '(.*limit --limit*)'
+        replace: '#\1'

- name: Commenting a line.
-  replace:
-    path: /etc/ufw/before.rules
-    regexp: '(.*limit --limit*)'
-    replace: '#\1'
+    - name: Allow all access to tcp port 123
+      ufw:
+        rule: allow
+        port: '123'
+        direction: '{{ item }}'
+      with_items:
+        - in
+        - out

- name: Allow all access to tcp port 123
-  ufw:
-    rule: allow
-    port: '123'
-    direction: '{{ item }}'
-  with_items:
-    - in
-    - out
+    - name: Allow SSH-Access to some servers
+      ufw:
+        rule: allow
+        direction: '{{ item.direction }}'
+        dest: '{{ item.destination }}'
+        port: '22'
+      with_items:
+        - { direction: 'in',  destination: '10.16.109.252/32' }
+        - { direction: 'out', destination: '10.16.109.252/32' }
+        - { direction: 'in',  destination: '10.16.1.1/32' }
+        - { direction: 'out', destination: '10.16.1.1/32' }
+        - { direction: 'in',  destination: '162.55.5.40/32' }
+        - { direction: 'out', destination: '162.55.5.40/32' }
+    - name: Allow https-Access to some servers
+      ufw:
+        rule: allow
+        direction: '{{ item.direction }}'
+        dest: '{{ item.destination }}'
+        port: '443'
+      with_items:
+        - { direction: 'in',  destination: '10.16.109.252/32' }
+        - { direction: 'out', destination: '10.16.109.252/32' }
+        - { direction: 'in',  destination: '10.16.1.1/32' }
+        - { direction: 'out', destination: '10.16.1.1/32' }
+        - { direction: 'in',  destination: '162.55.5.40/32' }
+        - { direction: 'out', destination: '162.55.5.40/32' }

- name: Allow SSH-Access to some servers
-  ufw:
-    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '22'
-  with_items:
-    - { direction: 'in',  destination: '10.16.109.252/32' }
-    - { direction: 'out', destination: '10.16.109.252/32' }
-    - { direction: 'in',  destination: '10.16.1.1/32' }
-    - { direction: 'out', destination: '10.16.1.1/32' }
-    - { direction: 'in',  destination: '162.55.5.40/32' }
-    - { direction: 'out', destination: '162.55.5.40/32' }
- name: Allow https-Access to some servers
-  ufw:
-    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '443'
-  with_items:
-    - { direction: 'in',  destination: '10.16.109.252/32' }
-    - { direction: 'out', destination: '10.16.109.252/32' }
-    - { direction: 'in',  destination: '10.16.1.1/32' }
-    - { direction: 'out', destination: '10.16.1.1/32' }
-    - { direction: 'in',  destination: '162.55.5.40/32' }
-    - { direction: 'out', destination: '162.55.5.40/32' }
+    - name: Enable ufw
+      ufw: state=enabled

- name: Enable ufw
-  ufw: state=enabled
-
- name: Allow dns
-  ufw: rule={{ item.rule }} port={{ item.port }}
-  with_items:
-     - { rule: 'allow', port: '53'}
+    - name: Allow dns
+      ufw: rule={{ item.rule }} port={{ item.port }}
+      with_items:
+        - { rule: 'allow', port: '53'}
    

- name: start ufw service
-  service: 
-    name: ufw
-    state: restarted
+    - name: start ufw service
+      service: 
+        name: ufw
+        state: restarted

- name: purge some prior installed packages
-  apt: 
-    name: 
-      - task-kde-desktop
-      - task-german-kde-desktop
-      - task-german-desktop
-      - xdg-desktop-portal-kde
-      - xdg-desktop-portal-wlr # share screen in browser
-      - kde-full
-      - akonadi-backend-sqlite
-      - thunderbird-l10n-de
-      - webext-privacy-badger
-      - webext-ublock-origin-firefox
-      - webext-ublock-origin-chromium
-      - vlc
-      - gimp
-      - inkscape
-      - flameshot
-      - bluefish
-      - git
-      - gitk
-      - gitg
-      - nmap
-      - net-tools
-      - ghex
-      - thonny
-      - spyder
-      - mu-editor
-      - dia
-      - vym
-      - tree
-      - sqlite3
-      - kicad
-      - kicad-doc-de
-    autoremove: yes
-    state: absent
+    - name: purge some prior installed packages
+      apt: 
+        name: 
+          - task-kde-desktop
+          - task-german-kde-desktop
+          - task-german-desktop
+          - xdg-desktop-portal-kde
+          - xdg-desktop-portal-wlr # share screen in browser
+          - kde-full
+          - akonadi-backend-sqlite
+          - thunderbird-l10n-de
+          - webext-privacy-badger
+          - webext-ublock-origin-firefox
+          - webext-ublock-origin-chromium
+          - vlc
+          - gimp
+          - inkscape
+          - flameshot
+          - bluefish
+          - git
+          - gitk
+          - gitg
+          - nmap
+          - net-tools
+          - ghex
+          - thonny
+          - spyder
+          - mu-editor
+          - dia
+          - vym
+          - tree
+          - sqlite3
+          - kicad
+          - kicad-doc-de
+        autoremove: yes
+        state: absent