From cbac698e3150a26a0dca5351cb1f7c02ed37a5ba Mon Sep 17 00:00:00 2001
From: az
Date: Tue, 7 May 2024 22:34:14 +0200
Subject: [PATCH] =?UTF-8?q?playbook.yml=20hinzugef=C3=BCgt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 playbook.yml | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 playbook.yml

diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..5d8bfd3
--- /dev/null
+++ b/playbook.yml
@@ -0,0 +1,116 @@
+---
+
+# to verify ufw configuration run:
+# sudo ufw status verbose
+
+- name: Install ufw
+ apt: package=ufw state=present
+
+- name: Configure ufw defaults
+ ufw: direction={{ item.direction }} policy={{ item.policy }}
+ with_items:
+ - { direction: 'incoming', policy: 'deny' }
+ - { direction: 'outgoing', policy: 'deny' }
+
+# disable ipv6
+- lineinfile:
+ path: /etc/default/ufw
+ state: present
+ regexp: '^IPV6'
+ line: 'IPV6=no'
+
+- name: Enable ufw logging
+ ufw: logging=off
+
+- name: Commenting a line.
+ replace:
+ path: /etc/ufw/before.rules
+ regexp: '(.*limit --limit*)'
+ replace: '#\1'
+
+- name: Allow all access to tcp port 123
+ ufw:
+ rule: allow
+ port: '123'
+ direction: '{{ item }}'
+ with_items:
+ - in
+ - out
+
+- name: Allow SSH-Access to some servers
+ ufw:
+ rule: allow
+ direction: '{{ item.direction }}'
+ dest: '{{ item.destination }}'
+ port: '22'
+ with_items:
+ - { direction: 'in', destination: '10.16.109.252/32' }
+ - { direction: 'out', destination: '10.16.109.252/32' }
+ - { direction: 'in', destination: '10.16.1.1/32' }
+ - { direction: 'out', destination: '10.16.1.1/32' }
+ - { direction: 'in', destination: '162.55.5.40/32' }
+ - { direction: 'out', destination: '162.55.5.40/32' }
+- name: Allow https-Access to some servers
+ ufw:
+ rule: allow
+ direction: '{{ item.direction }}'
+ dest: '{{ item.destination }}'
+ port: '443'
+ with_items:
+ - { direction: 'in', destination: '10.16.109.252/32' }
+ - { direction: 'out', destination: '10.16.109.252/32' }
+ - { direction: 'in', destination: '10.16.1.1/32' }
+ - { direction: 'out', destination: '10.16.1.1/32' }
+ - { direction: 'in', destination: '162.55.5.40/32' }
+ - { direction: 'out', destination: '162.55.5.40/32' }
+
+- name: Enable ufw
+ ufw: state=enabled
+
+- name: Allow dns
+ ufw: rule={{ item.rule }} port={{ item.port }}
+ with_items:
+ - { rule: 'allow', port: '53'}
+
+
+- name: start ufw service
+ service:
+ name: ufw
+ state: restarted
+
+- name: purge some prior installed packages
+ apt:
+ name:
+ - task-kde-desktop
+ - task-german-kde-desktop
+ - task-german-desktop
+ - xdg-desktop-portal-kde
+ - xdg-desktop-portal-wlr # share screen in browser
+ - kde-full
+ - akonadi-backend-sqlite
+ - thunderbird-l10n-de
+ - webext-privacy-badger
+ - webext-ublock-origin-firefox
+ - webext-ublock-origin-chromium
+ - vlc
+ - gimp
+ - inkscape
+ - flameshot
+ - bluefish
+ - git
+ - gitk
+ - gitg
+ - nmap
+ - net-tools
+ - ghex
+ - thonny
+ - spyder
+ - mu-editor
+ - dia
+ - vym
+ - tree
+ - sqlite3
+ - kicad
+ - kicad-doc-de
+ autoremove: yes
+ state: absent
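Review bot: The `# disable ipv6` task only writes `IPV6=no` into /etc/default/ufw, which stops ufw from loading ip6tables rules but does not disable IPv6 on the host, so any IPv6 connectivity the host has bypasses the deny-by-default policy set in "Configure ufw defaults" entirely — either keep `IPV6=yes` so the same rules cover both address families, or disable IPv6 at the sysctl level and reword the comment to say which one is meant. The "Allow dns" task (`ufw: rule={{ item.rule }} port={{ item.port }}`) sets no direction, so with the ufw module's default it opens inbound 53 only; together with the `outgoing: deny` default this leaves the host itself unable to resolve names after `state=enabled`, unless a `direction: out` item is added to that loop. The task named "Enable ufw logging" sets `ufw: logging=off`, which drops the firewall's own audit trail — either rename it or use `logging=on` (or `low`) as the name promises. The "Commenting a line." regexp `(.*limit --limit*)` also matches lines that are already commented out (and its trailing `*` only repeats the `t`), so every run prepends another `#`; `regexp: '^([^#].*limit --limit.*)$'` keeps the task idempotent. Style-wise, `with_items` and the `key=value` argument form are legacy Ansible syntax and `autoremove: yes` is a truthy value — prefer `loop:`, block-YAML module arguments and `autoremove: true`; note that indentation appears flattened in this rendering, so the nesting of the task bodies could not be checked here.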