diff --git a/playbook.yml b/playbook.yml index eceb28f..63ee649 100644 --- a/playbook.yml +++ b/playbook.yml @@ -2,17 +2,19 @@ - name: ensure safe environment for exams hosts: localhost vars: - - config_ufw: true - pruefungsuser: "pruefling" - pruefungsgruppe: "prueflinge" - pruefungspasswort: "pruefung" + environment: + PATH: "/sbin:{{ ansible_env.PATH }}" + # to verify ufw configuration run: # sudo ufw status verbose roles: - role: pruefungsuser - role: libreoffice - + - role: ufw tasks: diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml index f3b3c2c..4d566d9 100644 --- a/roles/ufw/tasks/main.yml +++ b/roles/ufw/tasks/main.yml @@ -2,12 +2,12 @@ apt: package=ufw state=present - name: Configure ufw defaults - ufw: direction={{ item.direction }} policy={{ item.policy }} - with_items: + ufw: + direction: "{{ item.direction }}" + policy: "{{ item.policy }}" + loop: - { direction: 'incoming', policy: 'deny' } - { direction: 'outgoing', policy: 'deny' } - environment: - PATH: /sbin:{{ ansible_env.PATH }} # disable ipv6 - lineinfile: 
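Review bot: The new play-level `environment:` with `PATH: "/sbin:{{ ansible_env.PATH }}"` now applies to every task of every role in the play, not only to the ufw tasks that previously carried it, and it relies on `ansible_env` from fact gathering, so the play fails with an undefined-variable error if `gather_facts: false` is ever set. Scoping it to the firewall role keeps the blast radius small, e.g. on the role entry `- role: ufw` / `  environment:` / `    PATH: "/sbin:{{ ansible_env.PATH }}"`. The collapsed hunk leaves it ambiguous whether `pruefungspasswort: "pruefung"` survives on the new side; if it does, a fixed exam-user password committed in the playbook should move to an Ansible Vault variable. The play's `tasks:` section continues outside the hunk.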
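Review bot: The `apt: package=ufw state=present` line directly above the converted task is still in key=value string form while the rest of the role now uses block YAML; for consistency write it as `apt:` / `  name: ufw` / `  state: present`. Setting `policy: deny` for `outgoing` before any allow rule exists also means that on a re-run against an already-enabled ufw the host loses all egress between this task and the allow-rule tasks later in the file; if that window matters, order the default-policy task after the allow rules or apply the rules with the firewall disabled and enable it last. No `state: enabled` task is visible in these hunks, so whether the policies are ever activated cannot be confirmed from the diff.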
@@ -17,99 +17,42 @@ line: 'IPV6=no' - name: Enable ufw logging - ufw: logging=off - environment: - PATH: /sbin:{{ ansible_env.PATH }} + ufw: + logging: off - name: Commenting a line. replace: path: /etc/ufw/before.rules regexp: '^(?!#)(.*limit --limit*)' replace: '#\1' - when: config_ufw -- name: Allow all access to tcp port 123 + +- name: Allow all access to tcp port 3142 ufw: rule: allow port: '3142' direction: '{{ item }}' - with_items: + loop: - in - out - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} -- name: Allow SSH-Access to some servers +- name: set some allow rules ufw: rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '22' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.0.2.254/32' } - - { direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { direction: 'out', destination: '162.55.5.40/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} -- name: Allow https-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '443' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.0.2.254/32' } - - { direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.109.252/32' } - - { direction: 'out', destination: '10.16.109.252/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - - { direction: 'in', destination: '162.55.5.40/32' } - - { 
direction: 'out', destination: '162.55.5.40/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} -- name: Allow apt-proxy-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '3142' - with_items: - - { direction: 'in', destination: '10.0.2.254/32' } - - { direction: 'out', destination: '10.0.2.243/32' } - - { direction: 'in', destination: '10.16.1.3/32' } - - { direction: 'out', destination: '10.16.1.3/32' } - environment: - PATH: /sbin:{{ ansible_env.PATH }} -- name: Allow DNS-Access to some servers - ufw: - rule: allow - direction: '{{ item.direction }}' - dest: '{{ item.destination }}' - port: '53' - with_items: - - { direction: 'in', destination: '10.0.0.1/32' } - - { direction: 'out', destination: '10.0.0.1/32' } - - { direction: 'in', destination: '10.16.1.1/32' } - - { direction: 'out', destination: '10.16.1.1/32' } - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} -- name: Allow dns - ufw: rule={{ item.rule }} port={{ item.port }} - with_items: - - { rule: 'allow', port: '53'} - when: config_ufw - environment: - PATH: /sbin:{{ ansible_env.PATH }} \ No newline at end of file + port: "{{ item.port }}" + direction: "{{ item.direction }}" + dest: "{{ item.destination }}" + loop: + - { port: '22', direction: 'in', destination: '10.0.0.0/24' } + - { port: '22', direction: 'out', destination: '10.0.0.0/24' } + - { port: '22', direction: 'in', destination: '10.16.0.0/12' } + - { port: '22', direction: 'out', destination: '10.16.0.0/12' } + - { port: '22', direction: 'in', destination: '162.55.5.40/32' } + - { port: '22', direction: 'out', destination: '162.55.5.40/32' } + - { port: '53', direction: 'in', destination: '10.16.0.0/12' } + - { port: '53', direction: 'out', destination: '10.16.0.0/12' } + - { port: '443', direction: 'in', destination: '10.16.0.0/12' } + - { port: '443', direction: 'out', destination: '10.16.0.0/12' } + - { port: '443', 
direction: 'in', destination: '162.55.5.40/32' } + - { port: '443', direction: 'out', destination: '162.55.5.40/32' } + +
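Review bot: In the new `set some allow rules` loop every `direction: 'in'` item still keys on `dest:`, which for inbound traffic is the local host's own address, so these rules admit any source to ports 22/53/443 whenever the machine sits in `10.0.0.0/24` or `10.16.0.0/12`; widening from single /32 hosts to a /24 and a /12 makes that gap much larger in a play whose stated purpose is a locked-down exam host. Inbound rules should constrain the peer with `src:` (ufw's `from`) and outbound rules with `dest:`, e.g. `src: "{{ item.src | default(omit) }}"` and `dest: "{{ item.dest | default(omit) }}"` with each loop item carrying only the key that applies; since ufw is stateful, the `in` entries for 53 and 443 that only serve client-initiated traffic are likely unnecessary and can be dropped. Further up, `logging: off` is unquoted and a YAML 1.1 loader turns it into boolean false, which the module's string choices check may reject — write `logging: 'off'`, and note that the task name says "Enable ufw logging" while the value disables the logs a defender would rely on. `Allow all access to tcp port 3142` sets no `proto: tcp`, so the rule matches UDP as well despite its name.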