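---
# Locks a workstation down for written exams: default-deny ufw policy with a
# short allow-list of infrastructure servers, IPv6 off, a dedicated exam
# account, removal of tools that would help during an exam, and a pinned
# timezone. Runs against the machine itself (hosts: localhost).
#
# To verify the resulting ufw configuration run:
#   sudo ufw status verbose
- name: ensure safe environment for exams
  hosts: localhost
  # apt, ufw and the /etc edits all need root; a no-op when already root.
  become: true
  vars:
    # Set to false to skip every firewall task together (install, policy,
    # rules, activation). Skipping only some of them would leave the host
    # with a default-deny policy and no allow rules.
    config_ufw: true
    # Name of the exam account and of its primary group.
    pruefungsuser: "pruefung"
    # Initial password of the exam account. Override it at run time
    # (-e pruefungspasswort=... or a vault) instead of committing a real one.
    pruefungspasswort: "morz"
  # ufw lives in /sbin, which is not on PATH for every login shell; applied
  # once here instead of being repeated on every ufw task.
  environment:
    PATH: "/sbin:{{ ansible_env.PATH }}"
  roles:
    - role: libreoffice
  tasks:
    - name: Install ufw
      apt:
        package: ufw
        state: present
      when: config_ufw

    - name: Configure ufw defaults (deny everything not explicitly allowed)
      ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: 'incoming', policy: 'deny' }
        - { direction: 'outgoing', policy: 'deny' }
      when: config_ufw

    - name: Disable IPv6 in ufw
      # Only takes effect after ufw is restarted, hence the handler.
      lineinfile:
        path: /etc/default/ufw
        state: present
        regexp: '^IPV6'
        line: 'IPV6=no'
      when: config_ufw
      notify: restart ufw

    - name: Disable ufw logging
      # 'off' must stay quoted: an unquoted off is a YAML 1.1 boolean. Use
      # 'low' instead if blocked connections during an exam should be
      # auditable afterwards.
      ufw:
        logging: 'off'
      when: config_ufw

    - name: Comment out the rate-limit line in /etc/ufw/before.rules
      # The negative lookahead makes the task idempotent: a line that is
      # already commented is not matched again, so re-runs do not stack
      # another '#' in front of it.
      replace:
        path: /etc/ufw/before.rules
        regexp: '^(?!#)(.*limit --limit.*)$'
        replace: '#\1'
      when: config_ufw
      notify: restart ufw

    - name: Allow the apt proxy port (3142) in both directions
      # NOTE(review): this rule has no destination, so it supersedes the
      # per-server 3142 rules further down; narrow or drop it if the proxy
      # should only be reachable at the listed addresses. No `proto` is set,
      # so ufw applies it to tcp and udp alike.
      ufw:
        rule: allow
        port: '3142'
        direction: "{{ item }}"
      loop:
        - in
        - out
      when: config_ufw

    - name: Allow SSH-Access to some servers
      # NOTE(review): for direction 'in' the ufw module's `dest` (alias of
      # `to_ip`) is the local address a packet is sent to, not the peer; if
      # the intent is to accept connections coming *from* these servers,
      # `from_ip` (alias `src`) is the parameter. Confirm with
      # `ufw status verbose`. The same applies to the https, apt-proxy and
      # DNS rules below. The in/out pair 10.0.2.254 / 10.0.2.243 is
      # asymmetric — verify that it is not a typo.
      ufw:
        rule: allow
        direction: "{{ item.direction }}"
        dest: "{{ item.destination }}"
        port: '22'
      loop:
        - { direction: 'in', destination: '10.0.0.1/32' }
        - { direction: 'out', destination: '10.0.0.1/32' }
        - { direction: 'in', destination: '10.0.2.254/32' }
        - { direction: 'out', destination: '10.0.2.243/32' }
        - { direction: 'in', destination: '10.16.109.252/32' }
        - { direction: 'out', destination: '10.16.109.252/32' }
        - { direction: 'in', destination: '10.16.1.1/32' }
        - { direction: 'out', destination: '10.16.1.1/32' }
        - { direction: 'in', destination: '162.55.5.40/32' }
        - { direction: 'out', destination: '162.55.5.40/32' }
      when: config_ufw

    - name: Allow https-Access to some servers
      ufw:
        rule: allow
        direction: "{{ item.direction }}"
        dest: "{{ item.destination }}"
        port: '443'
      loop:
        - { direction: 'in', destination: '10.0.0.1/32' }
        - { direction: 'out', destination: '10.0.0.1/32' }
        - { direction: 'in', destination: '10.0.2.254/32' }
        - { direction: 'out', destination: '10.0.2.243/32' }
        - { direction: 'in', destination: '10.16.109.252/32' }
        - { direction: 'out', destination: '10.16.109.252/32' }
        - { direction: 'in', destination: '10.16.1.1/32' }
        - { direction: 'out', destination: '10.16.1.1/32' }
        - { direction: 'in', destination: '162.55.5.40/32' }
        - { direction: 'out', destination: '162.55.5.40/32' }
      when: config_ufw

    - name: Allow apt-proxy-Access to some servers
      # Currently shadowed by the unrestricted 3142 rule above.
      ufw:
        rule: allow
        direction: "{{ item.direction }}"
        dest: "{{ item.destination }}"
        port: '3142'
      loop:
        - { direction: 'in', destination: '10.0.2.254/32' }
        - { direction: 'out', destination: '10.0.2.243/32' }
        - { direction: 'in', destination: '10.16.1.3/32' }
        - { direction: 'out', destination: '10.16.1.3/32' }
      when: config_ufw

    - name: Allow DNS-Access to some servers
      # Currently shadowed by the unrestricted port-53 rule that follows.
      ufw:
        rule: allow
        direction: "{{ item.direction }}"
        dest: "{{ item.destination }}"
        port: '53'
      loop:
        - { direction: 'in', destination: '10.0.0.1/32' }
        - { direction: 'out', destination: '10.0.0.1/32' }
        - { direction: 'in', destination: '10.16.1.1/32' }
        - { direction: 'out', destination: '10.16.1.1/32' }
      when: config_ufw

    - name: Allow dns
      # NOTE(review): allows port 53 to any address in any direction, which
      # makes the per-server DNS rule above redundant; drop one of the two
      # once the intended resolver set is confirmed.
      ufw:
        rule: allow
        port: '53'
      when: config_ufw

    - name: disable mounting of usb flash drives
      # NOTE(review): mode 0700 on /media only hides the mountpoints from
      # non-root users; whether removable media can be mounted at all is
      # decided elsewhere (automounter / udisks policy) — confirm the intent.
      file:
        path: /media
        owner: root
        mode: '0700'

    - name: create user group pruefung
      group:
        name: "{{ pruefungsuser }}"
        state: present

    - name: create exam user
      ansible.builtin.user:
        name: "{{ pruefungsuser }}"
        # A fixed, host-derived salt keeps the hash identical between runs so
        # the task stays idempotent; an unsalted password_hash picks a new
        # random salt and reports "changed" on every run.
        password: "{{ pruefungspasswort | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        shell: /bin/bash
        comment: Prüfungsbenutzer
        group: "{{ pruefungsuser }}"

    - name: create .config dir for created user
      file:
        path: "/home/{{ pruefungsuser }}/.config/"
        state: directory
        mode: "0700"
        owner: "{{ pruefungsuser }}"
        group: "{{ pruefungsuser }}"

    - name: Set timezone to Europe/Vienna
      timezone:
        name: Europe/Vienna

    - name: purge some prior installed packages
      # state: absent removes the packages but keeps their configuration
      # files; add `purge: true` if the name's "purge" is meant literally.
      apt:
        name:
          - task-kde-desktop
          - task-german-kde-desktop
          - task-german-desktop
          - xdg-desktop-portal-kde
          - xdg-desktop-portal-wlr
          - akonadi-backend-sqlite
          - thunderbird-l10n-de
          - webext-privacy-badger
          - webext-ublock-origin-firefox
          - webext-ublock-origin-chromium
          - vlc
          - gimp
          - inkscape
          - flameshot
          - bluefish
          - nmap
          - net-tools
          - ghex
          - thonny
          - spyder
          - mu-editor
          - dia
          - vym
          - tree
          - sqlite3
          - kicad
          - kicad-doc-de
          - akonadi-backend-mysql
          - akonadi-contacts-data
          - akonadi-mime-data
          - akonadi-server
          - akregator
          - aspell
          - aspell-de
          - dolphin
          - firebird3.0-common
          - gimp-data
          - gwenview
          - hyphen-en-us
          - ingerman
          - ispell
          - kate
          - kcalc
          - kmail
          - knotes
          - korganizer
          - wamerican
          - dragonplayer
          - juk
        autoremove: true
        state: absent

    - name: install some prior installed packages
      # `latest` upgrades curl on every run where a newer version exists;
      # `present` would be the idempotent choice if upgrades are not wanted.
      apt:
        name:
          - curl
        state: latest

    - name: Enable ufw
      ufw:
        state: enabled
      when: config_ufw

  handlers:
    # Restart only when /etc/default/ufw or before.rules actually changed,
    # instead of unconditionally on every run (which reported "changed" each
    # time and reloaded the ruleset for no reason). Rules added through the
    # ufw module are applied live and do not need a restart.
    - name: restart ufw
      service:
        name: ufw
        state: restarted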