From 2677085a159f1d39167c9028ce5d13823ef9d5c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torma=20Krist=C3=B3f?=
Date: Sat, 5 Feb 2022 20:00:55 +0100
Subject: [PATCH] change to ufw from firewalld
---
 requirements.yaml | 3 ++-
 roles/common/tasks/firewalld.yaml | 27 ---------------------------
 roles/common/tasks/main.yaml | 2 +-
 roles/common/tasks/ufw.yaml | 20 ++++++++++++++++++++
 roles/mariadb/tasks/main.yaml | 6 ++++++
 roles/postgresql/tasks/main.yaml | 6 ++++++
 roles/smtpgateway/tasks/main.yaml | 5 +++++
 roles/webgateway/tasks/main.yaml | 10 ++++++++++
 roles/webserver/tasks/main.yaml | 5 +++++
 9 files changed, 55 insertions(+), 29 deletions(-)
 delete mode 100644 roles/common/tasks/firewalld.yaml
 create mode 100644 roles/common/tasks/ufw.yaml
diff --git a/requirements.yaml b/requirements.yaml
index a5b247c..6d6e45e 100644
--- a/requirements.yaml
+++ b/requirements.yaml
@@ -1,3 +1,4 @@
 ---
 collections:
-- ansible.posix
\ No newline at end of file
+- ansible.posix
+- community.general
\ No newline at end of file
diff --git a/roles/common/tasks/firewalld.yaml b/roles/common/tasks/firewalld.yaml
deleted file mode 100644
index fca96b0..0000000
--- a/roles/common/tasks/firewalld.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: "Install Docker via apt"
- apt:
- update_cache: yes
- state: present
- name:
- - firewalld
-
-- name: Start and enable firewalld
- service:
- name: firewalld
- state: restarted
- enabled: yes
-
-- name: Permit traffic in public zone for https service
- ansible.posix.firewalld:
- zone: public
- service: https
- permanent: yes
- state: enabled
-
-- name: Permit traffic in public zone for ssh service
- ansible.posix.firewalld:
- zone: public
- service: ssh
- permanent: yes
- state: enabled
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index 01e8fbb..1d53ea8 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -4,7 +4,7 @@
 - include_tasks: clean-motd.yaml
 - include_tasks: remove-snap.yaml
 - include_tasks: disable-cloudinit.yaml
-- include_tasks: firewalld.yaml
+- include_tasks: ufw.yaml
 - include_tasks: service-user.yaml
 - include_tasks: ssh-security-settings.yaml
 - include_tasks: timesync.yaml
\ No newline at end of file
diff --git a/roles/common/tasks/ufw.yaml b/roles/common/tasks/ufw.yaml
new file mode 100644
index 0000000..0010da0
--- /dev/null
+++ b/roles/common/tasks/ufw.yaml
@@ -0,0 +1,20 @@
+---
+- name: "Install ufw via apt"
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - ufw
+
+- name: Enable ufw
+ community.general.ufw:
+ state: enabled
+
+- name: Reset ufw rules to default
+ community.general.ufw:
+ state: reset
+
+- name: Allow ssh via ufw
+ community.general.ufw:
+ rule: allow
+ port: ssh
diff --git a/roles/mariadb/tasks/main.yaml b/roles/mariadb/tasks/main.yaml
index db7dedc..0688bcb 100644
--- a/roles/mariadb/tasks/main.yaml
+++ b/roles/mariadb/tasks/main.yaml
@@ -11,3 +11,9 @@
 name: mariadb
 state: restarted
 enabled: yes
+
+- name: Allow mysql port via ufw
+ community.general.ufw:
+ rule: allow
+ port: 3306
+ proto: tcp
diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml
index ae61118..aebd49d 100644
--- a/roles/postgresql/tasks/main.yaml
+++ b/roles/postgresql/tasks/main.yaml
@@ -11,3 +11,9 @@
 name: postgresql
 state: restarted
 enabled: yes
+
+- name: Allow postgresql port via ufw
+ community.general.ufw:
+ rule: allow
+ port: 5432
+ proto: tcp
diff --git a/roles/smtpgateway/tasks/main.yaml b/roles/smtpgateway/tasks/main.yaml
index 25ca2ca..e36a092 100644
--- a/roles/smtpgateway/tasks/main.yaml
+++ b/roles/smtpgateway/tasks/main.yaml
@@ -25,3 +25,8 @@
 name: postfix
 state: restarted
 enabled: yes
+
+- name: Allow smtp port via ufw
+ community.general.ufw:
+ rule: allow
+ port: smtp
\ No newline at end of file
diff --git a/roles/webgateway/tasks/main.yaml b/roles/webgateway/tasks/main.yaml
index 0e008ca..32ffd50 100644
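Review bot: ufw.yaml is now included before ssh-security-settings.yaml, and the only ssh rule it installs is `port: ssh`, which resolves to 22 through /etc/services rather than to whatever port the later task may configure. I cannot see ssh-security-settings.yaml from this patch; if it moves sshd off port 22, the allow rule should be driven by the same variable (e.g. `port: "{{ ssh_port }}"`, placeholder name), otherwise the first new connection after the play is dropped. If sshd stays on 22 this is fine as written.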
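Review bot: The task order in the new ufw.yaml leaves the host with the firewall switched off: `state: reset` in the third task disables ufw and clears its rules (that is the module's documented reset behaviour) right after the second task enabled it, and nothing enables it again, so the final `Allow ssh via ufw` rule is written into an inactive firewall. Enabling before the ssh allow rule is also the lock-out-prone order, since ufw's default incoming policy is deny. Reorder to reset, set the default incoming policy explicitly, allow ssh, then enable, as below; note that reset is not idempotent and reports changed on every run, so guard it or drop it once the rule set here is authoritative. `update_cache: yes` should also be written `update_cache: true` (yamllint truthy).
```yaml
# … unchanged: "Install ufw via apt" task …

- name: Reset ufw rules to default
  community.general.ufw:
    state: reset

- name: Deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming

- name: Allow ssh via ufw
  community.general.ufw:
    rule: allow
    port: ssh

- name: Enable ufw
  community.general.ufw:
    state: enabled
```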
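Review bot: The new rule allows 3306/tcp from any source, and the postgresql hunk in roles/postgresql/tasks/main.yaml does the same for 5432/tcp; the firewalld tasks this commit deletes only ever exposed ssh and https, so this is a widening of the exposed surface introduced here rather than a carry-over. If the databases are only consumed by application hosts, restrict the rule with `from_ip`, e.g. `from_ip: "<APP_SUBNET_CIDR>"` (placeholder), or bind the service to localhost and drop the rule entirely. Either way the exposure decision deserves a comment above the task so the next maintainer knows it was deliberate.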
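Review bot: The smtp rule is added without `proto`, as are the http/https rules in the webgateway and webserver hunks, while the mariadb and postgresql rules in the same commit pin `proto: tcp`; without it ufw opens the port for both tcp and udp. Add `proto: tcp` under each of these rules for consistency and to keep the opening to what postfix and apache2 actually listen on.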
--- a/roles/webgateway/tasks/main.yaml
+++ b/roles/webgateway/tasks/main.yaml
@@ -13,3 +13,13 @@
 name: apache2
 state: restarted
 enabled: yes
+
+- name: Allow http port via ufw
+ community.general.ufw:
+ rule: allow
+ port: http
+
+- name: Allow https port via ufw
+ community.general.ufw:
+ rule: allow
+ port: https
diff --git a/roles/webserver/tasks/main.yaml b/roles/webserver/tasks/main.yaml
index dbde28b..a13a75b 100644
--- a/roles/webserver/tasks/main.yaml
+++ b/roles/webserver/tasks/main.yaml
@@ -21,3 +21,8 @@
 name: apache2
 state: restarted
 enabled: yes
+
+- name: Allow https port via ufw
+ community.general.ufw:
+ rule: allow
+ port: https