From 75d7aad012a941983a02d03d7ba29e3dca4462a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torma=20Krist=C3=B3f?=
Date: Sat, 16 Apr 2022 17:47:49 +0200
Subject: [PATCH] custom firewall solution
---
 gitea.yaml | 2 +-
 host_vars/git.yaml | 7 +++-
 host_vars/neko.yaml | 17 +++++++++
 neko.yaml | 1 +
 roles/backupscript/files/ssh_config | 4 +++
 roles/backupscript/tasks/main.yaml | 14 ++++++--
 roles/backupscript/templates/backupscript.sh | 4 +--
 roles/customfirewall/tasks/main.yaml | 8 +++++
 roles/gitea/tasks/main.yaml | 6 ----
 roles/neko/tasks/main.yaml | 37 --------------------
 10 files changed, 50 insertions(+), 50 deletions(-)
 create mode 100644 host_vars/neko.yaml
 create mode 100644 roles/backupscript/files/ssh_config
 create mode 100644 roles/customfirewall/tasks/main.yaml
 delete mode 100644 roles/gitea/tasks/main.yaml
diff --git a/gitea.yaml b/gitea.yaml
index aeac613..f80bfc5 100644
--- a/gitea.yaml
+++ b/gitea.yaml
@@ -8,4 +8,4 @@
 - webserver
 - internalsmtp
 - backupscript
- - gitea
+ - customfirewall
diff --git a/host_vars/git.yaml b/host_vars/git.yaml
index 9d99495..bffbbc0 100644
--- a/host_vars/git.yaml
+++ b/host_vars/git.yaml
@@ -2,4 +2,9 @@
 servicename: git
 backup:
 prearecommand: ""
- folder: "/home/git"
+ folder: "/home/service-user"
+ tarfolder: "gitea docker-compose.yml"
+firewall:
+ - port: "2222"
+ proto: tcp
+ interface: "eth0"
diff --git a/host_vars/neko.yaml b/host_vars/neko.yaml
new file mode 100644
index 0000000..974320a
--- /dev/null
+++ b/host_vars/neko.yaml
@@ -0,0 +1,17 @@
+---
+firewall:
+ - port: "ssh"
+ proto: tcp
+ interface: "eth0"
+ - port: "http"
+ proto: tcp
+ interface: "eth1"
+ - port: "https"
+ proto: tcp
+ interface: "eth1"
+ - port: "ssh"
+ proto: tcp
+ interface: "eth1"
+ - port: "59000:59049"
+ proto: udp
+ interface: "eth1"
diff --git a/neko.yaml b/neko.yaml
index 8851316..7bc3087 100644
--- a/neko.yaml
+++ b/neko.yaml
@@ -5,4 +5,5 @@
 - common
 - docker
 - neko
+ - customfirewall
 - internalsmtp
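Review bot: `folder: "/home/service-user"` in host_vars/git.yaml has no trailing slash, and backupscript.sh in this same patch hands it to `rsync` as the source, so by rsync's usual rule the directory itself is copied and lands as `staging/service-user/`; the new `tarfolder: "gitea docker-compose.yml"` is then resolved relative to `staging` by the `tar -C` call and would not find those entries unless staging already holds them at top level — worth confirming against the backup host. If the contents are meant to sit directly in staging, `folder: "/home/service-user/"` fixes it; otherwise the members need the prefix, e.g. `tarfolder: "service-user/gitea service-user/docker-compose.yml"`. Either way a comment on `tarfolder` noting that it is a whitespace-separated list of tar members (two entries here, not one path) would stop the next reader from quoting it as a single path.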
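Review bot: The `port: "ssh"` entry on `eth1` in the new host_vars/neko.yaml carries no source restriction, while the ssh rule this patch removes from roles/neko/tasks/main.yaml was limited to eth0 and `from_ip: "192.168.69.0/24"`, and the removed task names label eth1 as the internet-facing side; as written this widens ssh reachability from the local net to any source. The `firewall` list has no `from_ip` or `direction` field, so that restriction cannot be expressed in host_vars without extending the customfirewall role. If the wider exposure is intended, a comment above the entry such as `# ssh on eth1 is deliberately open to all sources` would record the decision; otherwise drop the eth1 ssh entry and, once the role forwards it, add `from_ip: "192.168.69.0/24"` to the eth0 entry.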
diff --git a/roles/backupscript/files/ssh_config b/roles/backupscript/files/ssh_config
new file mode 100644
index 0000000..a3e4855
--- /dev/null
+++ b/roles/backupscript/files/ssh_config
@@ -0,0 +1,4 @@
+Host backup backup.stargate.internal
+ HostName backup.stargate.internal
+ User backup
+ IdentityFile ~/.ssh/id_rsa
diff --git a/roles/backupscript/tasks/main.yaml b/roles/backupscript/tasks/main.yaml
index f846c90..bbfd3d2 100644
--- a/roles/backupscript/tasks/main.yaml
+++ b/roles/backupscript/tasks/main.yaml
@@ -11,7 +11,7 @@
 copy:
 src: backup-script.service
 dest: /usr/lib/systemd/system/backup-script.service
- mode: 644
+ mode: 0644
 owner: root
 group: root
@@ -19,7 +19,7 @@
 copy:
 src: backup.target
 dest: /usr/lib/systemd/system/backup.target
- mode: 644
+ mode: 0644
 owner: root
 group: root
@@ -27,7 +27,7 @@
 copy:
 src: backup.timer
 dest: /usr/lib/systemd/system/backup.timer
- mode: 644
+ mode: 0644
 owner: root
 group: root
@@ -49,3 +49,11 @@
 ansible.builtin.systemd:
 enabled: yes
 name: backup.timer
+
+- name: Copy ssh config
+ copy:
+ src: ssh_config
+ dest: /root/.ssh/config
+ mode: 0600
+ owner: root
+ group: root
diff --git a/roles/backupscript/templates/backupscript.sh b/roles/backupscript/templates/backupscript.sh
index 4562f36..636febe 100644
--- a/roles/backupscript/templates/backupscript.sh
+++ b/roles/backupscript/templates/backupscript.sh
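Review bot: The new ssh_config resolves `backup` to `backup.stargate.internal`, and backupscript.sh in this patch moves from the literal `192.168.69.26` to that name, yet nothing in the role pins the backup host's key: with no managed known_hosts entry, the first run from a freshly provisioned host either hangs on the host-key prompt (fatal under a systemd timer) or depends on whatever is already in root's known_hosts. Since the backup stream now follows a DNS name, I would have the role deposit the backup host's key with `ansible.builtin.known_hosts` and add `StrictHostKeyChecking yes` under this `Host` block, so a resolution change cannot silently redirect the rsync. `IdentityFile ~/.ssh/id_rsa` is ssh's default and could be dropped or commented as intentional.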
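Review bot: `mode: 0644` in the three copy tasks (hunks at -11, -19 and -27) is a YAML 1.1 octal literal that Ansible's loader reads as 420, so the change from `644` does fix the permission, but a YAML 1.2 loader or yamllint's `octal-values` rule reads the same token as decimal 644. The portable form is the quoted string `mode: "0644"`, which Ansible also accepts, and the new task in the -49 hunk would use `mode: "0600"` for the same reason.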
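Review bot: The `Copy ssh config` task writes `/root/.ssh/config` without first ensuring `/root/.ssh` exists with mode 0700, so on a host where root has never used ssh the copy fails, and on a host that already has a hand-maintained `/root/.ssh/config` the file is replaced without a trace. A preceding `ansible.builtin.file` task creating the directory, plus `backup: yes` on the copy (or a comment stating the file is role-owned and will be overwritten), covers both cases. The enclosing task list continues outside the hunk.
```yaml
- name: Ensure root ssh directory exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: "0700"
    owner: root
    group: root

# … unchanged: Copy ssh config task (add backup: yes) …
```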
@@ -3,6 +3,6 @@
 {{backup.prearecommand}}
-time ( rsync -azP --delete {{backup.folder}} backup@192.168.69.26:/mnt/backupstore/{{servicename}}/staging )
+time ( rsync -azP --delete {{backup.folder}} backup@backup.stargate.internal:/mnt/backupstore/{{servicename}}/staging )
-time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging' )
+time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging {{backup.tarfolder}}' )
diff --git a/roles/customfirewall/tasks/main.yaml b/roles/customfirewall/tasks/main.yaml
new file mode 100644
index 0000000..2894a95
--- /dev/null
+++ b/roles/customfirewall/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: Apply custom ufw rules
+ community.general.ufw:
+ rule: allow
+ port: "{{item.port}}"
+ proto: {{item.proto}}
+ interface: {{item.interface}}
+ with_items: "{{firewall}}"
diff --git a/roles/gitea/tasks/main.yaml b/roles/gitea/tasks/main.yaml
deleted file mode 100644
index 1d88499..0000000
--- a/roles/gitea/tasks/main.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Allow git ssh via ufw
- community.general.ufw:
- rule: allow
- port: 2222
- proto: tcp
diff --git a/roles/neko/tasks/main.yaml b/roles/neko/tasks/main.yaml
index d918cd0..171c546 100644
--- a/roles/neko/tasks/main.yaml
+++ b/roles/neko/tasks/main.yaml
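Review bot: `{{backup.tarfolder}}` is interpolated into the remote tar command with no default, so any host that includes the backupscript role but does not set `backup.tarfolder` (only host_vars/git.yaml sets it in this patch) fails at template time with an undefined-variable error. If every backup host is expected to define it, say so in the template, e.g. `# requires backup.folder and backup.tarfolder (tar members, whitespace-separated) from host_vars`; otherwise `{{backup.tarfolder | default('.')}}` archives the whole staging directory as before. The value is deliberately word-split by the remote shell (`"gitea docker-compose.yml"` becomes two members inside the single-quoted command), which deserves a comment since it reads like one path. The script's first two lines are outside the hunk.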
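Review bot: `proto: {{item.proto}}` and `interface: {{item.interface}}` are unquoted Jinja expressions at the start of a value, which YAML parses as a flow mapping before Ansible ever templates them, so this task file fails to load; they need the same quoting as the `port` line: `proto: "{{ item.proto }}"` and `interface: "{{ item.interface }}"`. The task also drops the `direction: in` and `from_ip` keys the removed neko rules used, so a per-host source restriction can no longer be expressed through the `firewall` list; forwarding optional keys with `default(omit)` keeps the host_vars schema small while allowing it. `loop:` with a `loop_control` label instead of `with_items` is a style preference that also makes the play output name each rule.
```yaml
- name: Apply custom ufw rules
  community.general.ufw:
    rule: allow
    direction: "{{ item.direction | default('in') }}"
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    interface: "{{ item.interface }}"
    from_ip: "{{ item.from_ip | default(omit) }}"
  loop: "{{ firewall }}"
  loop_control:
    label: "{{ item.proto }}/{{ item.port }} on {{ item.interface }}"
```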
@@ -26,40 +26,3 @@
 - name: Enable ufw
 community.general.ufw:
 state: enabled
-
-- name: Allow ssh via ufw from localnet
- community.general.ufw:
- rule: allow
- direction: in
- port: ssh
- from_ip: "192.168.69.0/24"
- interface: eth0
-
-- name: Allow http via ufw from internet
- community.general.ufw:
- rule: allow
- direction: in
- port: http
- interface: eth1
-
-- name: Allow https via ufw from internet
- community.general.ufw:
- rule: allow
- direction: in
- port: https
- interface: eth1
-
-- name: Allow http via ufw from internet
- community.general.ufw:
- rule: allow
- direction: in
- port: http
- interface: eth1
-
-- name: Allow neko ports via ufw from internet
- community.general.ufw:
- rule: allow
- direction: in
- port: 59000:59049
- proto: udp
- interface: eth1