custom firewall solution
This commit is contained in:
parent
49102eb285
commit
75d7aad012
@ -8,4 +8,4 @@
|
|||||||
- webserver
|
- webserver
|
||||||
- internalsmtp
|
- internalsmtp
|
||||||
- backupscript
|
- backupscript
|
||||||
- gitea
|
- customfirewall
|
||||||
|
@ -2,4 +2,9 @@
|
|||||||
servicename: git
|
servicename: git
|
||||||
backup:
|
backup:
|
||||||
prearecommand: ""
|
prearecommand: ""
|
||||||
folder: "/home/git"
|
folder: "/home/service-user"
|
||||||
|
tarfolder: "gitea docker-compose.yml"
|
||||||
|
firewall:
|
||||||
|
- port: "2222"
|
||||||
|
proto: tcp
|
||||||
|
interface: "eth0"
|
||||||
|
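Review bot: `folder: "/home/service-user"` and `tarfolder: "gitea docker-compose.yml"` do not agree on the staging layout: the backup template rsyncs `{{backup.folder}}` with no trailing slash, which places a `service-user` directory under `staging/`, while `tarfolder` names `gitea` and `docker-compose.yml` as if they sat directly in `staging/`, so the remote tar step would report them missing unless the backup host already has that layout. Either write `folder: "/home/service-user/"` (a trailing slash copies the contents rather than the directory) or prefix the `tarfolder` entries with `service-user/`, and add a comment above `tarfolder` such as `# space-separated paths relative to the staging directory; must match how folder is rsync'd`. The new `firewall` entry has no way to name a source network, so port 2222 accepts connections from anything reaching eth0; if git SSH is meant to stay LAN-only the rule needs a `from_ip`, which the customfirewall role would have to pass through. The start of this host_vars file is outside the hunk.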
17
host_vars/neko.yaml
Normal file
17
host_vars/neko.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
firewall:
|
||||||
|
- port: "ssh"
|
||||||
|
proto: tcp
|
||||||
|
interface: "eth0"
|
||||||
|
- port: "http"
|
||||||
|
proto: tcp
|
||||||
|
interface: "eth1"
|
||||||
|
- port: "https"
|
||||||
|
proto: tcp
|
||||||
|
interface: "eth1"
|
||||||
|
- port: "ssh"
|
||||||
|
proto: tcp
|
||||||
|
interface: "eth1"
|
||||||
|
- port: "59000:59049"
|
||||||
|
proto: udp
|
||||||
|
interface: "eth1"
|
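Review bot: The two `ssh` entries widen exposure compared with the rules this commit deletes from the common role: the removed eth0 rule carried `from_ip: "192.168.69.0/24"` and there was no ssh rule on eth1 at all, whereas this file allows `ssh` on eth0 with no source restriction and adds `ssh` on eth1, the interface the removed task names labelled "from internet". If SSH on eth1 is deliberate, document it and restrict it, e.g. `# eth1 is internet-facing; ssh here is intentional — limit to the management network via from_ip`; otherwise drop the fourth entry and give the eth0 entry `from_ip: "192.168.69.0/24"` (which needs the customfirewall role to support that key). The removed rules also set `direction: in` explicitly, which this schema has no equivalent for. The `59000:59049` udp entry matches the removed neko rule.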
@ -5,4 +5,5 @@
|
|||||||
- common
|
- common
|
||||||
- docker
|
- docker
|
||||||
- neko
|
- neko
|
||||||
|
- customfirewall
|
||||||
- internalsmtp
|
- internalsmtp
|
||||||
|
4
roles/backupscript/files/ssh_config
Normal file
4
roles/backupscript/files/ssh_config
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
Host backup backup.stargate.internal
|
||||||
|
HostName backup.stargate.internal
|
||||||
|
User backup
|
||||||
|
IdentityFile ~/.ssh/id_rsa
|
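Review bot: Nothing in this `Host` block pins the backup server's host key, yet the rsync and ssh calls that use it run unattended as root from a systemd timer; without a pre-populated `/root/.ssh/known_hosts` the first connection has no tty to answer the prompt and fails with "Host key verification failed", and if the key is ever accepted blindly a later hijack of `backup.stargate.internal` goes unnoticed. Add `StrictHostKeyChecking yes` and `UserKnownHostsFile /root/.ssh/known_hosts` here and have the backupscript role deploy the known_hosts entry. `IdentityFile ~/.ssh/id_rsa` also depends on a key this commit does not provision; a comment such as `# key provisioned out of band; see backupscript role` (or a task that installs it) would make that explicit.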
@ -11,7 +11,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: backup-script.service
|
src: backup-script.service
|
||||||
dest: /usr/lib/systemd/system/backup-script.service
|
dest: /usr/lib/systemd/system/backup-script.service
|
||||||
mode: 644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
@ -19,7 +19,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: backup.target
|
src: backup.target
|
||||||
dest: /usr/lib/systemd/system/backup.target
|
dest: /usr/lib/systemd/system/backup.target
|
||||||
mode: 644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
@ -27,7 +27,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: backup.timer
|
src: backup.timer
|
||||||
dest: /usr/lib/systemd/system/backup.timer
|
dest: /usr/lib/systemd/system/backup.timer
|
||||||
mode: 644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
@ -49,3 +49,11 @@
|
|||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
enabled: yes
|
enabled: yes
|
||||||
name: backup.timer
|
name: backup.timer
|
||||||
|
|
||||||
|
- name: Copy ssh config
|
||||||
|
copy:
|
||||||
|
src: ssh_config
|
||||||
|
dest: /root/.ssh/config
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
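Review bot: The new `Copy ssh config` task writes to `/root/.ssh/config`, but `copy` does not create parent directories, so on a host where root has never used ssh the task fails before the config lands; a `file` task creating `/root/.ssh` with `mode: "0700"` should precede it. Quoting the modes as strings (`mode: "0600"`) also avoids any YAML reinterpretation of the octal literal and is the form the `copy` module documents; the `644` to `0644` correction elsewhere in this hunk is the right fix and is left as is. The rest of this task file is outside the hunk.
```yaml
# … unchanged: enable backup.timer …

- name: Ensure /root/.ssh exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Copy ssh config
# … unchanged: copy of ssh_config to /root/.ssh/config …
```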
@ -3,6 +3,6 @@
|
|||||||
|
|
||||||
{{backup.prearecommand}}
|
{{backup.prearecommand}}
|
||||||
|
|
||||||
time ( rsync -azP --delete {{backup.folder}} backup@192.168.69.26:/mnt/backupstore/{{servicename}}/staging )
|
time ( rsync -azP --delete {{backup.folder}} backup@backup.stargate.internal:/mnt/backupstore/{{servicename}}/staging )
|
||||||
|
|
||||||
time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging' )
|
time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging {{backup.tarfolder}}' )
|
||||||
|
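Review bot: `{{backup.tarfolder}}` is inserted verbatim inside the single-quoted remote command on the last line, so it is word-split on the backup host — intended, since it carries two paths — but any `'`, `$(` or `;` in the host_vars value becomes part of the command executed as the `backup` user; that is tolerable only because host_vars are operator-controlled, and it deserves a comment above the line: `# tarfolder: space-separated paths relative to the staging dir, inserted unquoted — no shell metacharacters`. The same applies to `{{backup.folder}}` in the rsync line, which must additionally end with `/` if `tarfolder` is meant to be relative to the synced contents rather than to the synced directory itself. Switching the target from `192.168.69.26` to `backup.stargate.internal` makes host-key verification the only thing binding that name to the server, so the ssh_config added in this commit should pin the key. The rest of the script is outside the hunk.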
8
roles/customfirewall/tasks/main.yaml
Normal file
8
roles/customfirewall/tasks/main.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
- name: Apply custom ufw rules
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{item.port}}"
|
||||||
|
proto: {{item.proto}}
|
||||||
|
interface: {{item.interface}}
|
||||||
|
with_items: "{{firewall}}"
|
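Review bot: `proto: {{item.proto}}` and `interface: {{item.interface}}` are unquoted, so the YAML parser reads `{{` as the start of a flow mapping and the play fails to load ("found unacceptable key"); they need the same quoting as `port`, i.e. `proto: "{{ item.proto }}"` and `interface: "{{ item.interface }}"`. The task also sets `interface` without `direction`; as far as I recall the ufw module rejects a rule that names an interface but no direction, and every interface rule this commit removes from the common role carried `direction: in`. Because the removed eth0 ssh rule was limited to `from_ip: "192.168.69.0/24"` and this schema has no source field, add an optional `from_ip` (omitted when unset) so that restriction can still be expressed, and prefer `loop` over the legacy `with_items`. A header comment listing the expected item keys (`port`, `proto`, `interface`, optional `from_ip`) would document the contract for host_vars authors.
```yaml
# Each item in `firewall` (host_vars): port, proto, interface, optional from_ip.
- name: Apply custom ufw rules
  community.general.ufw:
    rule: allow
    direction: in
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    interface: "{{ item.interface }}"
    from_ip: "{{ item.from_ip | default(omit) }}"
  loop: "{{ firewall }}"
```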
@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Allow git ssh via ufw
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: 2222
|
|
||||||
proto: tcp
|
|
@ -26,40 +26,3 @@
|
|||||||
- name: Enable ufw
|
- name: Enable ufw
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
|
|
||||||
- name: Allow ssh via ufw from localnet
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
direction: in
|
|
||||||
port: ssh
|
|
||||||
from_ip: "192.168.69.0/24"
|
|
||||||
interface: eth0
|
|
||||||
|
|
||||||
- name: Allow http via ufw from internet
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
direction: in
|
|
||||||
port: http
|
|
||||||
interface: eth1
|
|
||||||
|
|
||||||
- name: Allow https via ufw from internet
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
direction: in
|
|
||||||
port: https
|
|
||||||
interface: eth1
|
|
||||||
|
|
||||||
- name: Allow http via ufw from internet
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
direction: in
|
|
||||||
port: http
|
|
||||||
interface: eth1
|
|
||||||
|
|
||||||
- name: Allow neko ports via ufw from internet
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
direction: in
|
|
||||||
port: 59000:59049
|
|
||||||
proto: udp
|
|
||||||
interface: eth1
|
|
||||||
|