custom firewall solution

This commit is contained in:
Torma Kristóf 2022-04-16 17:47:49 +02:00
parent 49102eb285
commit 75d7aad012
10 changed files with 50 additions and 50 deletions


@ -8,4 +8,4 @@
- webserver
- internalsmtp
- backupscript
- gitea
- customfirewall


@ -2,4 +2,9 @@
servicename: git
backup:
prearecommand: ""
folder: "/home/git"
folder: "/home/service-user"
tarfolder: "gitea docker-compose.yml"
firewall:
- port: "2222"
proto: tcp
interface: "eth0"
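Review bot: The 2222 rule here is bound to `interface: "eth0"`, while the gitea ufw task it replaces (removed further down this page) allowed 2222/tcp on every interface, so git-over-ssh is no longer accepted on any other interface after this commit. That may well be the intent, but nothing on the page says which side eth0 faces on this host, so the reduced exposure reads as accidental. A short comment on the entry, such as `# git ssh, accepted on eth0 only (internal side?) — confirm`, adjusted to the real interface role, would make it deliberate.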

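--- /dev/null
+++ b/host_vars/neko.yaml
@@ -0,0 +1,17 @@
+---
+firewall:
+- port: "ssh"
+proto: tcp
+interface: "eth0"
+- port: "http"
+proto: tcp
+interface: "eth1"
+- port: "https"
+proto: tcp
+interface: "eth1"
+- port: "ssh"
+proto: tcp
+interface: "eth1"
+- port: "59000:59049"
+proto: udp
+interface: "eth1"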
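Review bot: The eth0 ssh entry drops the `from_ip: "192.168.69.0/24"` restriction that the rule it replaces in the neko role carried (removed at the end of this page), and the eth1 ssh entry has no counterpart in the removed rules, so after this commit ssh is accepted from any source on both interfaces. The list only carries port/proto/interface, so a source restriction cannot be expressed in this format at all; I'd add `from_ip: "192.168.69.0/24"` to the eth0 ssh item and have the customfirewall task pass it through with `from_ip: "{{ item.from_ip | default('any') }}"`. Whether the eth1 ssh rule is wanted is not visible here — if it is, a comment on that item saying why would help the next reader.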


@ -5,4 +5,5 @@
- common
- docker
- neko
- customfirewall
- internalsmtp


@ -0,0 +1,4 @@
Host backup backup.stargate.internal
HostName backup.stargate.internal
User backup
IdentityFile ~/.ssh/id_rsa
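Review bot: This config fixes the user and identity for backup.stargate.internal, but nothing on this page provisions that host's key in root's known_hosts, and the backup script (later on this page) now connects by this hostname instead of 192.168.69.26. An entry recorded under the IP may not satisfy the hostname lookup, and with no tty under the systemd timer ssh cannot prompt and fails host-key verification, so the first run after this change is likely to stop there. I'd add the host's public key with ansible.builtin.known_hosts in the role (or ship a known_hosts file next to this config) rather than relaxing StrictHostKeyChecking. A one-line comment such as `# alias used by the backup script; host key and id_rsa are provisioned separately` would also document what this file expects to already exist.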


@ -11,7 +11,7 @@
copy:
src: backup-script.service
dest: /usr/lib/systemd/system/backup-script.service
mode: 644
mode: 0644
owner: root
group: root
@ -19,7 +19,7 @@
copy:
src: backup.target
dest: /usr/lib/systemd/system/backup.target
mode: 644
mode: 0644
owner: root
group: root
@ -27,7 +27,7 @@
copy:
src: backup.timer
dest: /usr/lib/systemd/system/backup.timer
mode: 644
mode: 0644
owner: root
group: root
@ -49,3 +49,11 @@
ansible.builtin.systemd:
enabled: yes
name: backup.timer
- name: Copy ssh config
copy:
src: ssh_config
dest: /root/.ssh/config
mode: 0600
owner: root
group: root
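Review bot: The new "Copy ssh config" task writes /root/.ssh/config but nothing in this role creates /root/.ssh; ansible.builtin.copy fails with "Destination directory ... does not exist" when the parent is missing, so on a fresh host the play stops here (on the existing host the directory presumably exists only because ssh created it on first use). The IdentityFile the config names, ~/.ssh/id_rsa, is likewise not provisioned by this role; a comment on the task saying where the key comes from would help. I'd add a file task before the copy, as below. The 644 → 0644 mode fix on the three unit files is right; the same file mixes `copy:` with `ansible.builtin.systemd:`, so use the FQCN `ansible.builtin.copy` for consistency.
```yaml
- name: Ensure /root/.ssh exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: 0700
    owner: root
    group: root
# … unchanged: Copy ssh config task …
```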


@ -3,6 +3,6 @@
{{backup.prearecommand}}
time ( rsync -azP --delete {{backup.folder}} backup@192.168.69.26:/mnt/backupstore/{{servicename}}/staging )
time ( rsync -azP --delete {{backup.folder}} backup@backup.stargate.internal:/mnt/backupstore/{{servicename}}/staging )
time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging' )
time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging {{backup.tarfolder}}' )

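Review bot: The rsync source `{{backup.folder}}` has no trailing slash, so rsync recreates the directory itself under `staging/` on the backup host, while the new tar line names `{{backup.tarfolder}}` relative to `staging`; with the gitea values on this page (folder `/home/service-user`, tarfolder `gitea docker-compose.yml`) tar would appear to look for `staging/gitea` where rsync produced `staging/service-user/gitea`, and the archive step would fail. Either append a slash (`{{backup.folder}}/`) so the folder's contents land directly in staging, or make the tarfolder entries include the basename — which of the two matches the existing layout on the backup host is not visible here. A comment above the tar line, such as `# tarfolder entries are shell-split paths relative to the staging directory`, would pin the convention for whoever adds the next host.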

@ -0,0 +1,8 @@
---
- name: Apply custom ufw rules
community.general.ufw:
rule: allow
port: "{{item.port}}"
proto: {{item.proto}}
interface: {{item.interface}}
with_items: "{{firewall}}"
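Review bot: `proto: {{item.proto}}` and `interface: {{item.interface}}` are unquoted, so YAML reads the leading `{{` as the start of a flow mapping and Ansible refuses to load the file with a syntax error (its hint is to quote template expressions that start a value); only `port` is quoted. Change them to `proto: "{{ item.proto }}"` and `interface: "{{ item.interface }}"`. The rules this task replaces all set `direction: in` explicitly, which is dropped here; I'd keep `direction: in` so interface-bound rules are unambiguously inbound rather than relying on the module's behaviour when it is absent. `loop:` is the current spelling of `with_items` for a plain list — a style point.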


@ -1,6 +0,0 @@
---
- name: Allow git ssh via ufw
community.general.ufw:
rule: allow
port: 2222
proto: tcp


@ -26,40 +26,3 @@
- name: Enable ufw
community.general.ufw:
state: enabled
- name: Allow ssh via ufw from localnet
community.general.ufw:
rule: allow
direction: in
port: ssh
from_ip: "192.168.69.0/24"
interface: eth0
- name: Allow http via ufw from internet
community.general.ufw:
rule: allow
direction: in
port: http
interface: eth1
- name: Allow https via ufw from internet
community.general.ufw:
rule: allow
direction: in
port: https
interface: eth1
- name: Allow http via ufw from internet
community.general.ufw:
rule: allow
direction: in
port: http
interface: eth1
- name: Allow neko ports via ufw from internet
community.general.ufw:
rule: allow
direction: in
port: 59000:59049
proto: udp
interface: eth1