[a] better firewall rule defining

This commit is contained in:
Sangelo 2024-10-16 21:16:11 +02:00
parent ce4756c178
commit b8500d3dee
3 changed files with 36 additions and 49 deletions


@ -1,12 +1,17 @@
# Make a full system upgrade (using apt-get full-upgrade)
common_full_upgrade: false
common_allow_restart: false # allow restarting after update
# Install and configure UFW Firewall on the system
common_firewall_enable: true
common_firewall_reject: false # reject all connections by default
common_firewall_ssh: true # allow ssh connections
common_firewall_https: false # allow https connections
common_firewall_http: false # allow http connections
# Default Firewall Rules
common_firewall:
- port: 22
state: allow
interface: "{{ common_firewall_lan_interface if common_firewall_lan_interface }}"
comment: "Allow incoming connections on {{ common_firewall_lan_interface if common_firewall_lan_interface else 'all interfaces' }}"
# Configure SSH to only accept SSH Keys
common_ssh_configure: true
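Review bot: The new default `common_firewall` entry for port 22 uses `state: allow`, whereas the `Allow SSH Connections` task this commit removes used `rule: limit`, so SSH loses ufw's connection rate limiting unless an operator overrides the list; `state: limit` on that entry would keep the previous behaviour. The `interface:` value `{{ common_firewall_lan_interface if common_firewall_lan_interface }}` renders as an empty string when the variable is unset, and the new task's `rule.interface != 'all'` test then passes that empty string to ufw instead of omitting the parameter; `{{ common_firewall_lan_interface if common_firewall_lan_interface else 'all' }}` makes the two files agree. `common_firewall_lan_interface` is not defined anywhere in this hunk, so I cannot tell whether it has a default. The `common_firewall_ssh`, `common_firewall_https` and `common_firewall_http` flags also appear to have no remaining consumer after this commit, which could mislead users into thinking `common_firewall_https: true` still opens a port, unless they are referenced outside the files shown.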


@ -1,3 +1,8 @@
---
- name: reboot system
ansible.builtin.reboot:
when: common_allow_restart
- name: restart ssh
ansible.builtin.service:
name: sshd


@ -6,18 +6,18 @@
update_cache: true
upgrade: full
when: common_full_upgrade
notify: reboot system
- name: Install UFW Firewall
ansible.builtin.apt:
name: ufw
# update_cache: true
state: present
when: common_firewall_enable
- name: Enable UFW
community.general.ufw:
state: enabled
logging: 'on'
logging: "on"
when: common_firewall_enable
- name: Disable UFW Firewall
@ -26,35 +26,27 @@
state: absent
when: not common_firewall_enable
- name: Reject incoming connections by default
- name: Reject incoming connections on WAN interface by default
community.general.ufw:
policy: reject
comment: 'Reject all by default'
when: common_firewall_reject and common_firewall_enable
default: reject
direction: incoming
interface: "{{ common_firewall_wan_interface }}"
when:
- common_firewall_reject
- common_firewall_enable
- common_firewall_wan_interface
- name: Allow SSH Connections
- name: Configure firewall rules
community.general.ufw:
rule: limit
port: ssh
proto: tcp
comment: 'Allow SSH'
when: common_firewall_ssh and common_firewall_enable
- name: Allow HTTPS Connections
community.general.ufw:
rule: allow
port: https
proto: tcp
comment: 'Allow HTTPS'
when: common_firewall_https and common_firewall_enable
- name: Allow HTTP Connections
community.general.ufw:
rule: allow
port: http
proto: tcp
comment: 'Allow HTTP'
when: common_firewall_http and common_firewall_enable
port: "{{ rule.port }}"
rule: "{{ rule.state | default('allow') }}"
proto: "{{ rule.protocol | default('tcp') }}"
interface: "{{ rule.interface if rule.interface != 'all' else omit }}"
comment: "{{ rule.comment | default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}"
loop: "{{ common_firewall | default([]) }}"
loop_control:
loop_var: rule
when: common_firewall_enable
- name: Install sudo
ansible.builtin.apt:
@ -69,7 +61,7 @@
line: "{{ ssh_config_entry.line }}"
state: present
loop:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
loop_control:
loop_var: ssh_config_entry
notify: restart ssh
@ -88,18 +80,3 @@
ansible.builtin.user:
name: root
password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
# - name: Configure SSH to disallow root login
# ansible.builtin.lineinfile:
# path: /etc/ssh/sshd_config
# regexp: '^PermitRootLogin'
# line: 'PermitRootLogin no'
# state: present
# notify: restart ssh
# when: common_ssh_configure
# - name: Disable root shell
# ansible.builtin.user:
# name: root
# shell: /usr/sbin/nologin
# when: common_disable_root
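Review bot: In the `Configure firewall rules` task (second hunk of this file), the fallback `default('Custom rule for port {{ rule.port }} on {{ rule.interface }}')` is a Jinja string literal, so the inner braces are not expanded and ufw receives the literal text; string concatenation works instead, `comment: "{{ rule.comment | default('Custom rule for port ' ~ rule.port ~ ' on ' ~ (rule.interface | default('all'))) }}"`. The same iteration evaluates `rule.interface != 'all'`, which raises on any list entry that omits `interface`; `interface: "{{ (rule.interface | default('all')) if (rule.interface | default('all')) != 'all' else omit }}"` keeps the omit path working for such entries. In the `Reject incoming connections on WAN interface by default` task, I believe ufw default policies are global and the module's `default:` branch does not use `interface`, so the reject would apply to every interface despite the task name and the `common_firewall_wan_interface` condition — worth confirming against the module documentation before assuming LAN traffic stays open by default. The `when:` entry `- common_firewall_wan_interface` errors rather than skips if the variable is undefined, so `- common_firewall_wan_interface is defined and common_firewall_wan_interface` is safer, assuming no default exists outside the hunks shown.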