From 444674e8f776854508da10ad3e6e9b056a25f194 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 4 Sep 2019 04:04:57 +0200 Subject: [PATCH] Move firewall script to roles. Adjust hosts. .. --- firewall.yml | 6 + group_vars/all/main.yml | 12 +- host_vars/nscache.oopen.de.yml | 21 + host_vars/site36.net | 164 -- host_vars/site36.net.yml | 68 - host_vars/test.mx.oopen.de.yml | 59 + hosts | 62 +- open_the_vault.sh | 2 +- .../templates/etc/bind/named.conf.options.j2 | 7 + roles/firewall/defaults/main.yml | 40 + roles/firewall/handlers/main.yml | 20 + roles/firewall/tasks/main.yml | 1733 +++++++++++++++++ .../systemd/system/ip6t-firewall.service.j2 | 16 + .../systemd/system/ipt-firewall.service.j2 | 16 + scripts/install-update-firewall.yml | 1031 ---------- scripts/modify-postfix-main-dot-cf.yml | 66 + 16 files changed, 2012 insertions(+), 1311 deletions(-) create mode 100644 firewall.yml delete mode 100644 host_vars/site36.net delete mode 100644 host_vars/site36.net.yml create mode 100644 host_vars/test.mx.oopen.de.yml create mode 100644 roles/firewall/defaults/main.yml create mode 100644 roles/firewall/handlers/main.yml create mode 100644 roles/firewall/tasks/main.yml create mode 100644 roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 create mode 100644 roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 delete mode 100644 scripts/install-update-firewall.yml create mode 100644 scripts/modify-postfix-main-dot-cf.yml diff --git a/firewall.yml b/firewall.yml new file mode 100644 index 0000000..831aa20 --- /dev/null +++ b/firewall.yml @@ -0,0 +1,6 @@ +--- + + +- hosts: all + roles: + - firewall diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index f651afc..9df4450 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -11,7 +11,6 @@ apt_ansible_dependencies: - python3-apt - lsb-release - apt-transport-https - - apt-transport-tor - dbus - sudo - vim 
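Review bot: `hosts: all` together with the role's own defaults means the `meta: end_host` guard in roles/firewall/tasks/main.yml never fires — roles/firewall/defaults/main.yml always defines `git_firewall_repository`, so a plain run of firewall.yml clones the firewall repo and rewrites /etc/ipt-firewall on every inventory host. If that is not the intent, target a dedicated group, e.g. `- hosts: firewall_hosts`, or add a comment stating that the play is meant to be run with `--limit`. The two blank lines after `---` can be collapsed to one to match the other playbooks.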
@@ -125,7 +124,6 @@ apt_upgrade_dpkg_options: apt_initial_install_stretch: - apt-transport-https - - apt-transport-tor - dbus - openssh-server - rssh @@ -237,7 +235,6 @@ apt_initial_install_stretch: apt_initial_install_buster: - apt-transport-https - - apt-transport-tor - dbus - openssh-server - rush @@ -475,6 +472,10 @@ apt_install_state: latest apt_remove: - rpcbind + - apt-transport-tor + - tor + - tor-geoipdb + - torsocks apt_remove_purge: false @@ -718,7 +719,10 @@ git_apache2_repositories: # --- # group [nginx_webserver] # --- -git_nginx_repositories: [] +git_nginx_repositories: + - name: nginx + repo: https://git.oopen.de/install/nginx + dest: /usr/local/src/nginx # --- diff --git a/host_vars/nscache.oopen.de.yml b/host_vars/nscache.oopen.de.yml index d5df8fd..763bbc1 100644 --- a/host_vars/nscache.oopen.de.yml +++ b/host_vars/nscache.oopen.de.yml @@ -1,5 +1,21 @@ --- + +# --- +# used at role 'firewall' +# --- + +is_local_resolver: true +resolver_allowed_ipv4_networks: + - 192.68.11.64/27 + - 194.150.169.136/29 + - 138.201.23.195 + - 138.201.23.196 +resolver_allowed_ipv6_networks: + - 2001:678:a40:3000::/64 + - 2a01:4f8:171:2895::195 + - 2a01:4f8:171:2895::196 + # --- # vars used by roles/ansible_dependencies # --- @@ -67,6 +83,11 @@ acl_caching_nameserver: - /* Backup wipe.so36.net / backup.so36.net */ - 194.150.169.139; - 194.150.169.138; + - // site36.net + - 138.201.23.195; + - 138.201.23.196; + - 2a01:4f8:171:2895::195; + - 2a01:4f8:171:2895::196; - sinma: name: sinma entries: diff --git a/host_vars/site36.net b/host_vars/site36.net deleted file mode 100644 index 897701d..0000000 --- a/host_vars/site36.net +++ /dev/null 
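Review bot: The new `git_nginx_repositories` entry carries no `version`, so if the consuming task hands it to the `git` module unchanged, the install scripts are checked out at whatever the remote branch head happens to be at run time — runs are not reproducible and a mistaken or malicious push lands on the next run; `git_firewall_repository` in roles/firewall/defaults/main.yml has the same shape. If the consumer supports it, pin the checkout, e.g. `version: "<tag-or-commit placeholder>"`. roles/common/tasks/git.yml is not in this diff, so whether the key is honoured there is inferred.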
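Review bot: `resolver_allowed_ipv4_networks` / `resolver_allowed_ipv6_networks` overlap with the addresses the `acl_caching_nameserver` hunk in this same file adds further down (138.201.23.195/196 and their IPv6 counterparts), so the firewall allowlist and the BIND ACL are now two hand-maintained copies of one policy and will drift. At minimum tie them together with a comment, e.g. `# keep in sync with the site36.net entries in acl_caching_nameserver below`; deriving one list from the other in the template would be better if the role consumer accepts a list. The comment `# used at role 'firewall'` would read more naturally as `# vars used by roles/firewall`, matching the other section headers in the file.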
@@ -1,164 +0,0 @@ ---- - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/users.yml -# --- -ssh_keypair_backup_server: - - name: backup - backup_user: back - priv_key_src: root/.ssh/id_rsa.backup.so36.net - priv_key_dest: /root/.ssh/id_rsa - pub_key_src: root/.ssh/id_rsa.backup.so36.net.pub - pub_key_dest: /root/.ssh/id_rsa.pub - -insert_root_ssh_keypair: true - -root_ssh_keypair: - - name: backup - login: root - priv_key_src: root/.ssh/id_ed25519.oopen-server - priv_key_dest: /root/.ssh/id_ed25519 - pub_key_src: root/.ssh/id_ed25519.oopen-server.pub - pub_key_dest: /root/.ssh/id_ed25519.pub - target: backup.so36.net - - -default_user: - - - name: ckubu - password: $6$eLO.YJBg$YryN2tvRhI9HK3vffWcid7KH2uyh0e67KhbPp9FxW/bdUAepk/9GB5re7n/DXWhpthf3ifPCznPHU24X2YQVV/ - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 chris@luna' - - 'ssh-rsa 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 root@luna' - - - name: defa - password: $6$LMelojO.$TY0vb.xSBparEY5O7p86YT.E4RXKVH0bDfwGsszuFS6EAl3oh.s6V.jIZYg56P1RTDiVUh4A0BOwk87Q/utaS1 - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 defa@walther' - - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLT3rq/wQpGV0Rn57qnD6PswMYmamUS8gqv2DqlwOrNxfrfO8X/H139KQNHE4blMPaGQ+9OzugkZzzp9SC/Tud7bdt9HI50WOe4xYqd8uiGywWznsTTvcHQeT5UqGiwzRwy5ozdzlTJIcbJt7NhwUwtVUGCFuW20jjWpyHBNMJPHkL6by+4APGF6jWO+crSvAqodvi544Uw9BCSzInSkxUbrgt97ta6QYgcdHrOGUv7Pe9qITFUPeuMmFDkq1wYIcXyfa6lUXvj+QxHVsnMee50HJhlHlUAc2PmyvZX5xl0H7hM9AwWbSSfstRn4nL7pmkcfSGv5Y2RQly8AT5UAgT defa@split' - - - 'ssh-rsa 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 defa@work' - - - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCxdRSyPmX5CyzgxyV4nrF2Q7Zu0lQikgNQSTt2o8jrakSlngCNT1u9vFnbT2tynBuCEd9fE05AKqwg7m9+X3FeBzq/PF0CiS1GdanyJkNoW3RIWSeO0Amt+yxCNTmr3hSPCR5hwyWT+gAYjLYyOfbMUi66NVFiXRuSvuZ1+z5iGgdRIGlxVI74V/6tO7CLwMEEUxs8tXu6y96u8bvQowTEBixfEhzOlS/NbkZElsBcJ0+eZJ/GzN4RuFxYjd2pmz5UL4gHFcXVMSs/Wq13XWtdlzawM5K9wfFZJ83UYGxHfW0OjvqSZ8IlZSVQeEEy9UKsMwrN16qznI5Od4XmbIMd' - - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAD95P6omJldgvTdsdibJDAqq0gVAyiKL6zdZEUIxDu1r+pFZHmAB554C+9I2XN9DFm3c/V2Aix7ni2DRT6IWV8GgLAFxCgf2uaL7fghRNwfYMLTLuJXRzcEpO8Ph9Nz45YO/7n1GN2MNm8swxlMrl2ewkrvD6TTc3t4em8n3NxO5iqbKM/U8GUmyiRYGeC2KRy8HA3PNGeGvv0uGIS3KurIMdPRVFyKUt0xkMwvHeP1AIC8DIAPvD6CJf9tB8OmFxnibvrXXZCfzbgi59aJ6TRpM8qzq6gG3EtqR4x6X9gZ0h4lpsOxiUOetzemej0CY3K19tZsTjGR879h0+s8/b root@rambox.spreebytes.net' - - - 'ssh-rsa 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 defa@devnull' - - - name: init - password: $6$NcRlPYtm$1YiBoiJUcEwB1ovXYLpQ.OM/ehceh46/G2K4jz0I/PK7tJzD/HDoKhaKVYEIe.uWld6zC63GrgEhq.UMJzFuS1 - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 so_init_03' - - - name: alex - password: $6$.3m20/Um$nTsNhF5jwIF.FMW4gTqRt0o3S8B81q6UuRnMYQ9om77DwOTsPgm5RgCkX90PbPShPe3BYVBQvJp7e53qPedie. 
- shell: /usr/bin/zsh - ssh_keys: - - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMyXy0+TVREnROtJOzuFFrFW18UXaRyWWLm4Z1vCOXU home' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb9VsHdwzIW8MpEtOKzWPJW+toe1UL1odj4k0mtYPac work' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJywUxxa2hNC8DNGmiyyLDaY0BP8muqqR1upMS8vBx6O laptop' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKDhjGkGJNO9pmc3CDp0fi4TXmkXP1hm6wzAdqiMphE netbook' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINk3tyHir3go59oZnp98WhauGJNwf6KTRYcBvfFMs8fY mobile' - - - - name: alis - password: $6$w9SVHwkQ$PrVrCuugHTObqdBMJNdHV4xkgUf.FPwD4a1HA6mFbPwZPApdcnTSTNWwFJgGu5p5/5lL0Tw4TFDPVaN2Y6O44/ - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 alis@mail36.net' - - - name: sysadm - - user_id: 1050 - group_id: 1050 - group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 chris@luna' - - 'ssh-rsa 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 root@luna' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
- shell: /bin/bash - ssh_keys: - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' - -sudo_users: - - chris - - sysadm - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- -# -# see: roles/common/tasks/vars - - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. - diff --git a/host_vars/site36.net.yml b/host_vars/site36.net.yml deleted file mode 100644 index 66a3b80..0000000 --- a/host_vars/site36.net.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - -sshd_ports: - - 22 - - 1036 - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - diff --git a/host_vars/test.mx.oopen.de.yml b/host_vars/test.mx.oopen.de.yml new file mode 100644 index 0000000..7b56a60 --- /dev/null +++ b/host_vars/test.mx.oopen.de.yml 
@@ -0,0 +1,59 @@ +--- + +# --- +# vars used by role 'firewall' +# --- + +is_web_server: true + +is_mail_server: true +dovecot_auth_service_port: 44444 +has_dovecot_auth_service_ipv4: false +has_dovecot_auth_service_ipv6: false +dovecot_auth_allowed_network_ipv4: + - 192.68.11.79 +dovecot_auth_allowed_network_ipv6: + - 2001:678:a40:3000::/64 + - 2a01:30:0:13:2f7:50ff:fed2:cef7 + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- + +insert_sudoers_back_postgres_privileges: True + +insert_sudoers_postfixadmin_privileges: True + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/hosts b/hosts index 39c5588..76a1977 100644 --- a/hosts +++ b/hosts @@ -12,26 +12,7 @@ a.ns.oopen.de [extra_hosts] -o25.oopen.de -test.mx.oopen.de -ga-st-lxc1.ga.netz -gw-ah.kanzlei-kiel.netz -gw-akb.akb.netz -gw-ro.ro.netz -gw-irights.irights.netz -gw-opp.opp.netz -gw-mbr.oopen.de -ga-st-gw.oopen.de -ga-nh-gw.oopen.de -ga-al-gw.oopen.de -ga-st-gw-ersatz.ga.netz -gw-ak.oopen.de -reachout.homelinux.org -gw-spr.oopen.de -gw-km.oopen.de -server27.warenform.de -verdi-django.warenform.de -verdi-es.warenform.de +lobbycal.oopen.de @@ -101,6 +82,7 @@ limesurvey.oopen.de o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +lobbycal.oopen.de o13.oopen.de o13-board.oopen.de @@ -213,6 +195,7 @@ limesurvey.oopen.de # o12.oopen.de initiativenserver.oopen.de c.mx.oopen.de +lobbycal.oopen.de # o13.oopen.de o13-mail.oopen.de @@ -349,6 +332,9 @@ devel-todo.wf.netz # o10.oopen.de etherpad.oopen.de +# o12.oopen.de +lobbycal.oopen.de + # o13.oopen.de o13-board.oopen.de o13-pad.oopen.de 
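Review bot: `insert_sudoers_back_postgres_privileges: True` and `insert_sudoers_postfixadmin_privileges: True` use the capitalised YAML 1.1 boolean form while the rest of this file and roles/firewall/defaults/main.yml write `true`; use `true` here as well (yamllint's truthy rule flags the capitalised spelling). Separately, `has_dovecot_auth_service_ipv4` and `has_dovecot_auth_service_ipv6` are both `false` while `dovecot_auth_allowed_network_ipv4` / `_ipv6` are populated — if that is deliberate preparation, a one-line comment such as `# auth service currently disabled; allowlists kept for when it is switched on` would stop a later reader from flipping the flags without re-checking the allowlists.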
@@ -505,6 +491,7 @@ limesurvey.oopen.de # o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +lobbycal.oopen.de # o13.oopen.de o13-board.oopen.de @@ -704,6 +691,16 @@ anita.wf.netz #test.mx.oopen.de +[local_resolver] +nscache.oopen.de + + +[ntp_server] + + +[xmpp_server] + + [lxc_host] # --- @@ -766,6 +763,7 @@ limesurvey.oopen.de # - o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +lobbycal.oopen.de # - o13.oopen.de o13-board.oopen.de @@ -903,6 +901,7 @@ limesurvey.oopen.de o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +lobbycal.oopen.de # - o13.oopen.de o13.oopen.de @@ -1053,29 +1052,6 @@ devel-repos.wf.netz devel-todo.wf.netz devel-wiki.wf.netz -#[so36_server] -#devnull.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#codecoop.org ansible_ssh_port=22 ansible_user=ckubu -#comm.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#noc.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#ns.so36net.de ansible_ssh_port=1036 ansible_user=ckubu -#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#resolver-a.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#resolver-b.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#schleuder3.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#shell.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#sympa.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#usr-db.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#web.so36.net ansible_ssh_port=1036 ansible_user=ckubu -# -#suck.so36.net ansible_ssh_port=1036 ansible_user=ckubu -# -#wipe.so36.net ansible_ssh_port=1036 ansible_user=ckubu -#backup.so36.net ansible_ssh_port=1036 ansible_user=ckubu -# -#o18.oopen.de ansible_ssh_port=1036 ansible_user=chris -#site36.net ansible_ssh_port=1036 ansible_user=ckubu - [oopen_office_ga] # - GA - Gemeinschaft Altensclirf diff --git a/open_the_vault.sh b/open_the_vault.sh index 6e3153a..54a1495 100755 --- a/open_the_vault.sh +++ b/open_the_vault.sh 
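Review bot: `[local_resolver]` now lists nscache.oopen.de while host_vars/nscache.oopen.de.yml in this same commit sets `is_local_resolver: true`, so the same fact lives in two places; the firewall role visible here reads only the variable (defaults/main.yml declares `is_local_resolver: false`) and nothing in the diff consumes the group. Either drop the group or make it the single source of truth by putting `is_local_resolver: true` in group_vars/local_resolver/main.yml and removing it from the host file. The empty `[ntp_server]` and `[xmpp_server]` groups deserve the same treatment once they get members, since the role has `is_ntp_server` / `is_xmpp_server` flags for them too.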
@@ -2,7 +2,7 @@ echoerr() { echo "$@" 1>&2; } -PWFILE="$HOME/.private/ansible-oopen-vault-passphrase" +PWFILE="$HOME/.private/ansible/ansible-oopen-vault-passphrase" if test ! -f "$PWFILE" then diff --git a/roles/common/templates/etc/bind/named.conf.options.j2 b/roles/common/templates/etc/bind/named.conf.options.j2 index e37c390..e037ac4 100644 --- a/roles/common/templates/etc/bind/named.conf.options.j2 +++ b/roles/common/templates/etc/bind/named.conf.options.j2 @@ -33,6 +33,13 @@ options { //======================================================================== dnssec-validation auto; + // version statement - inhibited for security + // (avoids hacking any known weaknesses) + version "not currently available"; + + // disables all zone transfer requests + allow-transfer{"none";}; + // caching name services recursion yes; diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml new file mode 100644 index 0000000..185c0f3 --- /dev/null +++ b/roles/firewall/defaults/main.yml @@ -0,0 +1,40 @@ +--- + +is_dns_server: false + +is_local_resolver: false +resolver_allowed_ipv4_networks: "" +resolver_allowed_ipv6_networks: "" + +is_ntp_server: false +ntp_allowed_ipv4_net: "" +ntp_allowed_ipv6_net: "" + +is_web_server: false + +is_mail_server: false +dovecot_auth_service_port: "" +has_dovecot_auth_service_ipv4: false +has_dovecot_auth_service_ipv6: false +dovecot_auth_allowed_network_ipv4: {} +dovecot_auth_allowed_network_ipv6: {} + +is_list_server: false + +is_ftp_server: false + +is_xmpp_server: false +xmpp_has_dovecot_auth: false +xmpp_dovecot_auth_service_ipv4: "" +xmpp_dovecot_auth_service_ipv6: "" + +is_mumble_server: false + +sshd_ports: + - 1036 + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml new file mode 100644 index 0000000..1dbd644 --- /dev/null 
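Review bot: The comment above `version "not currently available";` overstates what the directive achieves — hiding the version string is obscurity and removes no weakness, so `// (avoids hacking any known weaknesses)` should become something like `// hide the version string (obscurity only; keeping BIND patched is what actually matters)`. Style: `allow-transfer{"none";};` is written unlike the surrounding statements; the conventional spelling is `allow-transfer { none; };`, with `none` unquoted as in the BIND documentation (as far as I know BIND also resolves the quoted name, but the unquoted form is what readers expect).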
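Review bot: `sshd_ports: - 1036` as a role default means a host that actually listens on port 22 and has no `sshd_ports` of its own ends up with `ssh_ports="1036"` in main_ipv[46].conf — the 'Set default sshd ports' fallback in tasks/main.yml only fires when `sshd_ports` is undefined or equals 22, and a role default makes it always defined — so the firewall restart can lock the operator out; whether group_vars/all already sets `sshd_ports` (which would take precedence) is not visible in this diff. Safer is no default here, or `sshd_ports: [22, 1036]` if both are always open, with a comment saying why. The empty defaults are also typed inconsistently with the host_vars that override them: `resolver_allowed_ipv4_networks: ""` and `dovecot_auth_allowed_network_ipv4: {}` (and their IPv6 twins) are a string and a mapping, while host_vars/nscache.oopen.de.yml and host_vars/test.mx.oopen.de.yml supply lists; use `[]` for all four so `| length` and `| join` behave the same whichever source wins.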
+++ b/roles/firewall/handlers/main.yml @@ -0,0 +1,20 @@ +- name: Restart ulogd + service: + name: ulogd + state: restarted + +- name: Restart IPv4 Firewall + service: + name: ipt-firewall + state: restarted + when: + - interfaces_ipv4_exists.stat.exists + - main_ipv4_exists.stat.exists + +- name: Restart IPv6 Firewall + service: + name: ip6t-firewall + state: restarted + when: + - interfaces_ipv6_exists.stat.exists + - main_ipv6_exists.stat.exists diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml new file mode 100644 index 0000000..dbfc422 --- /dev/null +++ b/roles/firewall/tasks/main.yml 
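Review bot: Both restart handlers gate on `interfaces_ipv4_exists.stat.exists` / `main_ipv4_exists.stat.exists` (and the IPv6 pair), which are registered by the `stat` tasks at the top of roles/firewall/tasks/main.yml before anything is written; if the role creates those files later in the same run — not visible in this chunk — the handler still sees the pre-run result and the first run ends with modified config but no restart, and if a handler is notified from outside this role the variables are undefined and the handler itself errors. The undefined case is cheap to cover, e.g. `when: interfaces_ipv4_exists.stat.exists | default(false) and main_ipv4_exists.stat.exists | default(false)`; the stale-result case needs a fresh `stat` immediately before the restart. The file also lacks the `---` document start that the other new YAML files in this commit use.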
@@ -0,0 +1,1733 @@ +--- +# # --- +# # - Check if firewall repository exist +# # --- +# +# - name: Check if firewall repository exist +# stat: +# path: '{{ git_firewall_repository.dest }}' +# register: git_firewall_repository_exists +# +# - meta: end_host +# when: not git_firewall_repository_exists.stat.exists + +# --- +# Create firewall config directory '/etc/ipt/firewall' if not exists +# --- + +- name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository|length > 0 + tags: + - git-firewall-repository + +# Exit if no firewall repository variable exists or is empty +# +- meta: end_host + when: git_firewall_repository is not defined or git_firewall_repository|length < 1 + +- name: Create directory /etc/ipt-firewall if not exists + file: + path: /etc/ipt-firewall + state: directory + +# --- +# Check presence of files +# --- + +- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present + stat: + path: /etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + +- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + +- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + +- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + +- name: Check if /etc/ipt-firewall/ban_ipv4.list are present + stat: + path: /etc/ipt-firewall/ban_ipv4.list + register: ban_ipv4_exists + +- name: Check if /etc/ipt-firewall/ban_ipv6.list are present + stat: + path: /etc/ipt-firewall/ban_ipv6.list + register: ban_ipv6_exists + +# --- +# Get information about network devices +# --- + +- name: define traditional ethernet facts + set_fact: + 
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' + - inventory_hostname not in groups['lxc_host']|string + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + +- name: define traditional bridge facts + set_fact: + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' + - "groups['lxc_host']|string is search(inventory_hostname)" + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + +- name: Debug message IPv4 + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv4-address: {{ item.ipv4.address }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - item.ipv4.address is defined and item.ipv4.address|length > 0 + +- name: Debug message IPv6 + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + +#- meta: end_host + +# --- +# Get sshd ports +# --- + +- name: Get sshd ports as blank separated list + set_fact: + fw_sshd_ports: "{{ sshd_ports | join (' ') }}" + when: + - sshd_ports is defined and sshd_ports | length > 0 + - sshd_ports|join() != "22" + +- 
name: Set default sshd ports + set_fact: + fw_sshd_ports: "$standard_ssh_port" + when: + - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" + +# === +# Modify main_ipv[4|].conf - add port definitionios +# === + +# --- +# Allow local Services from given (extern) network +# --- + +- name: Check if String 'allow_local_service_from_networks=..' is present + shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv4.conf + register: allow_local_service_from_networks_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "allow_local_service_from_networks_ipv4_present.rc > 1" + changed_when: "allow_local_service_from_networks_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_local_service_from_networks) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*allow_local_service' + block: | + + # ------------- + # ---- Allow local Services from given (extern) network + # ------------- + + # - allow_local_service_from_networks + # - + # - allow_local_service_from_networks=" [: [.." + # - + # - Allow all traffic to given local service from given (extern) network + # - + # - Example: + # - allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp" + # - + # - Blank separated list + # - + allow_local_service_from_networks="" + marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)" + when: + - main_ipv4_exists.stat.exists + - allow_local_service_from_networks_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'allow_local_service_from_networks=..' 
is present + shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv6.conf + register: allow_local_service_from_networks_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "allow_local_service_from_networks_ipv6_present.rc > 1" + changed_when: "allow_local_service_from_networks_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_local_service_from_networks) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*allow_local_service' + block: | + + # ------------- + # ---- Allow local Services from given (extern) network + # ------------- + + # - allow_local_service_from_networks + # - + # - allow_local_service_from_networks=" [, [.." + # - + # - Allow all traffic to given local service from given (extern) network + # - + # - Example: + # - allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp" + # - + # - Blank separated list + # - + allow_local_service_from_networks="" + marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)" + when: + - main_ipv6_exists.stat.exists + - allow_local_service_from_networks_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +# --- +# vpn_ports +# --- + +- name: Check if String 'vpn_ports=..' 
is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf + register: vpn_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "vpn_ports_ipv4_present.rc > 1" + changed_when: "vpn_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv4_exists.stat.exists + - vpn_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'vpn_ports=..' is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf + register: vpn_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "vpn_ports_ipv6_present.rc > 1" + changed_when: "vpn_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv6_exists.stat.exists + - vpn_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# support local NTP Service +# --- + +- name: Check if String 'local_ntp_service..' 
is present + shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv4.conf + register: local_ntp_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "local_ntp_service_ipv4_present.rc > 1" + changed_when: "local_ntp_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_ntp_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*vpn_ports' + block: | + # local NTP Server + # + local_ntp_service=false + + # NPT Port used by local service + # + ntp_port="$standard_ntp_port" + + # Network allowed for NTP requests + # + # Note: if not set no port will be open! + # + ntp_allowed_net="" + marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)" + when: + - main_ipv4_exists.stat.exists + - local_ntp_service_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'local_ntp_service..' is present + shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv6.conf + register: local_ntp_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "local_ntp_service_ipv6_present.rc > 1" + changed_when: "local_ntp_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_ntp_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*vpn_ports' + block: | + # local NTP Server + # + local_ntp_service=false + + # NPT Port used by local service + # + ntp_port="$standard_ntp_port" + + # Network allowed for NTP requests + # + # Note: if not set no port will be open! + # + ntp_allowed_net="" + marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)" + when: + - main_ipv6_exists.stat.exists + - local_ntp_service_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# support local DNS Resolver +# --- + +- name: Check if String 'local_resolver_service..' 
is present + shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv4.conf + register: local_resolver_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "local_resolver_service_ipv4_present.rc > 1" + changed_when: "local_resolver_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_resolver_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_dns_server_ips' + block: | + # - local DNS Resolver + # - + local_resolver_service=false + + # - Resolover Port used by local service + # - + resolver_port="$standard_dns_port" + + # - Network allowed for DNS requests + # - + # - Note: if not set no port will be open! + # - + # - Example: + # - resolver_allowed_networks="192.68.11.64/27 194.150.169.139" + # - + resolver_allowed_networks="" + + marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)" + when: + - main_ipv4_exists.stat.exists + - local_resolver_service_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'local_resolver_service..' is present + shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv6.conf + register: local_resolver_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "local_resolver_service_ipv6_present.rc > 1" + changed_when: "local_resolver_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_resolver_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_dns_server_ips' + block: | + # - local DNS Resolver + # - + local_resolver_service=false + + # - Resolover Port used by local service + # - + resolver_port="$standard_dns_port" + + # - Network allowed for DNS requests + # - + # - Note: if not set no port will be open! 
+ # - + # - Example: + # - resolver_allowed_net="2001:678:a40:3000::/64 2001:678:a40:4000::/64" + # - + resolver_allowed_networks="" + + marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)" + when: + - main_ipv6_exists.stat.exists + - local_resolver_service_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# ssh_ports +# --- + +- name: Check if String 'ssh_ports=..' is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf + register: ssh_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "ssh_ports_ipv4_present.rc > 1" + changed_when: "ssh_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="{{ fw_sshd_ports }}" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv4_exists.stat.exists + - ssh_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'ssh_ports=..' is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf + register: ssh_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "ssh_ports_ipv6_present.rc > 1" + changed_when: "ssh_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="{{ fw_sshd_ports }}" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv6_exists.stat.exists + - ssh_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# http_ports +# --- + +- name: Check if String 'http_ports=..' 
is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf + register: http_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv4_present.rc > 1" + changed_when: "http_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv4_exists.stat.exists + - http_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'http_ports=..' is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf + register: http_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv6_present.rc > 1" + changed_when: "http_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv6_exists.stat.exists + - http_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# mail_user_ports +# --- + +- name: Check if String 'mail_user_ports=..' 
is present + shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mail_user_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mail_user_ports_ipv4_present.rc > 1" + changed_when: "mail_user_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mail_server_ips' + block: | + # - Client Ports used by local Mail Services + # - + # - comma separated list + # - + mail_user_ports="$standard_mailuser_ports" + + marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" + when: + - main_ipv4_exists.stat.exists + - mail_user_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'mail_user_ports=..' is present + shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf + register: mail_user_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "mail_user_ports_ipv6_present.rc > 1" + changed_when: "mail_user_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mail_server_ips' + block: | + # - Client Ports used by local Mail Services + # - + # - comma separated list + # - + mail_user_ports="$standard_mailuser_ports" + + marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" + when: + - main_ipv6_exists.stat.exists + - mail_user_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# dovecot_auth_service +# --- + +- name: Check if String 'dovecot_auth_service=..' 
is present + shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv4.conf + register: dovecot_auth_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "dovecot_auth_service_ipv4_present.rc > 1" + changed_when: "dovecot_auth_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (dovecot_auth_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mail_client_ips' + block: | + + # - Dovecot auth service + # - + dovecot_auth_service=false + + # - Port listen for dovecot auth requests + # - + dovecot_auth_port=44444 + + # - Client Network(s) allowed to connect to dovecot's auth service + # - + # - Example: + # - dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139" + # - + dovecot_auth_allowed_networks="" + marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)" + when: + - main_ipv4_exists.stat.exists + - dovecot_auth_service_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'dovecot_auth_service=..' 
is present + shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv6.conf + register: dovecot_auth_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "dovecot_auth_service_ipv6_present.rc > 1" + changed_when: "dovecot_auth_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (dovecot_auth_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mail_client_ips' + block: | + + # - (local) Dovecot auth service + # - + dovecot_auth_service=false + + # - Port listen for dovecot auth requests + # - + dovecot_auth_port=44444 + + # - Client Network(s) allowed to connect to dovecot's auth service + # - + # - Example: + # - dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7" + # - + dovecot_auth_allowed_networks="" + marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)" + when: + - main_ipv6_exists.stat.exists + - dovecot_auth_service_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# ftp_passive_port_range +# --- + +- name: Check if String 'ftp_passive_port_range=..' 
is present + shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf + register: ftp_passive_port_range_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" + changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_ftp_server_ips' + block: | + # - FTP passive port range use by local ftp service(s) + # - + # - example: ftp_passive_port_range="50000:50400" + # - + ftp_passive_port_range="50000:50400" + + marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" + when: + - main_ipv4_exists.stat.exists + - ftp_passive_port_range_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'ftp_passive_port_range=..' is present + shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf + register: ftp_passive_port_range_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" + changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_ftp_server_ips' + block: | + # - FTP passive port range use by local ftp service(s) + # - + # - example: ftp_passive_port_range="50000:50400" + # - + ftp_passive_port_range="50000:50400" + + marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" + when: + - main_ipv6_exists.stat.exists + - ftp_passive_port_range_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# XMPP Service +# --- + +- name: Check if String 'xmpp_server_ips=..' 
is present + shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv4.conf + register: xmpp_server_ips_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "xmpp_server_ips_ipv4_present.rc > 1" + changed_when: "xmpp_server_ips_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xmpp_server_ips) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*ftp_passive_port_range' + block: | + + # - XMPP Service (Jabber - Prosody) + # - + xmpp_server_ips="" + forward_xmpp_server_ips="" + + # - Ports used by XMpp (Prosody) service + # - + # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt + # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet) + # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern + # - + # - WebSocket (support is provided by mod_websocket) + # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen) + # - + xmmp_tcp_in_ports="5222 5223 5269" + xmmp_tcp_out_ports="5269" + + # - XMPP Remote Dovecote Out Service + # - + # - Example: + # - xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444" + # - + xmmp_remote_out_services="" + + marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)" + when: + - main_ipv4_exists.stat.exists + - xmpp_server_ips_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'xmpp_server_ips=..' 
is present + shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: xmpp_server_ips_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "xmpp_server_ips_ipv6_present.rc > 1" + changed_when: "xmpp_server_ips_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xmpp_server_ips) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*ftp_passive_port_range' + block: | + + # - XMPP Service (Jabber - Prosody) + # - + xmpp_server_ips="" + forward_xmpp_server_ips="" + + # - Ports used by XMpp (Prosody) service + # - + # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt + # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet) + # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern + # - + # - WebSocket (support is provided by mod_websocket) + # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen) + # - + xmmp_tcp_in_ports="5222 5223 5269" + xmmp_tcp_out_ports="5269" + + # - XMPP Remote Dovecote Out Service + # - + # - Example: + # - xmmp_remote_out_services=" + # - 2a01:4f8:221:3b4e::247,44444 + # - 2a01:30:0:13:2f7:50ff:fed2:cef7,44444 + # - " + # - + xmmp_remote_out_services="" + + marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)" + when: + - main_ipv6_exists.stat.exists + - xmpp_server_ips_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# munin_remote_port +# --- + +- name: Check if String 'munin_remote_port=..' 
is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf + register: munin_remote_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv4_present.rc > 1" + changed_when: "munin_remote_port_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Port used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv4_exists.stat.exists + - munin_remote_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'munin_remote_port=..' is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf + register: munin_remote_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv6_present.rc > 1" + changed_when: "munin_remote_port_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Ports used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv6_exists.stat.exists + - munin_remote_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# xymon_port +# --- + +- name: Check if String 'xymon_port=..' 
is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf + register: xymon_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv4_present.rc > 1" + changed_when: "xymon_port_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv4_exists.stat.exists + - xymon_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'xymon_port=..' is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf + register: xymon_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv6_present.rc > 1" + changed_when: "xymon_port_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv6_exists.stat.exists + - xymon_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# mumble_ports +# --- + +- name: Check if String 'mumble_ports=..' 
is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mumble_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mumble_ports_ipv4_present.rc > 1" + changed_when: "mumble_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv4_exists.stat.exists + - mumble_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'mumble_ports=..' is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf + register: mumble_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "mumble_ports_ipv6_present.rc > 1" + changed_when: "mumble_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv6_exists.stat.exists + - mumble_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# Remove Marker set by blockinfile +# --- + +- name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + +- name: Remove marker IPv6 + replace : + path: /etc/ipt-firewall/main_ipv6.conf + 
regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + + +# === +# Update/Modify firewall +# === + +# --- +# Host specific configuration files +# --- + +# /etc/ipt-firewall/interfaces_ipv[4|6].conf +# +- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf + when: not interfaces_ipv4_exists.stat.exists + register: new_interfaces_ipv4 + + +- name: Configure interfaces_ipv4.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_if_1=' + line: 'ext_if_1="{{ item.device }}"' + register: interfaces_ipv4_device + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv4_device is changed + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 + +- name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_1_ip=' + line: 'ext_1_ip="{{ item.ipv4.address }}"' + register: interfaces_ipv4_ip + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv4_ip is changed + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 + +- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf + when: not interfaces_ipv6_exists.stat.exists + register: new_interfaces_ipv6 + +- name: Configure interfaces_ipv6.conf 1/2 + lineinfile: + path: 
/etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_if_1=' + line: 'ext_if_1="{{ item.device }}"' + register: interfaces_ipv6_device + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv6_device is changed + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + +- name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_1_ip=' + #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' + line: "ext_1_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" + register: interfaces_ipv6_ip + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv6_ip is changed + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + - item.ipv6.1.address is defined and item.ipv6.1.address|length > 0 + +# /etc/ipt-firewall/ban_ipv[4|6].list +# +- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list + when: not ban_ipv4_exists.stat.exists + +- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list + when: not ban_ipv6_exists.stat.exists + +# /etc/ipt-firewall/main_ipv[4|6].conf +# +- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf + when: not main_ipv4_exists.stat.exists + register: cp_main_ipv4 + +- name: Place new configuration file 
'/etc/ipt-firewall/main_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf + when: not main_ipv6_exists.stat.exists + register: cp_main_ipv6 + +# --- +# Configure main_ipv4.conf +# --- + +# - Firewall Bridged Traffic ? + +- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - lxc_host) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=true + state: present + when: + - inventory_hostname in groups['lxc_host'] + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - other) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=false + state: present + when: + - inventory_hostname not in groups['lxc_host'] + notify: + - Restart IPv4 Firewall + +# - DNS Service + +- name: Configure main_ipv4.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - (local) Resolver + +- name: Configure main_ipv4.conf (local_resolver_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_resolver_service' + line: local_resolver_service=true + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (resolver_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*resolver_allowed_networks' + line: resolver_allowed_networks="{{ (resolver_allowed_ipv4_networks | join(' ')) | default(omit) }}" + state: present + when: + - "groups['local_resolver']|string is 
search(inventory_hostname)" + notify: + - Restart IPv4 Firewall + +# - NTP Service + +- name: Configure main_ipv4.conf (local_ntp_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_ntp_service' + line: local_ntp_service=true + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (ntp_allowed_net) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_ntp_service' + line: 'ntp_allowed_net="{{ ntp_allowed_ipv4_net | default(omit) }"' + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +# - SSH Service + +- name: Configure main_ipv4.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - HTTP Server + +- name: Configure main_ipv4.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - Mail Client Protocols + +- name: Configure main_ipv4.conf (mail_client_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + 
+# - Mal Server + +- name: Configure main_ipv4.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*smtpd_ips=' + line: smtpd_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +- name: Configure main_ipv4.conf (mail_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_server_ips=' + line: mail_server_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + +# - Dovecot auth service + +- name: Configure main_ipv4.conf (dovecot_auth_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_service=' + line: dovecot_auth_service=true + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (dovecot_auth_port) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_port=' + line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }} + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (dovecot_auth_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_allowed_networks=' + line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv4 | join(' ')) | default(omit) }}" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not 
main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +# - FTP Service + +- name: Configure main_ipv4.conf (ftp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ftp_server_ips=' + line: ftp_server_ips="$ext_1_ip" + state: present + when: + - "groups['ftp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - XMPP Service + +- name: Configure main_ipv4.conf (xmpp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*xmpp_server_ips=' + line: xmpp_server_ips="$ext_1_ip" + state: present + when: + - "groups['xmpp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (xmmp_remote_out_services) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*xmmp_remote_out_services=' + line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv4 | default(omit) }}"' + state: present + when: + - "groups['xmpp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + - xmpp_has_dovecot_auth == true + notify: + - Restart IPv4 Firewall + +# - Mumble + +- name: Configure main_ipv4.conf (mumble_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mumble_server_ips=' + line: mumble_server_ips="$ext_1_ip" + state: present + when: + - "groups['mumble_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# --- +# Configure main_ipv6.conf +# --- + +# - Firewall Bridged Traffic ? 
+ +- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - lxc_host) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=true + state: present + when: + - inventory_hostname in groups['lxc_host'] + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - other) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=false + state: present + when: + - inventory_hostname not in groups['lxc_host'] + notify: + - Restart IPv6 Firewall + +# - DNS Service + +- name: Configure main_ipv6.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +# - (local) Resolver + +- name: Configure main_ipv6.conf (local_resolver_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_resolver_service' + line: local_resolver_service=true + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (resolver_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*resolver_allowed_networks' + line: resolver_allowed_networks="{{ (resolver_allowed_ipv6_networks | join(' ')) | default(omit) }}" + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +# - NTP Service + +- name: Configure main_ipv6.conf (local_ntp_service) + 
lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_ntp_service' + line: local_ntp_service=true + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (ntp_allowed_net) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_ntp_service' + line: 'ntp_allowed_net="{{ ntp_allowed_ipv6_net }"' + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +#- SSH Service + +- name: Configure main_ipv6.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - HTTP Service + +- name: Configure main_ipv6.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - Mail Client Protocolls + +- name: Configure main_ipv6.conf (mail_client_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - Mail Server + +- name: Configure main_ipv6.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*smtpd_ips=' + line: 
smtpd_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+- name: Configure main_ipv6.conf (mail_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mail_server_ips='
+ line: mail_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# - Dovecot auth service
+
+- name: Configure main_ipv6.conf (dovecot_auth_service)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_service='
+ line: dovecot_auth_service=true
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (dovecot_auth_port)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_port='
+ line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }}
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (dovecot_auth_allowed_networks)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_allowed_networks='
+ line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv6 | join(' ')) | default(omit) }}"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# - FTP Service
+
+- name: Configure main_ipv6.conf (ftp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*ftp_server_ips='
+ line: ftp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['ftp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# - XMPP Service
+
+- name: Configure main_ipv6.conf (xmpp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*xmpp_server_ips='
+ line: xmpp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['xmpp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ - xmpp_has_dovecot_auth == true
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (xmmp_remote_out_services)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*xmmp_remote_out_services='
+ line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv6 | default(omit) }}"'
+ state: present
+ when:
+ - "groups['xmpp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ - xmpp_has_dovecot_auth == true
+ notify:
+ - Restart IPv6 Firewall
+
+# - Munmble Service
+
+- name: Configure main_ipv6.conf (mumble_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mumble_server_ips='
+ line: mumble_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mumble_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# ---
+# Host independet configuration files
+# ---
+
+- name: Check if common configuration files are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ register: diff_output
+
+- name: Ensure common configuration files are latest
+ command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+# ---
+# Firewall scripts
+# ---
+
+- name: Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ register: diff_script_output
+
+- name: Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+# ---
+# Install systemd service files ip[6]t-firewall.service
+# ---
+
+- name: Configure firewall systemd service files
+ template:
+ src: etc/systemd/system/{{ item }}-firewall.service.j2
+ dest: /etc/systemd/system/{{ item }}-firewall.service
+ register: systemd_service_files_installed
+ with_items:
+ - ipt
+ - ip6t
+
+- name: Enable firewall services IPv4
+ systemd:
+ name: ipt-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- name: Enable firewall services IPv6
+ systemd:
+ name: ip6t-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- meta: end_host
+ when: firewall_service_started is changed
+
+# ---
+# Delete unused files
+# ---
+
+- name: Delete file /etc/ipt-firewall/ports.conf
+ file:
+ path: /etc/ipt-firewall/ports.conf
+ state: absent
+ when: systemd_service_files_installed is changed
diff --git a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
new file mode 100644
index 0000000..ad2c85f
--- /dev/null
+++ b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
new file mode 100644
index 0000000..ab20b8f
--- /dev/null
+++ b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/scripts/install-update-firewall.yml b/scripts/install-update-firewall.yml
deleted file mode 100644
index 27877ba..0000000
--- a/scripts/install-update-firewall.yml
+++ /dev/null
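Review bot: `After=network.target` starts ip6t-firewall only once the network is considered up, so at boot the interfaces can already carry traffic before ip6t-firewall-server has loaded a single rule; ipt-firewall.service.j2 in the next hunk has the same ordering. A packet filter that only needs its static files under /etc/ipt-firewall would normally declare `DefaultDependencies=no`, `Wants=network-pre.target` and `Before=network-pre.target` instead of `After=network.target`, so the rules are in place before any interface is brought up. Whether ip6t-firewall-server tolerates running before the interfaces exist cannot be told from this diff and should be checked before changing the ordering. `User=root` is the default for system units and can be dropped.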
@@ -1,1031 +0,0 @@ ---- - -- hosts: all - - tasks: - -# # --- -# # - Check if firewall repository exist -# # --- -# -# - name: Check if firewall repository exist -# stat: -# path: '{{ git_firewall_repository.dest }}' -# register: git_firewall_repository_exists -# -# - meta: end_host -# when: not git_firewall_repository_exists.stat.exists - - # --- - # Create firewall config directory '/etc/ipt/firewall' if not exists - # --- - - - name: Install/update firewall repository - git: - repo: '{{ git_firewall_repository.repo }}' - dest: '{{ git_firewall_repository.dest }}' - when: git_firewall_repository is defined and git_firewall_repository|length > 0 - tags: - - git-firewall-repository - - # Exit if no firewall repository variable does not exists or is empty - # - - meta: end_host - when: git_firewall_repository is not defined or git_firewall_repository|length < 1 - - - name: Create directory /etc/ipt-firewall if not exists - file: - path: /etc/ipt-firewall - state: directory - - # --- - # Check presence of files - # --- - - - name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present - stat: - path: /etc/ipt-firewall/interfaces_ipv4.conf - register: interfaces_ipv4_exists - - - name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present - stat: - path: /etc/ipt-firewall/interfaces_ipv6.conf - register: interfaces_ipv6_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - - - name: Check if /etc/ipt-firewall/ban_ipv4.list are present - stat: - path: /etc/ipt-firewall/ban_ipv4.list - register: ban_ipv4_exists - - - name: Check if /etc/ipt-firewall/ban_ipv6.list are present - stat: - path: /etc/ipt-firewall/ban_ipv6.list - register: ban_ipv6_exists - - # --- - # Get information about network devices - # --- - - - 
name: define traditional ethernet facts - set_fact: - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" - when: - - not interfaces_ipv4_exists.stat.exists - - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' - - inventory_hostname not in groups['lxc_host']|string - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - - name: define traditional bridge facts - set_fact: - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" - when: - - not interfaces_ipv4_exists.stat.exists - - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' - - "groups['lxc_host']|string is search(inventory_hostname)" - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - - name: Debug message IPv4 - debug: - msg: - - "index: {{ idx + 1 }}" - - "device: {{ item.device }}" - - "ipv4-address: {{ item.ipv4.address }}" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - item.ipv4.address is defined and item.ipv4.address|length > 0 - - - name: Debug message IPv6 - debug: - msg: - - "index: {{ idx + 1 }}" - - "device: {{ item.device }}" - - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - -# - meta: end_host - - # --- - # Get sshd ports - # --- - - - name: Get sshd ports as blank separated list - set_fact: - fw_sshd_ports: "{{ sshd_ports | join (' ') }}" - when: - - sshd_ports is defined 
and sshd_ports | length > 0 - - sshd_ports|join() != "22" - - - name: Set default sshd ports - set_fact: - fw_sshd_ports: "$standard_ssh_port" - when: - - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" - - # === - # Modify main_ipv[4|].conf - add port definitionios - # === - - # --- - # vpn_ports - # --- - - - name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: vpn_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "vpn_ports_ipv4_present.rc > 1" - changed_when: "vpn_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv4_exists.stat.exists - - vpn_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: vpn_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "vpn_ports_ipv6_present.rc > 1" - changed_when: "vpn_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv6_exists.stat.exists - - vpn_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # ssh_ports - # --- - - - name: Check if String 'ssh_ports=..' 
is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf - register: ssh_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ssh_ports_ipv4_present.rc > 1" - changed_when: "ssh_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="{{ fw_sshd_ports }}" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv4_exists.stat.exists - - ssh_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'ssh_ports=..' is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf - register: ssh_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ssh_ports_ipv6_present.rc > 1" - changed_when: "ssh_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="{{ fw_sshd_ports }}" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv6_exists.stat.exists - - ssh_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # http_ports - # --- - - - name: Check if String 'http_ports=..' 
is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf - register: http_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv4_present.rc > 1" - changed_when: "http_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv4_exists.stat.exists - - http_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'http_ports=..' is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf - register: http_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv6_present.rc > 1" - changed_when: "http_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv6_exists.stat.exists - - http_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # mail_user_ports - # --- - - - name: Check if String 'mail_user_ports=..' 
is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mail_user_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv4_present.rc > 1" - changed_when: "mail_user_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv4_exists.stat.exists - - mail_user_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'mail_user_ports=..' is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mail_user_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv6_present.rc > 1" - changed_when: "mail_user_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv6_exists.stat.exists - - mail_user_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # ftp_passive_port_range - # --- - - - name: Check if String 'ftp_passive_port_range=..' 
is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf - register: ftp_passive_port_range_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv4_exists.stat.exists - - ftp_passive_port_range_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'ftp_passive_port_range=..' is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf - register: ftp_passive_port_range_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv6_exists.stat.exists - - ftp_passive_port_range_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # munin_remote_port - # --- - - - name: Check if String 'munin_remote_port=..' 
is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf - register: munin_remote_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv4_present.rc > 1" - changed_when: "munin_remote_port_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Port used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv4_exists.stat.exists - - munin_remote_port_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'munin_remote_port=..' is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf - register: munin_remote_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv6_present.rc > 1" - changed_when: "munin_remote_port_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Ports used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv6_exists.stat.exists - - munin_remote_port_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # xymon_port - # --- - - - name: Check if String 'xymon_port=..' 
is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf - register: xymon_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv4_present.rc > 1" - changed_when: "xymon_port_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv4_exists.stat.exists - - xymon_port_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'xymon_port=..' is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf - register: xymon_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv6_present.rc > 1" - changed_when: "xymon_port_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv6_exists.stat.exists - - xymon_port_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # mumble_ports - # --- - - - name: Check if String 'mumble_ports=..' 
is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mumble_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv4_present.rc > 1" - changed_when: "mumble_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv4_exists.stat.exists - - mumble_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - - name: Check if String 'mumble_ports=..' is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mumble_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv6_present.rc > 1" - changed_when: "mumble_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv6_exists.stat.exists - - mumble_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- - # Remove Marker set by blockinfile - # --- - - - name: Remove marker IPv4 - replace : - path: /etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - - - name: Remove marker IPv6 - replace : - path: 
/etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists - - - # === - # Update/Modify firewall - # === - - # --- - # Host specific configuration files - # --- - - # /etc/ipt-firewall/interfaces_ipv[4|6].conf - # - - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf - when: not interfaces_ipv4_exists.stat.exists - register: new_interfaces_ipv4 - - - - name: Configure interfaces_ipv4.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_if_{{ idx + 1 }}=' - line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - - item.ipv4.address is defined and item.ipv4.address|length > 0 - - - name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_{{ idx + 1 }}_ip=' - line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - - item.ipv4.address is defined and item.ipv4.address|length > 0 - - - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf - when: not interfaces_ipv6_exists.stat.exists - register: new_interfaces_ipv6 - - - name: Configure interfaces_ipv6.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_if_{{ 
idx + 1 }}=' - line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv6_exists.stat.exists - - new_interfaces_ipv6 is changed - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - - - name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_{{ idx + 1 }}_ip=' - #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' - line: "ext_{{ idx + 1 }}_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv6_exists.stat.exists - - new_interfaces_ipv6 is changed - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - - # /etc/ipt-firewall/ban_ipv[4|6].list - # - - name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list - when: not ban_ipv4_exists.stat.exists - - - name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list - when: not ban_ipv6_exists.stat.exists - - # /etc/ipt-firewall/main_ipv[4|6].conf - # - - name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf - when: not main_ipv4_exists.stat.exists - register: cp_main_ipv4 - - - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf - when: not main_ipv6_exists.stat.exists - register: cp_main_ipv6 - - # Configure 
main_ipv4.conf - # - - name: Configure main_ipv4.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mail_client_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*smtpd_ips=' - line: smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_server_ips=' - line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is 
search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (ftp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" - state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - # Configure main_ipv6.conf - # - - name: Configure main_ipv6.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mail_client_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - 
when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*smtpd_ips=' - line: smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_server_ips=' - line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (ftp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" - state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - # --- - # Host independet configuration files - # --- - - - name: Check if common configuration files are latest - shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' - changed_when: "diff_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - 
include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - register: diff_output - - - name: Ensure common configuration files are latest - command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} - loop: - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - - # --- - # Firewall scripts - # --- - - - name: Check if firewall scripts are latest - shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - ipt-firewall-server - - ip6t-firewall-server - register: diff_script_output - - - name: Ensure firewall scripts are latest - command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} - loop: - - ipt-firewall-server - - ip6t-firewall-server - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - - # --- - # Install systemd service files ip[6]t-firewall.service - # --- - - - name: Configure firewall systemd service files - template: - src: etc/systemd/system/{{ item }}-firewall.service.j2 - dest: /etc/systemd/system/{{ item }}-firewall.service - register: systemd_service_files_installed - with_items: - - ipt - - ip6t - - - name: Enable firewall services IPv4 - systemd: - name: ipt-firewall - state: stopped - 
enabled: yes - daemon_reload: yes - when: systemd_service_files_installed is changed - register: firewall_service_started - - - name: Enable firewall services IPv6 - systemd: - name: ip6t-firewall - state: stopped - enabled: yes - daemon_reload: yes - when: systemd_service_files_installed is changed - register: firewall_service_started - - - meta: end_host - when: firewall_service_started is changed - - # --- - # Delete unused files - # --- - - - name: Delete file /etc/ipt-firewall/ports.conf - file: - path: /etc/ipt-firewall/ports.conf - state: absent - when: systemd_service_files_installed is changed - - - # === - # Handlers used by this playbook - # === - - handlers: - - - name: Restart ulogd - service: - name: ulogd - state: restarted - - - name: Restart IPv4 Firewall - service: - name: ipt-firewall - state: restarted - when: - - interfaces_ipv4_exists.stat.exists - - main_ipv4_exists.stat.exists - - - name: Restart IPv6 Firewall - service: - name: ip6t-firewall - state: restarted - when: - - interfaces_ipv6_exists.stat.exists - - main_ipv6_exists.stat.exists diff --git a/scripts/modify-postfix-main-dot-cf.yml b/scripts/modify-postfix-main-dot-cf.yml new file mode 100644 index 0000000..8e46505 --- /dev/null +++ b/scripts/modify-postfix-main-dot-cf.yml 
@@ -0,0 +1,66 @@
+---
+
+- hosts: all
+
+ tasks:
+
+ - name: Check if file '/etc/postfix/main.cf' exists
+ stat:
+ path: /etc/postfix/main.cf
+ register: postfix_main_cf_exists
+
+ # ---
+ # /etc/postfix/main.cf: compatibility_level = 2
+ # ---
+
+ - name: Check if String 'compatibility_level =..' is present
+ shell: grep -q -E "^\s*compatibility_level\s*=" /etc/postfix/main.cf
+ register: compatibility_level_present
+ when: postfix_main_cf_exists.stat.exists
+ failed_when: "compatibility_level_present.rc > 1"
+ changed_when: "compatibility_level_present.rc > 0"
+
+ - name: Adjust file '/etc/postfix/main.cf' (compatibility_level)
+ blockinfile:
+ path: /etc/postfix/main.cf
+ insertafter: '^#\s*=+\s*Basic\s*settings\s*=+'
+ block: |
+ # Disable backwards compatibility
+ #
+ compatibility_level = 2
+
+ marker: "# Marker set by modify-postfix-main-dot-cf.yml (compatibility_level)"
+ when:
+ - postfix_main_cf_exists.stat.exists
+ - compatibility_level_present is changed
+ notify:
+ - Restart postfix
+
+
+ # ---
+ # Remove Marker set by blockinfile
+ # ---
+
+ - name: Remove marker
+ replace :
+ path: /etc/postfix/main.cf
+ regexp: "^# Marker set by modify-postfix-main-dot-cf.yml.*$"
+ replace: ""
+ #register: marker_ipv4_removed
+ #failed_when: "marker_ipv4_removed.rc > 1"
+ #changed_when: "marker_ipv4_removed.rc < 1"
+ when:
+ - postfix_main_cf_exists.stat.exists
+
+
+
+ # ===
+ # Handlers used by this playbook
+ # ===
+
+ handlers:
+
+ - name: Restart postfix
+ service:
+ name: postfix
+ state: restarted
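Review bot: The grep check, the blockinfile with a throw-away marker and the marker-stripping `replace` task together do what a single `lineinfile` with `regexp` and `insertafter` does in one idempotent step, and stripping blockinfile's marker right after inserting leaves only the grep guard to prevent a second insertion on the next run. One difference to decide on: `lineinfile` with the regexp would also rewrite an already present `compatibility_level = <other value>`, whereas this version leaves an existing value untouched; if that is intended, keep the grep task and use it as the `when:`. In the `Remove marker` task, `replace :` carries a space before the colon (yamllint flags it), and the three commented-out `marker_ipv4_removed` lines are copied from the firewall playbook and refer to a variable this file never registers, so they should go. `shell: grep ...` uses no shell features, so `command:` would do and avoids spawning a shell.
```yaml
  - name: Ensure 'compatibility_level = 2' in /etc/postfix/main.cf
    lineinfile:
      path: /etc/postfix/main.cf
      regexp: '^\s*compatibility_level\s*='
      line: compatibility_level = 2
      insertafter: '^#\s*=+\s*Basic\s*settings\s*=+'
    when: postfix_main_cf_exists.stat.exists
    notify:
      - Restart postfix
  # … unchanged: handlers …
```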