Complete playbook 'install-update-firewall.yml'.

2019-07-04 03:55:40 +02:00 · 2019-07-04 03:55:40 +02:00 · 63de7170de
commit 63de7170de
parent 505cdbf120
11 changed files with 533 additions and 24 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -617,7 +617,7 @@ acl_caching_nameserver: {}
 # Firewall repository
 # ---

-git_firewall_repository: []
+git_firewall_repository: {}

 # ---
 # all servers
--- a/group_vars/so36_server.yml
+++ b/group_vars/so36_server.yml
@ -0,0 +1,65 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+  - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
--- a/host_vars/a.ns.oopen.de.yml
+++ b/host_vars/a.ns.oopen.de.yml
@ -0,0 +1,69 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# vars used by scripts/install-update-firewall.yml
+# ---
+
+git_firewall_repository: {}
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/host_vars/codecoop.org.yml
+++ b/host_vars/codecoop.org.yml
@ -0,0 +1,68 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+  - 22
+  - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/host_vars/dns1.warenform.de
+++ b/host_vars/dns1.warenform.de
@ -0,0 +1,69 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# vars used by scripts/install-update-firewall.yml
+# ---
+
+git_firewall_repository: {}
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/host_vars/site36.net.yml
+++ b/host_vars/site36.net.yml
@ -0,0 +1,68 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+  - 22
+  - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/26
+++ b/26
@ -14,7 +14,6 @@ a.ns.oopen.de
 [extra_hosts]
 o25.oopen.de
 test.mx.oopen.de
-rage.so36.net:1036 ansible_user=ckubu


 [initial_setup]
@ -270,7 +269,7 @@ devel-wiki.wf.netz
 #  O.OPEN office network
 # ---

-ckubu.local.netz
+gw-ckubu.local.netz


 [webadmin]
@ -946,3 +945,26 @@ devel-php.wf.netz
 devel-repos.wf.netz
 devel-todo.wf.netz
 devel-wiki.wf.netz
+
+#[so36_server]
+#devnull.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#codecoop.org ansible_ssh_port=22 ansible_user=ckubu
+#comm.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#noc.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#ns.so36net.de ansible_ssh_port=1036 ansible_user=ckubu
+#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#resolver-a.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#resolver-b.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#schleuder3.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#shell.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#sympa.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#usr-db.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#web.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#suck.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#wipe.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#backup.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#o18.oopen.de ansible_ssh_port=1036 ansible_user=chris
+#site36.net ansible_ssh_port=1036 ansible_user=ckubu
--- a/scripts/install-update-firewall.yml
+++ b/scripts/install-update-firewall.yml
@ -4,18 +4,35 @@

  tasks:

+#  # ---
+#  # - Check if firewall repository exist
+#  # ---
+#
+#  - name: Check if firewall repository exist
+#    stat:
+#      path: '{{ git_firewall_repository.dest }}'
+#    register: git_firewall_repository_exists
+#
+#  - meta: end_host
+#    when: not git_firewall_repository_exists.stat.exists
+
  # ---
  # Create firewall config directory '/etc/ipt/firewall' if not exists
  # ---
-  #
+
  - name: Install/update firewall repository
    git:
      repo: '{{ git_firewall_repository.repo }}'
      dest: '{{ git_firewall_repository.dest }}'
-    when: git_firewall_repository is defined and git_firewall_repository > 0
+    when: git_firewall_repository is defined and git_firewall_repository|length > 0
    tags:
      - git-firewall-repository

+  # Exit if no firewall repository variable does not exists or is empty
+  #
+  - meta: end_host
+    when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
  - name: Create directory /etc/ipt-firewall if not exists
    file:
      path: /etc/ipt-firewall
@ -64,35 +81,50 @@
      ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
    when: 
      - not interfaces_ipv4_exists.stat.exists
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
      - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
      - inventory_hostname not in groups['lxc_host']|string
    with_items:
      - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"

-  - name: define traditional ibridge facts
+  - name: define traditional bridge facts
    set_fact:
-       #ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}"
      ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
    when: 
      - not interfaces_ipv4_exists.stat.exists
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
      - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
      - "groups['lxc_host']|string is search(inventory_hostname)"
    with_items:
      - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"

-  - name: Debug message
+  - name: Debug message IPv4
    debug:
       msg: 
         - "index: {{ idx + 1 }}"
         - "device: {{ item.device }}"
-         - "ipv4-address {{ item.ipv4.address }} "
-         - "ipv6-address: {{ item.ipv6.0.address }}"
+         - "ipv4-address: {{ item.ipv4.address }}"
    loop: "{{ ansible_netdev }}"
    loop_control:
      label: "{{ item.device }}"
      index_var: idx
-    when: 
-      - not interfaces_ipv4_exists.stat.exists
+    when:
+      - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+  - name: Debug message IPv6
+    debug:
+       msg: 
+         - "index: {{ idx + 1 }}"
+         - "device: {{ item.device }}"
+         - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+    loop: "{{ ansible_netdev }}"
+    loop_control:
+      label: "{{ item.device }}"
+      index_var: idx
+    when:
+      - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
+
+#  - meta: end_host

  # ---
  # Get sshd ports
@ -604,6 +636,7 @@
    when: 
      - not interfaces_ipv4_exists.stat.exists
      - new_interfaces_ipv4 is changed
+      - item.ipv4.address is defined and item.ipv4.address|length > 0

  - name: Configure interfaces_ipv4.conf 2/2
    lineinfile:
@ -617,6 +650,7 @@
    when:
      - not interfaces_ipv4_exists.stat.exists
      - new_interfaces_ipv4 is changed
+      - item.ipv4.address is defined and item.ipv4.address|length > 0

  - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
    command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample  /etc/ipt-firewall/interfaces_ipv6.conf
@ -637,12 +671,14 @@
    when:
      - not interfaces_ipv6_exists.stat.exists
      - new_interfaces_ipv6 is changed
+      - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

  - name: Configure interfaces_ipv4.conf 2/2
    lineinfile:
      path: /etc/ipt-firewall/interfaces_ipv6.conf
      regexp: '^ext_{{ idx + 1 }}_ip='
-      line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' 
+      #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' 
+      line: "ext_{{ idx + 1 }}_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" 
    loop: "{{ ansible_netdev }}"
    loop_control:
      label: "{{ item.device }}"
@ -650,6 +686,7 @@
    when:
      - not interfaces_ipv6_exists.stat.exists
      - new_interfaces_ipv6 is changed
+      - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

  # /etc/ipt-firewall/ban_ipv[4|6].list
  #
@ -929,6 +966,49 @@
      - Restart IPv4 Firewall
      - Restart IPv6 Firewall

+  # ---
+  # Install systemd service files  ip[6]t-firewall.service
+  # ---
+
+  - name: Configure firewall systemd service files
+    template:
+      src: etc/systemd/system/{{ item }}-firewall.service.j2
+      dest: /etc/systemd/system/{{ item }}-firewall.service
+    register: systemd_service_files_installed
+    with_items:
+       - ipt
+       - ip6t
+
+  - name: Start firewall services
+    systemd:
+      name: "{{ item }}-firewall"
+      state: restarted
+      enabled: yes
+      daemon_reload: yes
+    with_items:
+       - ipt
+       - ip6t
+    when: systemd_service_files_installed is changed
+    register: firewall_service_started
+
+  - meta: end_host
+    when: firewall_service_started is changed
+
+  # ---
+  # Delete unused files
+  # ---
+
+  - name: Delete file /etc/ipt-firewall/ports.conf
+    file:
+      path: /etc/ipt-firewall/ports.conf
+      state: absent
+    when: systemd_service_files_installed is changed
+
+
+  # ===
+  # Handlers used by this playbook
+  # ===
+
  handlers:

    - name: Restart ulogd
--- a/scripts/templates/etc/systemd/system/ip6t-firewall.service.j2
+++ b/scripts/templates/etc/systemd/system/ip6t-firewall.service.j2
@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
--- a/scripts/templates/etc/systemd/system/ipt-firewall.service.j2
+++ b/scripts/templates/etc/systemd/system/ipt-firewall.service.j2
@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
--- a/scripts/test.yml
+++ b/scripts/test.yml
@ -4,16 +4,52 @@


  tasks:
-  
-  - name: Get sshd ports as blank separated list
-    set_fact:
-      fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
-    when: 
-      - sshd_ports is defined and sshd_ports | length > 0
-      - sshd_ports|join() != "22"

-  - name: Set default sshd ports
+  - name: define traditional ethernet facts
    set_fact:
-      fw_sshd_ports: "$standard_ssh_port"
-    when: 
-      - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
+      ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+    when:
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
+      - inventory_hostname not in groups['lxc_host']|string
+    with_items:
+      - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+  - name: define traditional bridge facts
+    set_fact:
+      ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+    when:
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+      - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
+      - "groups['lxc_host']|string is search(inventory_hostname)"
+    with_items:
+      - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+  - name: set fact - ipv6 / ipv4 addresses
+    set_fact: 
+      host_ipv6_addr: "{% set host_ipv6_addr =  item.ipv6.0.address  + ' ' +  (item.ipv6.1.address is match 'f.*') | ternary('',item.ipv6.1.address)  %}{{ host_ipv6_addr | trim }}"
+      host_ipv4_addr: "{% set host_ipv4_addr = item.ipv4.address %}{{  host_ipv4_addr| trim }}"
+    when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0"
+    loop: "{{ ansible_netdev }}"
+    loop_control:
+      label: "{{ item.device }}"
+
+  - name: Debug message
+    debug:
+       msg:
+         - "index: {{ idx + 1 }}"
+         - "device: {{ item.device }}"
+         - "ipv4-address: {{ item.ipv4.address }}"
+         - "ipv4-address: {{ host_ipv4_addr }}"
+         - "ipv6-address: {{ host_ipv6_addr }}"
+         - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+    loop: "{{ ansible_netdev }}"
+    loop_control:
+      label: "{{ item.device }}"
+      index_var: idx
+    when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0"
+
+
+#  - name: Debug message - ipv6-address(es)
+#    debug:
+#       msg: 'Ipv6 Address(es): {{ ansible_ipv6 }}'