diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 88cac47..365bdd0 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -617,7 +617,7 @@ acl_caching_nameserver: {}
 # Firewall repository
 # ---
-git_firewall_repository: []
+git_firewall_repository: {}
 # ---
 # all servers
diff --git a/group_vars/so36_server.yml b/group_vars/so36_server.yml
new file mode 100644
index 0000000..6a10835
--- /dev/null
+++ b/group_vars/so36_server.yml
@@ -0,0 +1,65 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+ - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+ name: ipt-server
+ repo: https://git.oopen.de/firewall/ipt-server
+ dest: /usr/local/src/ipt-server
+
diff --git a/host_vars/a.ns.oopen.de.yml b/host_vars/a.ns.oopen.de.yml
new file mode 100644
index 0000000..ab7fee8
--- /dev/null
+++ b/host_vars/a.ns.oopen.de.yml
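Review bot: The `git_firewall_repository` dict in group_vars/so36_server.yml carries `repo` and `dest` but no `version`, so the task that consumes it checks out whatever the remote default branch currently points at rather than a reviewed tag or commit; since that repository holds the firewall scripts later installed and run as root, I would pin it here with `version: "<pinned-tag-or-commit>"` (placeholder) and have scripts/install-update-firewall.yml pass it to the `git` module. The `[so36_server]` group this file belongs to appears only commented out in `hosts` in this same commit, so these vars are inert until the group is enabled — a one-line comment at the top of the file saying so would help the next reader.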
@@ -0,0 +1,69 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# vars used by scripts/install-update-firewall.yml
+# ---
+
+git_firewall_repository: {}
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
diff --git a/host_vars/codecoop.org.yml b/host_vars/codecoop.org.yml
new file mode 100644
index 0000000..66a3b80
--- /dev/null
+++ b/host_vars/codecoop.org.yml
@@ -0,0 +1,68 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+ - 22
+ - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
diff --git a/host_vars/dns1.warenform.de b/host_vars/dns1.warenform.de
new file mode 100644
index 0000000..ab7fee8
--- /dev/null
+++ b/host_vars/dns1.warenform.de
@@ -0,0 +1,69 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# vars used by scripts/install-update-firewall.yml
+# ---
+
+git_firewall_repository: {}
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
diff --git a/host_vars/site36.net.yml b/host_vars/site36.net.yml
new file mode 100644
index 0000000..66a3b80
--- /dev/null
+++ b/host_vars/site36.net.yml
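Review bot: host_vars/dns1.warenform.de is added without the `.yml` extension that every other host_vars file in this commit uses (`a.ns.oopen.de.yml`, `codecoop.org.yml`, `site36.net.yml`); Ansible reads both spellings, but one convention per directory keeps glob-based tooling and editor YAML detection consistent, so I would rename it to `host_vars/dns1.warenform.de.yml`. Its blob id `ab7fee8` is identical to host_vars/a.ns.oopen.de.yml, so it also inherits the `# vars used by apt.yml` header that the other files spell as `roles/common/tasks/apt.yml`.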
@@ -0,0 +1,68 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+ - 22
+ - 1036
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
diff --git a/hosts b/hosts
index daedb88..616e041 100644
--- a/hosts
+++ b/hosts
@@ -14,7 +14,6 @@ a.ns.oopen.de
 [extra_hosts]
 o25.oopen.de
 test.mx.oopen.de
-rage.so36.net:1036 ansible_user=ckubu
 [initial_setup]
@@ -270,7 +269,7 @@ devel-wiki.wf.netz
 # O.OPEN office network
 # ---
-ckubu.local.netz
+gw-ckubu.local.netz
 [webadmin]
@@ -946,3 +945,26 @@ devel-php.wf.netz
 devel-repos.wf.netz
 devel-todo.wf.netz
 devel-wiki.wf.netz
+
+#[so36_server]
+#devnull.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#codecoop.org ansible_ssh_port=22 ansible_user=ckubu
+#comm.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#noc.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#ns.so36net.de ansible_ssh_port=1036 ansible_user=ckubu
+#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#resolver-a.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#resolver-b.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#schleuder3.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#shell.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#sympa.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#usr-db.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#web.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#suck.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#wipe.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#backup.so36.net ansible_ssh_port=1036 ansible_user=ckubu
+#
+#o18.oopen.de ansible_ssh_port=1036 ansible_user=chris
+#site36.net ansible_ssh_port=1036 ansible_user=ckubu
diff --git a/scripts/install-update-firewall.yml b/scripts/install-update-firewall.yml
index a7a99f3..8f4c9fe 100644
--- a/scripts/install-update-firewall.yml
+++ b/scripts/install-update-firewall.yml
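Review bot: The new `[so36_server]` group is added entirely commented out while group_vars/so36_server.yml is added in the same commit, so no inventory host currently resolves those group vars; if the group is meant to be enabled later, its entries use `ansible_ssh_port=`, the pre-2.0 spelling of `ansible_port=`, and are worth updating to `ansible_port=1036` before they are uncommented. The `@@ -14` hunk removes `rage.so36.net:1036 ansible_user=ckubu` from `[extra_hosts]` and its only replacement is the commented `#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu`, so that host drops out of the inventory until then — presumably intended, but a comment on the group header saying why it is disabled would prevent someone from uncommenting it prematurely.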
@@ -4,18 +4,35 @@
 tasks:
+# # ---
+# # - Check if firewall repository exist
+# # ---
+#
+# - name: Check if firewall repository exist
+# stat:
+# path: '{{ git_firewall_repository.dest }}'
+# register: git_firewall_repository_exists
+#
+# - meta: end_host
+# when: not git_firewall_repository_exists.stat.exists
+
 # ---
 # Create firewall config directory '/etc/ipt/firewall' if not exists
 # ---
- #
+
 - name: Install/update firewall repository
 git:
 repo: '{{ git_firewall_repository.repo }}'
 dest: '{{ git_firewall_repository.dest }}'
- when: git_firewall_repository is defined and git_firewall_repository > 0
+ when: git_firewall_repository is defined and git_firewall_repository|length > 0
 tags:
 - git-firewall-repository
+ # Exit if no firewall repository variable does not exists or is empty
+ #
+ - meta: end_host
+ when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
 - name: Create directory /etc/ipt-firewall if not exists
 file:
 path: /etc/ipt-firewall
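Review bot: The `git:` task still passes only `repo` and `dest`, so every run moves `git_firewall_repository.dest` to whatever the remote default branch points at, and the firewall scripts this playbook later installs as root systemd services are never pinned to a reviewed revision; adding `version: "{{ git_firewall_repository.version | default('HEAD') }}"` keeps today's behaviour while letting a host or group pin a tag or commit. The corrected `when: ... git_firewall_repository|length > 0` and the new `- meta: end_host` guard are exact inverses, so the guard would read more naturally placed before the git task, which then needs no condition of its own. The added comment `# Exit if no firewall repository variable does not exists or is empty` is a double negation; `# Exit the host when git_firewall_repository is undefined or empty` says what the task does. The enclosing `tasks:` list continues past the hunk.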
@@ -64,35 +81,50 @@ ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" when: - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' - inventory_hostname not in groups['lxc_host']|string with_items: - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - name: define traditional ibridge facts + - name: define traditional bridge facts set_fact: - #ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}" ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" when: - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' - "groups['lxc_host']|string is search(inventory_hostname)" with_items: - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - name: Debug message + - name: Debug message IPv4 debug: msg: - "index: {{ idx + 1 }}" - "device: {{ item.device }}" - - "ipv4-address {{ item.ipv4.address }} " - - "ipv6-address: {{ item.ipv6.0.address }}" + - "ipv4-address: {{ item.ipv4.address }}" loop: "{{ ansible_netdev }}" loop_control: label: "{{ item.device }}" index_var: idx - when: - - not interfaces_ipv4_exists.stat.exists + when: + - item.ipv4.address is defined and item.ipv4.address|length > 0 + + - name: Debug message IPv6 + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - 
item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + +# - meta: end_host # --- # Get sshd ports @@ -604,6 +636,7 @@ when: - not interfaces_ipv4_exists.stat.exists - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 - name: Configure interfaces_ipv4.conf 2/2 lineinfile: @@ -617,6 +650,7 @@ when: - not interfaces_ipv4_exists.stat.exists - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf @@ -637,12 +671,14 @@ when: - not interfaces_ipv6_exists.stat.exists - new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - name: Configure interfaces_ipv4.conf 2/2 lineinfile: path: /etc/ipt-firewall/interfaces_ipv6.conf regexp: '^ext_{{ idx + 1 }}_ip=' - line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' + #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' + line: "ext_{{ idx + 1 }}_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" loop: "{{ ansible_netdev }}" loop_control: label: "{{ item.device }}" @@ -650,6 +686,7 @@ when: - not interfaces_ipv6_exists.stat.exists - new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 # /etc/ipt-firewall/ban_ipv[4|6].list # 
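Review bot: In the new `Debug message IPv6` task the message references `item.ipv6.1.address` unconditionally while the `when:` only establishes `item.ipv6.0.address`, so an interface with a single IPv6 address makes the `is match` test hit an undefined value and aborts the play; the same expression is reused for `line:` in the `interfaces_ipv6.conf 2/2` task in the `@@ -637` hunk below, where the failure would leave /etc/ipt-firewall/interfaces_ipv6.conf half-written. Wrapping the existing filter in another `is defined` does not help because `ternary()` evaluates both branch arguments eagerly; a lazy inline conditional only touches the second element when it exists: `{{ ' ' + item.ipv6.1.address if (item.ipv6.1.address is defined and item.ipv6.1.address is not match 'f.*') else '' }}`. The `is match 'f.*'` test presumably intends to skip link-local `fe80::` addresses, but it also drops ULA `fc00::/7`; a comment such as `# skip link-local (fe80::) secondary addresses` would record the intent. The enclosing task list starts and ends outside the hunk.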
@@ -929,6 +966,49 @@
 - Restart IPv4 Firewall
 - Restart IPv6 Firewall
+ # ---
+ # Install systemd service files ip[6]t-firewall.service
+ # ---
+
+ - name: Configure firewall systemd service files
+ template:
+ src: etc/systemd/system/{{ item }}-firewall.service.j2
+ dest: /etc/systemd/system/{{ item }}-firewall.service
+ register: systemd_service_files_installed
+ with_items:
+ - ipt
+ - ip6t
+
+ - name: Start firewall services
+ systemd:
+ name: "{{ item }}-firewall"
+ state: restarted
+ enabled: yes
+ daemon_reload: yes
+ with_items:
+ - ipt
+ - ip6t
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+ - meta: end_host
+ when: firewall_service_started is changed
+
+ # ---
+ # Delete unused files
+ # ---
+
+ - name: Delete file /etc/ipt-firewall/ports.conf
+ file:
+ path: /etc/ipt-firewall/ports.conf
+ state: absent
+ when: systemd_service_files_installed is changed
+
+
+ # ===
+ # Handlers used by this playbook
+ # ===
+
 handlers:
 - name: Restart ulogd
diff --git a/scripts/templates/etc/systemd/system/ip6t-firewall.service.j2 b/scripts/templates/etc/systemd/system/ip6t-firewall.service.j2
new file mode 100644
index 0000000..ad2c85f
--- /dev/null
+++ b/scripts/templates/etc/systemd/system/ip6t-firewall.service.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/scripts/templates/etc/systemd/system/ipt-firewall.service.j2 b/scripts/templates/etc/systemd/system/ipt-firewall.service.j2
new file mode 100644
index 0000000..ab20b8f
--- /dev/null
+++ b/scripts/templates/etc/systemd/system/ipt-firewall.service.j2
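Review bot: The `- meta: end_host` guarded by `when: firewall_service_started is changed` sits before `Delete file /etc/ipt-firewall/ports.conf`, and both conditions become true in the same run (unit files changed, so services were restarted), so the delete task is skipped in the only case its own `when: systemd_service_files_installed is changed` would fire; either move the delete task above the `end_host` or drop that guard. `state: restarted` on every unit-file change also means the firewall rules are torn down and re-applied during the play, which is reasonable for a oneshot but deserves a one-line comment such as `# unit file changed: restart to reload the firewall scripts`. Minor: write `enabled: true` and `daemon_reload: true` rather than `yes` to avoid YAML 1.1 truthy ambiguity.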
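Review bot: `After=network.target` orders the unit after the network is up, so on boot there is a window where interfaces are configured and reachable before `ip6t-firewall-server start` has loaded any rules; systemd provides `network-pre.target` precisely for firewall units. Replace that line with `Before=network-pre.target` and `Wants=network-pre.target`, and mirror the change in scripts/templates/etc/systemd/system/ipt-firewall.service.j2 in the next file section, which has the same `After=network.target`. `User=root` is the default for a system unit and can be dropped.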
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/scripts/test.yml b/scripts/test.yml
index d27b29e..fbadf67 100644
--- a/scripts/test.yml
+++ b/scripts/test.yml
@@ -4,16 +4,52 @@ tasks: - - - name: Get sshd ports as blank separated list - set_fact: - fw_sshd_ports: "{{ sshd_ports | join (' ') }}" - when: - - sshd_ports is defined and sshd_ports | length > 0 - - sshd_ports|join() != "22" - - name: Set default sshd ports + - name: define traditional ethernet facts set_fact: - fw_sshd_ports: "$standard_ssh_port" - when: - - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' + - inventory_hostname not in groups['lxc_host']|string + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: define traditional bridge facts + set_fact: + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' + - "groups['lxc_host']|string is search(inventory_hostname)" + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: set fact - ipv6 / ipv4 addresses + set_fact: + host_ipv6_addr: "{% set host_ipv6_addr = item.ipv6.0.address + ' ' + (item.ipv6.1.address is match 'f.*') | ternary('',item.ipv6.1.address) %}{{ host_ipv6_addr | trim }}" + host_ipv4_addr: "{% set host_ipv4_addr = item.ipv4.address %}{{ host_ipv4_addr| trim }}" + when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + + - name: Debug message + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv4-address: {{ item.ipv4.address }}" + 
- "ipv4-address: {{ host_ipv4_addr }}" + - "ipv6-address: {{ host_ipv6_addr }}" + - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0" + + +# - name: Debug message - ipv6-address(es) +# debug: +# msg: 'Ipv6 Address(es): {{ ansible_ipv6 }}'