ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Complete playbook 'install-update-firewall.yml'.

Browse Source
This commit is contained in:
Christoph 2019-07-04 03:55:40 +02:00
parent 505cdbf120
commit 63de7170de
11 changed files with 533 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
group_vars/all/main.yml
View File

@ -617,7 +617,7 @@ acl_caching_nameserver: {}
# Firewall repository # Firewall repository
# --- # ---
git_firewall_repository: [] git_firewall_repository: {}
# --- # ---
# all servers # all servers

65
group_vars/so36_server.yml Normal file
View File

@ -0,0 +1,65 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 1036
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server

69
host_vars/a.ns.oopen.de.yml Normal file
View File

@ -0,0 +1,69 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# vars used by scripts/install-update-firewall.yml
# ---
git_firewall_repository: {}
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

68
host_vars/codecoop.org.yml Normal file
View File

@ -0,0 +1,68 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
- 1036
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

69
host_vars/dns1.warenform.de Normal file
View File

@ -0,0 +1,69 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# vars used by scripts/install-update-firewall.yml
# ---
git_firewall_repository: {}
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

68
host_vars/site36.net.yml Normal file
View File

@ -0,0 +1,68 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
- 1036
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

26
hosts
View File

@ -14,7 +14,6 @@ a.ns.oopen.de
[extra_hosts] [extra_hosts]
o25.oopen.de o25.oopen.de
test.mx.oopen.de test.mx.oopen.de
rage.so36.net:1036 ansible_user=ckubu
[initial_setup] [initial_setup]
@ -270,7 +269,7 @@ devel-wiki.wf.netz
# O.OPEN office network # O.OPEN office network
# --- # ---
ckubu.local.netz gw-ckubu.local.netz
[webadmin] [webadmin]
@ -946,3 +945,26 @@ devel-php.wf.netz
devel-repos.wf.netz devel-repos.wf.netz
devel-todo.wf.netz devel-todo.wf.netz
devel-wiki.wf.netz devel-wiki.wf.netz
#[so36_server]
#devnull.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#codecoop.org ansible_ssh_port=22 ansible_user=ckubu
#comm.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#noc.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#ns.so36net.de ansible_ssh_port=1036 ansible_user=ckubu
#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#resolver-a.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#resolver-b.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#schleuder3.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#shell.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#sympa.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#usr-db.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#web.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#suck.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#wipe.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#backup.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#o18.oopen.de ansible_ssh_port=1036 ansible_user=chris
#site36.net ansible_ssh_port=1036 ansible_user=ckubu

98
scripts/install-update-firewall.yml
View File

@ -4,18 +4,35 @@
tasks: tasks:
# # ---
# # - Check if firewall repository exist
# # ---
#
# - name: Check if firewall repository exist
# stat:
# path: '{{ git_firewall_repository.dest }}'
# register: git_firewall_repository_exists
#
# - meta: end_host
# when: not git_firewall_repository_exists.stat.exists
# --- # ---
# Create firewall config directory '/etc/ipt/firewall' if not exists # Create firewall config directory '/etc/ipt/firewall' if not exists
# --- # ---
#
- name: Install/update firewall repository - name: Install/update firewall repository
git: git:
repo: '{{ git_firewall_repository.repo }}' repo: '{{ git_firewall_repository.repo }}'
dest: '{{ git_firewall_repository.dest }}' dest: '{{ git_firewall_repository.dest }}'
when: git_firewall_repository is defined and git_firewall_repository > 0 when: git_firewall_repository is defined and git_firewall_repository|length > 0
tags: tags:
- git-firewall-repository - git-firewall-repository
# Exit if no firewall repository variable does not exists or is empty
#
- meta: end_host
when: git_firewall_repository is not defined or git_firewall_repository|length < 1
- name: Create directory /etc/ipt-firewall if not exists - name: Create directory /etc/ipt-firewall if not exists
file: file:
path: /etc/ipt-firewall path: /etc/ipt-firewall
@ -64,35 +81,50 @@
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when: when:
- not interfaces_ipv4_exists.stat.exists - not interfaces_ipv4_exists.stat.exists
- hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
- inventory_hostname not in groups['lxc_host']|string - inventory_hostname not in groups['lxc_host']|string
with_items: with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: define traditional ibridge facts - name: define traditional bridge facts
set_fact: set_fact:
#ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}"
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when: when:
- not interfaces_ipv4_exists.stat.exists - not interfaces_ipv4_exists.stat.exists
- hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
- "groups['lxc_host']|string is search(inventory_hostname)" - "groups['lxc_host']|string is search(inventory_hostname)"
with_items: with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: Debug message - name: Debug message IPv4
debug: debug:
msg: msg:
- "index: {{ idx + 1 }}" - "index: {{ idx + 1 }}"
- "device: {{ item.device }}" - "device: {{ item.device }}"
- "ipv4-address {{ item.ipv4.address }} " - "ipv4-address: {{ item.ipv4.address }}"
- "ipv6-address: {{ item.ipv6.0.address }}"
loop: "{{ ansible_netdev }}" loop: "{{ ansible_netdev }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
index_var: idx index_var: idx
when: when:
- not interfaces_ipv4_exists.stat.exists - item.ipv4.address is defined and item.ipv4.address|length > 0
- name: Debug message IPv6
debug:
msg:
- "index: {{ idx + 1 }}"
- "device: {{ item.device }}"
- "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
# - meta: end_host
# --- # ---
# Get sshd ports # Get sshd ports
@ -604,6 +636,7 @@
when: when:
- not interfaces_ipv4_exists.stat.exists - not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed - new_interfaces_ipv4 is changed
- item.ipv4.address is defined and item.ipv4.address|length > 0
- name: Configure interfaces_ipv4.conf 2/2 - name: Configure interfaces_ipv4.conf 2/2
lineinfile: lineinfile:
@ -617,6 +650,7 @@
when: when:
- not interfaces_ipv4_exists.stat.exists - not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed - new_interfaces_ipv4 is changed
- item.ipv4.address is defined and item.ipv4.address|length > 0
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf
@ -637,12 +671,14 @@
when: when:
- not interfaces_ipv6_exists.stat.exists - not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed - new_interfaces_ipv6 is changed
- item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
- name: Configure interfaces_ipv4.conf 2/2 - name: Configure interfaces_ipv4.conf 2/2
lineinfile: lineinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: '^ext_{{ idx + 1 }}_ip=' regexp: '^ext_{{ idx + 1 }}_ip='
line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"'
line: "ext_{{ idx + 1 }}_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\""
loop: "{{ ansible_netdev }}" loop: "{{ ansible_netdev }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
@ -650,6 +686,7 @@
when: when:
- not interfaces_ipv6_exists.stat.exists - not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed - new_interfaces_ipv6 is changed
- item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
# /etc/ipt-firewall/ban_ipv[4|6].list # /etc/ipt-firewall/ban_ipv[4|6].list
# #
@ -929,6 +966,49 @@
- Restart IPv4 Firewall - Restart IPv4 Firewall
- Restart IPv6 Firewall - Restart IPv6 Firewall
# ---
# Install systemd service files ip[6]t-firewall.service
# ---
- name: Configure firewall systemd service files
template:
src: etc/systemd/system/{{ item }}-firewall.service.j2
dest: /etc/systemd/system/{{ item }}-firewall.service
register: systemd_service_files_installed
with_items:
- ipt
- ip6t
- name: Start firewall services
systemd:
name: "{{ item }}-firewall"
state: restarted
enabled: yes
daemon_reload: yes
with_items:
- ipt
- ip6t
when: systemd_service_files_installed is changed
register: firewall_service_started
- meta: end_host
when: firewall_service_started is changed
# ---
# Delete unused files
# ---
- name: Delete file /etc/ipt-firewall/ports.conf
file:
path: /etc/ipt-firewall/ports.conf
state: absent
when: systemd_service_files_installed is changed
# ===
# Handlers used by this playbook
# ===
handlers: handlers:
- name: Restart ulogd - name: Restart ulogd

16
scripts/templates/etc/systemd/system/ip6t-firewall.service.j2 Normal file
View File

@ -0,0 +1,16 @@
# {{ ansible_managed }}
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ip6t-firewall-server start
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target

16
scripts/templates/etc/systemd/system/ipt-firewall.service.j2 Normal file
View File

@ -0,0 +1,16 @@
# {{ ansible_managed }}
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-server start
ExecStop=/usr/local/sbin/ipt-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target

50
scripts/test.yml
View File

@ -5,15 +5,51 @@
tasks: tasks:
- name: Get sshd ports as blank separated list - name: define traditional ethernet facts
set_fact: set_fact:
fw_sshd_ports: "{{ sshd_ports | join (' ') }}" ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when: when:
- sshd_ports is defined and sshd_ports | length > 0 - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
- sshd_ports|join() != "22" - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
- inventory_hostname not in groups['lxc_host']|string
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: Set default sshd ports - name: define traditional bridge facts
set_fact: set_fact:
fw_sshd_ports: "$standard_ssh_port" ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when: when:
- sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
- "groups['lxc_host']|string is search(inventory_hostname)"
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: set fact - ipv6 / ipv4 addresses
set_fact:
host_ipv6_addr: "{% set host_ipv6_addr = item.ipv6.0.address + ' ' + (item.ipv6.1.address is match 'f.*') | ternary('',item.ipv6.1.address) %}{{ host_ipv6_addr | trim }}"
host_ipv4_addr: "{% set host_ipv4_addr = item.ipv4.address %}{{ host_ipv4_addr| trim }}"
when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0"
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
- name: Debug message
debug:
msg:
- "index: {{ idx + 1 }}"
- "device: {{ item.device }}"
- "ipv4-address: {{ item.ipv4.address }}"
- "ipv4-address: {{ host_ipv4_addr }}"
- "ipv6-address: {{ host_ipv6_addr }}"
- "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when: "item.ipv6.0.address is defined and item.ipv6.0.address|length > 0"
# - name: Debug message - ipv6-address(es)
# debug:
# msg: 'Ipv6 Address(es): {{ ansible_ipv6 }}'