diff --git a/scripts/first-run.yml b/scripts/first-run.yml
deleted file mode 100644
index 66e4c33..0000000
--- a/scripts/first-run.yml
+++ /dev/null
@@ -1,118 +0,0 @@ ---- - -- hosts: extra_hosts - - tasks: - - - name: (apt.yml) apt update - apt: - update_cache: true - cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}" - when: apt_update|bool - - - name: (apt.yml) dpkg --configure - command: > - dpkg --configure -a - args: - warn: false - changed_when: _dpkg_configure.stdout_lines | length - register: _dpkg_configure - when: apt_dpkg_configure|bool - - - name: Install ulogd2 - apt: - name: ulogd2 - state: present - default_release: "{{ ansible_distribution_release }}" - tags: - - ulogd - - apt-ulogd - - - name: Check if file '/etc/ulogd.conf.ORIG' exists - stat: - path: /etc/ulogd.conf.ORIG - register: ulogd_conf_orig_exists - tags: - - ulogd - - - name: Backup existing file /etc/ulogd.conf - command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG - when: ulogd_conf_orig_exists.stat.exists == False - tags: - - ulogd - - - name: Adjust file '/etc/ulogd.conf' 1/2 - blockinfile: - path: /etc/ulogd.conf - insertafter: '^#?\s*plugin="/usr/lib' - block: | - - # ==================================================================== - # Define two new plugin stacks inside for iptables logging - # ==================================================================== - # - - # - firewall11 - for IPv4 Firewall - # - firewall12 - for IPv6 Firewall - # - - stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU - stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU - - marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2" - state: present - register: ulogd_conf_1 - notify: Restart ulogd - - - name: Adjust file '/etc/ulogd.conf' 2/2 - blockinfile: - path: /etc/ulogd.conf - insertafter: EOF - block: | - - # ========================================================= - # Define input plugins using specified netlink group inside - # ========================================================= - [firewall11] 
- group=11 - - [firewall12] - group=12 - - - # ===================== - # Define output plugins - # ===================== - - [emu11] - file="/var/log/ulog/iptables.log" - sync=1 - - [emu12] - file="/var/log/ulog/ip6tables.log" - sync=1 - - marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2" - state: present - register: ulogd_conf_1 - notify: Restart ulogd - - - name: Insert Headline to file '/etc/ulogd.conf' - blockinfile: - path: /etc/ulogd.conf - insertbefore: BOF - block: | - # - # -------------------------- - # ** DO NOT EDIT DIRECTLY ** - # -------------------------- - # Ansible managed file - # - marker: "# {mark}" - - - handlers: - - - name: Restart ulogd - service: - name: ulogd - state: restarted -
diff --git a/scripts/first-run.yml.BAK b/scripts/first-run.yml.BAK
deleted file mode 100644
index ae61a00..0000000
--- a/scripts/first-run.yml.BAK
+++ /dev/null
@@ -1,46 +0,0 @@ ---- - -- hosts: extra_hosts - - tasks: - - - name: Install ulogd2 - apt: - name: ulogd2 - state: present - default_release: "{{ ansible_distribution_release }}" - tags: - - ulogd - - apt-ulogd - - - name: Check if file '/etc/ulogd.conf.ORIG' exists - stat: - path: /etc/ulogd.conf.ORIG - register: ulogd_conf_orig_exists - tags: - - ulogd - - - name: Backup existing file /etc/ulogd.conf - command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG - when: ulogd_conf_orig_exists.stat.exists == False - tags: - - ulogd - - - name: Adjust file '/etc/ulogd.conf' 1/2 - lineinfile: - path: /etc/ulogd.conf - insertafter: '^plugin="/usr/lib' - block: | - {{ item.entry }} - with_items: - - { entry: '' } - - { entry: '# ====================================================================' } - - { entry: '# Define two new plugin stacks inside for iptables logging' } - - { entry: '# ====================================================================' } - - { entry: '# -' } - - { entry: '# - firewall11 - for IPv4 Firewall' } - - { entry: '# - firewall12 - for IPv6 Firewall' } - - { entry: '# -' } - - { entry: 'stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU' } - - { entry: 'stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU' } - - { entry: '' } diff --git a/scripts/install-firewall.yml b/scripts/install-firewall.yml deleted file mode 100644 index d8f4af6..0000000 --- a/scripts/install-firewall.yml +++ /dev/null 
@@ -1,455 +0,0 @@ ---- - -- hosts: all - - tasks: - - # --- - # Create firewall config directory '/etc/ipt/firewall' if not exists - # --- - # - - name: Install/update firewall repository - git: - repo: '{{ git_firewall_repository.repo }}' - dest: '{{ git_firewall_repository.dest }}' - when: git_firewall_repository is defined and git_firewall_repository > 0 - tags: - - git-firewall-repository - - - name: Create directory /etc/ipt-firewall if not exists - file: - path: /etc/ipt-firewall - state: directory - - # --- - # Get information about network devices - # --- - - - name: define traditional ethernet facts - set_fact: - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" - when: - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' - - inventory_hostname not in groups['lxc_host']|string - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - - name: define traditional ibridge facts - set_fact: - #ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}" - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" - when: - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' - - "groups['lxc_host']|string is search(inventory_hostname)" - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - - - name: Debug message - debug: - msg: - - "index: {{ idx + 1 }}" - - "device: {{ item.device }}" - - "ipv4-address {{ item.ipv4.address }} " - - "ipv6-address: {{ item.ipv6.0.address }}" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - - # --- - # Check presence of files - # --- - - - name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present - stat: - path: 
/etc/ipt-firewall/interfaces_ipv4.conf - register: interfaces_ipv4_exists - - - name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present - stat: - path: /etc/ipt-firewall/interfaces_ipv6.conf - register: interfaces_ipv6_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - - - name: Check if /etc/ipt-firewall/ban_ipv4.list are present - stat: - path: /etc/ipt-firewall/ban_ipv4.list - register: ban_ipv4_exists - - - name: Check if /etc/ipt-firewall/ban_ipv6.list are present - stat: - path: /etc/ipt-firewall/ban_ipv6.list - register: ban_ipv6_exists - - # === - # Update/Modify firewall - # === - - # --- - # Host specific configuration files - # --- - - # /etc/ipt-firewall/interfaces_ipv[4|6].conf - # - - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf - when: not interfaces_ipv4_exists.stat.exists - register: new_interfaces_ipv4 - - - - name: Configure interfaces_ipv4.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_if_{{ idx + 1 }}=' - line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - - - name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_{{ idx + 1 }}_ip=' - line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - 
- - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf - when: not interfaces_ipv6_exists.stat.exists - register: new_interfaces_ipv6 - - - name: Configure interfaces_ipv6.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_if_{{ idx + 1 }}=' - line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv6_exists.stat.exists - - new_interfaces_ipv6 is changed - - - name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_{{ idx + 1 }}_ip=' - line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - not interfaces_ipv6_exists.stat.exists - - new_interfaces_ipv6 is changed - - # /etc/ipt-firewall/ban_ipv[4|6].list - # - - name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list - when: not ban_ipv4_exists.stat.exists - - - name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list - when: not ban_ipv6_exists.stat.exists - - # /etc/ipt-firewall/main_ipv[4|6].conf - # - - name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf - when: not main_ipv4_exists.stat.exists - register: cp_main_ipv4 - - - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample 
/etc/ipt-firewall/main_ipv6.conf - when: not main_ipv6_exists.stat.exists - register: cp_main_ipv6 - - # Configure main_ipv4.conf - # - - name: Configure main_ipv4.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mail_client_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*smtpd_ips=' - line: smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_server_ips=' 
- line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (ftp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" - state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - - name: Configure main_ipv4.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - # Configure main_ipv6.conf - # - - name: Configure main_ipv6.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mail_client_ips) - lineinfile: - path: 
/etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*smtpd_ips=' - line: smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_server_ips=' - line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (ftp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" - state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - - name: Configure main_ipv6.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - # --- - # Host independet configuration files - # --- - - - name: Check if common configuration files are latest - shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' - changed_when: "diff_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - 
failed_when: "diff_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - register: diff_output - - - name: Ensure common configuration files are latest - command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} - loop: - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - - # --- - # Firewall scripts - # --- - - - name: Check if firewall scripts are latest - shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - ipt-firewall-server - - ip6t-firewall-server - register: diff_script_output - - - name: Ensure firewall scripts are latest - command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} - loop: - - ipt-firewall-server - - ip6t-firewall-server - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - - handlers: - - - name: Restart ulogd - service: - name: ulogd - state: restarted - - - name: Restart IPv4 Firewall - service: - name: ipt-firewall - state: restarted - - - name: Restart IPv6 Firewall - service: - name: ip6t-firewall - state: restarted