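---
# ---
# Check if firewall repository exist (currently disabled)
# ---
# - name: Check if firewall repository exist
#   stat:
#     path: '{{ git_firewall_repository.dest }}'
#   register: git_firewall_repository_exists
#
# - meta: end_host
#   when: not git_firewall_repository_exists.stat.exists

# ---
# Install/update firewall repository
# ---
# The *.sample files copied into /etc/ipt-firewall further down come from this
# checkout, i.e. its content becomes firewall policy on the host. 'version'
# keeps the git module default (HEAD of the default branch); set
# git_firewall_repository.version to a tag or commit to pin what is deployed.
- name: Install/update firewall repository
  git:
    repo: '{{ git_firewall_repository.repo }}'
    dest: '{{ git_firewall_repository.dest }}'
    version: "{{ git_firewall_repository.version | default('HEAD') }}"
  when: git_firewall_repository is defined and git_firewall_repository|length > 0
  tags:
    - git-firewall-repository

# Exit if no firewall repository variable exists or is empty
#
- meta: end_host
  when: git_firewall_repository is not defined or git_firewall_repository|length < 1

# ---
# Create firewall config directory '/etc/ipt-firewall' if not exists
# ---
- name: Create directory /etc/ipt-firewall if not exists
  file:
    path: /etc/ipt-firewall
    state: directory

# ---
# Check presence of files
# ---
# Every task below is gated on one of these stat results: an existing config
# file is never replaced, only amended.
- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
  stat:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
  register: interfaces_ipv4_exists

- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
  stat:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
  register: interfaces_ipv6_exists

- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv4.conf
  register: main_ipv4_exists

- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv6.conf
  register: main_ipv6_exists

- name: Check if /etc/ipt-firewall/ban_ipv4.list are present
  stat:
    path: /etc/ipt-firewall/ban_ipv4.list
  register: ban_ipv4_exists

- name: Check if /etc/ipt-firewall/ban_ipv6.list are present
  stat:
    path: /etc/ipt-firewall/ban_ipv6.list
  register: ban_ipv6_exists

# ---
# Get information about network devices
# ---
# ansible_netdev is built up one interface at a time: plain ethernet devices on
# ordinary hosts, bridge devices on LXC hosts. Both tasks are skipped when
# interfaces_ipv4.conf already exists, so ansible_netdev may stay undefined and
# every consumer uses `ansible_netdev | default([])`.
# NOTE(review): group membership is tested by substring search on the
# stringified group list, so a host name that is a prefix of another host name
# (e.g. "web1" vs "web10", constructed example) can match unexpectedly; left
# unchanged here.
- name: define traditional ethernet facts
  set_fact:
    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
    - inventory_hostname not in groups['lxc_host']|string
  with_items:
    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"

- name: define traditional bridge facts
  set_fact:
    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
    - "groups['lxc_host']|string is search(inventory_hostname)"
  with_items:
    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"

- name: Debug message IPv4
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      - "ipv4-address: {{ item.ipv4.address }}"
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.ipv4.address is defined and item.ipv4.address|length > 0

- name: Debug message IPv6
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      # A second address starting with 'f' is not shown; a device with only one
      # IPv6 address is handled the same way instead of raising an error.
      - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address | default('f') is match 'f.*') | ternary('', ' ' + item.ipv6.1.address | default('')) }}"
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

#- meta: end_host

# ---
# Get sshd ports
# ---
# fw_sshd_ports is written verbatim into main_ipv[4|6].conf (ssh_ports="..."),
# a file the firewall script sources as shell, so sshd_ports must only ever
# carry trusted port numbers from inventory.
- name: Get sshd ports as blank separated list
  set_fact:
    fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
  when:
    - sshd_ports is defined and sshd_ports | length > 0
    - sshd_ports|join() != "22"

- name: Set default sshd ports
  set_fact:
    fw_sshd_ports: "$standard_ssh_port"
  when:
    - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"

# ===
# Modify main_ipv[4|6].conf - add port definitions
# ===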
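# ---
# Allow local Services from given (extern) network
# ---
# Pattern used for every variable in this section: grep main_ipv[4|6].conf for
# the assignment; rc 1 (not found) is reported as "changed" and drives the
# following blockinfile insert, rc > 1 (e.g. unreadable file) fails the task.
# Each IPv6 check is gated on main_ipv6_exists (not main_ipv4_exists), otherwise
# a host with only an IPv4 config fails here with grep rc 2.
# The blockinfile marker is the same for begin and end on purpose; all markers
# are stripped again by the "Remove marker" tasks at the end of this section.
- name: Check if String 'allow_local_service_from_networks=..' is present
  command: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv4.conf
  register: allow_local_service_from_networks_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "allow_local_service_from_networks_ipv4_present.rc > 1"
  changed_when: "allow_local_service_from_networks_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_local_service_from_networks)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*allow_local_service'
    block: |
      # -------------
      # ---- Allow local Services from given (extern) network
      # -------------
      # - allow_local_service_from_networks
      # -
      # - allow_local_service_from_networks=" [: [.."
      # -
      # - Allow all traffic to given local service from given (extern) network
      # -
      # - Example:
      # - allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
      # -
      # - Blank separated list
      # -
      allow_local_service_from_networks=""
    marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)"
  when:
    - main_ipv4_exists.stat.exists
    - allow_local_service_from_networks_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'allow_local_service_from_networks=..' is present
  command: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv6.conf
  register: allow_local_service_from_networks_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "allow_local_service_from_networks_ipv6_present.rc > 1"
  changed_when: "allow_local_service_from_networks_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_local_service_from_networks)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*allow_local_service'
    block: |
      # -------------
      # ---- Allow local Services from given (extern) network
      # -------------
      # - allow_local_service_from_networks
      # -
      # - allow_local_service_from_networks=" [, [.."
      # -
      # - Allow all traffic to given local service from given (extern) network
      # -
      # - Example:
      # - allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
      # -
      # - Blank separated list
      # -
      allow_local_service_from_networks=""
    marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)"
  when:
    - main_ipv6_exists.stat.exists
    - allow_local_service_from_networks_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# vpn_ports
# ---
- name: Check if String 'vpn_ports=..' is present
  command: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: vpn_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "vpn_ports_ipv4_present.rc > 1"
  changed_when: "vpn_ports_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_vpn_server_ips'
    block: |
      # - VPN Port(s) used by local Services
      # -
      # - blank separated list
      # -
      vpn_ports="$standard_vpn_port"
    marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - vpn_ports_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'vpn_ports=..' is present
  command: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: vpn_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "vpn_ports_ipv6_present.rc > 1"
  changed_when: "vpn_ports_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_vpn_server_ips'
    block: |
      # - VPN Port(s) used by local Services
      # -
      # - blank separated list
      # -
      vpn_ports="$standard_vpn_port"
    marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - vpn_ports_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# support local NTP Service
# ---
- name: Check if String 'local_ntp_service..' is present
  command: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv4.conf
  register: local_ntp_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "local_ntp_service_ipv4_present.rc > 1"
  changed_when: "local_ntp_service_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_ntp_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*vpn_ports'
    block: |
      # local NTP Server
      local_ntp_service=false
      # NPT Port used by local service
      ntp_port="$standard_ntp_port"
      # Network allowed for NTP requests
      #
      # Note: if not set no port will be open!
      #
      ntp_allowed_net=""
    marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)"
  when:
    - main_ipv4_exists.stat.exists
    - local_ntp_service_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'local_ntp_service..' is present
  command: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv6.conf
  register: local_ntp_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "local_ntp_service_ipv6_present.rc > 1"
  changed_when: "local_ntp_service_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_ntp_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*vpn_ports'
    block: |
      # local NTP Server
      local_ntp_service=false
      # NPT Port used by local service
      ntp_port="$standard_ntp_port"
      # Network allowed for NTP requests
      #
      # Note: if not set no port will be open!
      #
      ntp_allowed_net=""
    marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)"
  when:
    - main_ipv6_exists.stat.exists
    - local_ntp_service_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# support local DNS Resolver
# ---
- name: Check if String 'local_resolver_service..' is present
  command: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv4.conf
  register: local_resolver_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "local_resolver_service_ipv4_present.rc > 1"
  changed_when: "local_resolver_service_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_resolver_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_dns_server_ips'
    block: |
      # - local DNS Resolver
      # -
      local_resolver_service=false
      # - Resolover Port used by local service
      # -
      resolver_port="$standard_dns_port"
      # - Network allowed for DNS requests
      # -
      # - Note: if not set no port will be open!
      # -
      # - Example:
      # - resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
      # -
      resolver_allowed_networks=""
    marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)"
  when:
    - main_ipv4_exists.stat.exists
    - local_resolver_service_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'local_resolver_service..' is present
  command: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv6.conf
  register: local_resolver_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "local_resolver_service_ipv6_present.rc > 1"
  changed_when: "local_resolver_service_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_resolver_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_dns_server_ips'
    block: |
      # - local DNS Resolver
      # -
      local_resolver_service=false
      # - Resolover Port used by local service
      # -
      resolver_port="$standard_dns_port"
      # - Network allowed for DNS requests
      # -
      # - Note: if not set no port will be open!
      # -
      # - Example:
      # - resolver_allowed_net="2001:678:a40:3000::/64 2001:678:a40:4000::/64"
      # -
      resolver_allowed_networks=""
    marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)"
  when:
    - main_ipv6_exists.stat.exists
    - local_resolver_service_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# ssh_ports
# ---
- name: Check if String 'ssh_ports=..' is present
  command: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: ssh_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "ssh_ports_ipv4_present.rc > 1"
  changed_when: "ssh_ports_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_ssh_server_ips'
    block: |
      # - SSH Port(s) used by local Services
      # -
      # - blank separated list
      # -
      ssh_ports="{{ fw_sshd_ports }}"
    marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - ssh_ports_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'ssh_ports=..' is present
  command: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: ssh_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "ssh_ports_ipv6_present.rc > 1"
  changed_when: "ssh_ports_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_ssh_server_ips'
    block: |
      # - SSH Port(s) used by local Services
      # -
      # - blank separated list
      # -
      ssh_ports="{{ fw_sshd_ports }}"
    marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - ssh_ports_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# http_ports
# ---
- name: Check if String 'http_ports=..' is present
  command: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: http_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "http_ports_ipv4_present.rc > 1"
  changed_when: "http_ports_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_http_server_ips'
    block: |
      # - HTTP(S) Ports used by local Services
      # -
      # - comma separated list
      # -
      http_ports="$standard_http_ports"
    marker: "# Marker set by modify-ipt-server.yml (http_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - http_ports_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'http_ports=..' is present
  command: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: http_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "http_ports_ipv6_present.rc > 1"
  changed_when: "http_ports_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_http_server_ips'
    block: |
      # - HTTP(S) Ports used by local Services
      # -
      # - comma separated list
      # -
      http_ports="$standard_http_ports"
    marker: "# Marker set by modify-ipt-server.yml (http_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - http_ports_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# mail_user_ports
# ---
- name: Check if String 'mail_user_ports=..' is present
  command: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: mail_user_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "mail_user_ports_ipv4_present.rc > 1"
  changed_when: "mail_user_ports_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_mail_server_ips'
    block: |
      # - Client Ports used by local Mail Services
      # -
      # - comma separated list
      # -
      mail_user_ports="$standard_mailuser_ports"
    marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - mail_user_ports_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'mail_user_ports=..' is present
  command: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: mail_user_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "mail_user_ports_ipv6_present.rc > 1"
  changed_when: "mail_user_ports_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_mail_server_ips'
    block: |
      # - Client Ports used by local Mail Services
      # -
      # - comma separated list
      # -
      mail_user_ports="$standard_mailuser_ports"
    marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - mail_user_ports_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# dovecot_auth_service
# ---
- name: Check if String 'dovecot_auth_service=..' is present
  command: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv4.conf
  register: dovecot_auth_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "dovecot_auth_service_ipv4_present.rc > 1"
  changed_when: "dovecot_auth_service_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (dovecot_auth_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_mail_client_ips'
    block: |
      # - Dovecot auth service
      # -
      dovecot_auth_service=false
      # - Port listen for dovecot auth requests
      # -
      dovecot_auth_port=44444
      # - Client Network(s) allowed to connect to dovecot's auth service
      # -
      # - Example:
      # - dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
      # -
      dovecot_auth_allowed_networks=""
    marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)"
  when:
    - main_ipv4_exists.stat.exists
    - dovecot_auth_service_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'dovecot_auth_service=..' is present
  command: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv6.conf
  register: dovecot_auth_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "dovecot_auth_service_ipv6_present.rc > 1"
  changed_when: "dovecot_auth_service_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (dovecot_auth_service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_mail_client_ips'
    block: |
      # - (local) Dovecot auth service
      # -
      dovecot_auth_service=false
      # - Port listen for dovecot auth requests
      # -
      dovecot_auth_port=44444
      # - Client Network(s) allowed to connect to dovecot's auth service
      # -
      # - Example:
      # - dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
      # -
      dovecot_auth_allowed_networks=""
    marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)"
  when:
    - main_ipv6_exists.stat.exists
    - dovecot_auth_service_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# ftp_passive_port_range
# ---
- name: Check if String 'ftp_passive_port_range=..' is present
  command: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
  register: ftp_passive_port_range_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
  changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_ftp_server_ips'
    block: |
      # - FTP passive port range use by local ftp service(s)
      # -
      # - example: ftp_passive_port_range="50000:50400"
      # -
      ftp_passive_port_range="50000:50400"
    marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
  when:
    - main_ipv4_exists.stat.exists
    - ftp_passive_port_range_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'ftp_passive_port_range=..' is present
  command: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
  register: ftp_passive_port_range_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
  changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_ftp_server_ips'
    block: |
      # - FTP passive port range use by local ftp service(s)
      # -
      # - example: ftp_passive_port_range="50000:50400"
      # -
      ftp_passive_port_range="50000:50400"
    marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
  when:
    - main_ipv6_exists.stat.exists
    - ftp_passive_port_range_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# XMPP Service
# ---
- name: Check if String 'xmpp_server_ips=..' is present
  command: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv4.conf
  register: xmpp_server_ips_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "xmpp_server_ips_ipv4_present.rc > 1"
  changed_when: "xmpp_server_ips_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xmpp_server_ips)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*ftp_passive_port_range'
    block: |
      # - XMPP Service (Jabber - Prosody)
      # -
      xmpp_server_ips=""
      forward_xmpp_server_ips=""
      # - Ports used by XMpp (Prosody) service
      # -
      # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt
      # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet)
      # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern
      # -
      # - WebSocket (support is provided by mod_websocket)
      # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen)
      # -
      xmmp_tcp_in_ports="5222 5223 5269"
      xmmp_tcp_out_ports="5269"
      # - XMPP Remote Dovecote Out Service
      # -
      # - Example:
      # - xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
      # -
      xmmp_remote_out_services=""
    marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)"
  when:
    - main_ipv4_exists.stat.exists
    - xmpp_server_ips_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'xmpp_server_ips=..' is present
  command: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv6.conf
  register: xmpp_server_ips_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "xmpp_server_ips_ipv6_present.rc > 1"
  changed_when: "xmpp_server_ips_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xmpp_server_ips)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*ftp_passive_port_range'
    block: |
      # - XMPP Service (Jabber - Prosody)
      # -
      xmpp_server_ips=""
      forward_xmpp_server_ips=""
      # - Ports used by XMpp (Prosody) service
      # -
      # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt
      # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet)
      # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern
      # -
      # - WebSocket (support is provided by mod_websocket)
      # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen)
      # -
      xmmp_tcp_in_ports="5222 5223 5269"
      xmmp_tcp_out_ports="5269"
      # - XMPP Remote Dovecote Out Service
      # -
      # - Example:
      # - xmmp_remote_out_services="
      # - 2a01:4f8:221:3b4e::247,44444
      # - 2a01:30:0:13:2f7:50ff:fed2:cef7,44444
      # - "
      # -
      xmmp_remote_out_services=""
    marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)"
  when:
    - main_ipv6_exists.stat.exists
    - xmpp_server_ips_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# munin_remote_port
# ---
- name: Check if String 'munin_remote_port=..' is present
  command: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
  register: munin_remote_port_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "munin_remote_port_ipv4_present.rc > 1"
  changed_when: "munin_remote_port_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_munin_server_ips'
    block: |
      # - Port used by clients hosted on this (local) Munin Services
      # -
      # - !! Only one port is possible !!
      # -
      munin_remote_port="$standard_munin_port"
    marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
  when:
    - main_ipv4_exists.stat.exists
    - munin_remote_port_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'munin_remote_port=..' is present
  command: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
  register: munin_remote_port_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "munin_remote_port_ipv6_present.rc > 1"
  changed_when: "munin_remote_port_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_munin_server_ips'
    block: |
      # - Ports used by clients hosted on this (local) Munin Services
      # -
      # - !! Only one port is possible !!
      # -
      munin_remote_port="$standard_munin_port"
    marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
  when:
    - main_ipv6_exists.stat.exists
    - munin_remote_port_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# xymon_port
# ---
- name: Check if String 'xymon_port=..' is present
  command: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
  register: xymon_port_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "xymon_port_ipv4_present.rc > 1"
  changed_when: "xymon_port_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*local_xymon_client'
    block: |
      # - Port used by local Xymon Services
      # -
      # - !! Only one port is possible !!
      # -
      xymon_port="$standard_xymon_port"
    marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
  when:
    - main_ipv4_exists.stat.exists
    - xymon_port_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'xymon_port=..' is present
  command: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
  register: xymon_port_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "xymon_port_ipv6_present.rc > 1"
  changed_when: "xymon_port_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*local_xymon_client'
    block: |
      # - Port used by local Xymon Services
      # -
      # - !! Only one port is possible !!
      # -
      xymon_port="$standard_xymon_port"
    marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
  when:
    - main_ipv6_exists.stat.exists
    - xymon_port_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# mumble_ports
# ---
- name: Check if String 'mumble_ports=..' is present
  command: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: mumble_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "mumble_ports_ipv4_present.rc > 1"
  changed_when: "mumble_ports_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_mumble_server_ips'
    block: |
      # - Ports used by local Mumble Services
      # -
      # - comma separated list
      # -
      mumble_ports="$standard_mumble_port"
    marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - mumble_ports_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall

- name: Check if String 'mumble_ports=..' is present
  command: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: mumble_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "mumble_ports_ipv6_present.rc > 1"
  changed_when: "mumble_ports_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_mumble_server_ips'
    block: |
      # - Ports used by local Mumble Services
      # -
      # - comma separated list
      # -
      mumble_ports="$standard_mumble_port"
    marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - mumble_ports_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall

# ---
# Remove Marker set by blockinfile
# ---
# The markers are only needed during the insert above; stripping them keeps
# the config files free of Ansible artefacts (the blank lines remain).
- name: Remove marker IPv4
  replace:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: "^# Marker set by modify-ipt-server.yml.*$"
    replace: ""
  register: marker_ipv4_removed
  #failed_when: "marker_ipv4_removed.rc > 1"
  #changed_when: "marker_ipv4_removed.rc < 1"
  when:
    - main_ipv4_exists.stat.exists

- name: Remove marker IPv6
  replace:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: "^# Marker set by modify-ipt-server.yml.*$"
    replace: ""
  register: marker_ipv6_removed
  #failed_when: "marker_ipv6_removed.rc > 1"
  #changed_when: "marker_ipv6_removed.rc < 1"
  when:
    - main_ipv6_exists.stat.exists

# ===
# Update/Modify firewall
# ===

# ---
# Host specific configuration files
# ---
# The *.sample files are copied from the repository checkout only when the
# target does not exist yet (see the stat tasks above). copy with remote_src
# replaces the former `command: cp ...` so the repository path is not parsed
# by a shell and the result is reported as changed only when the file is
# actually created.

# /etc/ipt-firewall/interfaces_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample"
    dest: /etc/ipt-firewall/interfaces_ipv4.conf
    remote_src: true
  when: not interfaces_ipv4_exists.stat.exists
  register: new_interfaces_ipv4

# NOTE(review): `until` does not stop `loop`; every device with an address
# rewrites the same ext_if_1/ext_1_ip line, so the last matching device wins,
# and an iteration that changes nothing is retried (default retries/delay)
# before failing. Left as is; confirm that the intended device is last.
- name: Configure interfaces_ipv4.conf 1/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
    regexp: '^ext_if_1='
    line: 'ext_if_1="{{ item.device }}"'
  register: interfaces_ipv4_device
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv4_device is changed
  when:
    - not interfaces_ipv4_exists.stat.exists
    - new_interfaces_ipv4 is changed
    - item.ipv4.address is defined and item.ipv4.address|length > 0

- name: Configure interfaces_ipv4.conf 2/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
    regexp: '^ext_1_ip='
    line: 'ext_1_ip="{{ item.ipv4.address }}"'
  register: interfaces_ipv4_ip
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv4_ip is changed
  when:
    - not interfaces_ipv4_exists.stat.exists
    - new_interfaces_ipv4 is changed
    - item.ipv4.address is defined and item.ipv4.address|length > 0

- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample"
    dest: /etc/ipt-firewall/interfaces_ipv6.conf
    remote_src: true
  when: not interfaces_ipv6_exists.stat.exists
  register: new_interfaces_ipv6

- name: Configure interfaces_ipv6.conf 1/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
    regexp: '^ext_if_1='
    line: 'ext_if_1="{{ item.device }}"'
  register: interfaces_ipv6_device
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv6_device is changed
  when:
    - not interfaces_ipv6_exists.stat.exists
    - new_interfaces_ipv6 is changed
    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

# The second IPv6 address is appended unless it starts with 'f'; a device
# with a single IPv6 address is handled too (the former condition requiring
# ipv6.1 left ext_1_ip unset on such hosts).
- name: Configure interfaces_ipv6.conf 2/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
    regexp: '^ext_1_ip='
    #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"'
    line: "ext_1_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address | default('f') is match 'f.*') | ternary('', ' ' + item.ipv6.1.address | default('')) }}\""
  register: interfaces_ipv6_ip
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv6_ip is changed
  when:
    - not interfaces_ipv6_exists.stat.exists
    - new_interfaces_ipv6 is changed
    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

# /etc/ipt-firewall/ban_ipv[4|6].list
#
- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample"
    dest: /etc/ipt-firewall/ban_ipv4.list
    remote_src: true
  when: not ban_ipv4_exists.stat.exists

- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample"
    dest: /etc/ipt-firewall/ban_ipv6.list
    remote_src: true
  when: not ban_ipv6_exists.stat.exists

# /etc/ipt-firewall/main_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample"
    dest: /etc/ipt-firewall/main_ipv4.conf
    remote_src: true
  when: not main_ipv4_exists.stat.exists
  register: cp_main_ipv4

- name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample"
    dest: /etc/ipt-firewall/main_ipv6.conf
    remote_src: true
  when: not main_ipv6_exists.stat.exists
  register: cp_main_ipv6

# ---
# Configure main_ipv4.conf
# ---
# - Firewall Bridged Traffic ?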
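# ---
# Inventory group membership
# ---
#
# Resolved once, here, instead of per task. The original tests were
# `groups['x']|string is search(inventory_hostname)`, i.e. a substring search
# on the stringified host list: host "web1" matched a group containing only
# "web10", and any host whose name is a prefix of another host's name silently
# received that host's firewall exceptions. Exact membership tests close that
# hole; `default([])` tolerates a group that does not exist in the inventory
# (the original `inventory_hostname in groups['lxc_host']` aborted the play).
- name: Resolve inventory group memberships used by the firewall configuration
  set_fact:
    fw_is_lxc_host: "{{ inventory_hostname in (groups['lxc_host'] | default([])) }}"
    fw_is_dns_server: "{{ inventory_hostname in (groups['dns_server'] | default([])) }}"
    fw_is_local_resolver: "{{ inventory_hostname in (groups['local_resolver'] | default([])) }}"
    fw_is_ntp_server: "{{ inventory_hostname in (groups['ntp_server'] | default([])) }}"
    fw_is_web_server: "{{ inventory_hostname in (groups['apache2_webserver'] | default([])) or inventory_hostname in (groups['nginx_webserver'] | default([])) }}"
    fw_is_mail_server: "{{ inventory_hostname in (groups['mail_server'] | default([])) }}"
    fw_is_ftp_server: "{{ inventory_hostname in (groups['ftp_server'] | default([])) }}"
    fw_is_xmpp_server: "{{ inventory_hostname in (groups['xmpp_server'] | default([])) }}"
    fw_is_mumble_server: "{{ inventory_hostname in (groups['mumble_server'] | default([])) }}"

# ---
# Configure main_ipv4.conf
# ---
#
# Unless noted otherwise, a setting is written ONLY when main_ipv4.conf was just
# installed from the sample (`not main_ipv4_exists.stat.exists` and
# `cp_main_ipv4 is changed`); a pre-existing file is left alone on later runs.
# Values such as "$ext_ips" / "$ext_1_ip" are shell variables of the firewall
# script and are written literally. Every regexp now ends in `=` so that it
# matches exactly one setting and not any longer key sharing the prefix.
#
# Fixed in this section (same fixes in the IPv6 section below):
#   * `| default(omit)` inside a larger string never omits anything - Ansible
#     only honours it as the whole parameter value - and would have written the
#     literal omit placeholder into the config. Those tasks are now skipped when
#     the variable is undefined.
#   * ntp_allowed_net used the regexp of local_ntp_service (overwriting the
#     line written just before) and had an unterminated `{{ ... }`.

# - Firewall Bridged Traffic ?
#   Enforced on every run (no fresh-install gate), as before; the value follows
#   lxc_host membership.
- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*do_not_firewall_bridged_traffic='
    line: "do_not_firewall_bridged_traffic={{ fw_is_lxc_host | bool | ternary('true', 'false') }}"
    state: present
  notify:
    - Restart IPv4 Firewall

# - DNS Service
#   NOTE(review): unlike its IPv6 counterpart this task does not notify the
#   firewall restart; kept as found.
- name: Configure main_ipv4.conf (dns_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*dns_server_ips='
    line: dns_server_ips="$ext_ips"
    state: present
  when:
    - fw_is_dns_server | bool
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed

# - (local) Resolver
#   NOTE(review): unlike every other service setting (and unlike the IPv6
#   variant) these two tasks carry no fresh-install gate and therefore re-apply
#   on every run; kept as found - confirm whether that is intended.
- name: Configure main_ipv4.conf (local_resolver_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*local_resolver_service='
    line: local_resolver_service=true
    state: present
  when: fw_is_local_resolver | bool
  notify:
    - Restart IPv4 Firewall

- name: Configure main_ipv4.conf (resolver_allowed_networks)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*resolver_allowed_networks='
    line: "resolver_allowed_networks=\"{{ resolver_allowed_ipv4_networks | join(' ') }}\""
    state: present
  when:
    - fw_is_local_resolver | bool
    - resolver_allowed_ipv4_networks is defined
  notify:
    - Restart IPv4 Firewall

# - NTP Service
- name: Configure main_ipv4.conf (local_ntp_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*local_ntp_service='
    line: local_ntp_service=true
    state: present
  when:
    - fw_is_ntp_server | bool
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

- name: Configure main_ipv4.conf (ntp_allowed_net)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*ntp_allowed_net='
    line: 'ntp_allowed_net="{{ ntp_allowed_ipv4_net }}"'
    state: present
  when:
    - fw_is_ntp_server | bool
    - ntp_allowed_ipv4_net is defined
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

# - SSH Service (every host)
- name: Configure main_ipv4.conf (ssh_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*ssh_server_ips='
    line: ssh_server_ips="$ext_ips"
    state: present
  when:
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed

# - HTTP server, mail client protocols, mail server, FTP server, Mumble
#   All of these bind the service to $ext_1_ip and differ only in the group
#   that enables them, so they share one task. mail_client_ips follows the
#   web-server groups exactly as in the original - presumably for a webmail
#   front end; confirm. None of them notifies a restart (as before).
- name: Configure main_ipv4.conf (service IPs bound to ext_1_ip)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*{{ item.key }}='
    line: '{{ item.key }}="$ext_1_ip"'
    state: present
  loop:
    - { key: http_server_ips, enabled: "{{ fw_is_web_server }}" }
    - { key: mail_client_ips, enabled: "{{ fw_is_web_server }}" }
    - { key: smtpd_ips, enabled: "{{ fw_is_mail_server }}" }
    - { key: mail_server_ips, enabled: "{{ fw_is_mail_server }}" }
    - { key: ftp_server_ips, enabled: "{{ fw_is_ftp_server }}" }
    - { key: mumble_server_ips, enabled: "{{ fw_is_mumble_server }}" }
  loop_control:
    label: "{{ item.key }}"
  when:
    - item.enabled | bool
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed

# - Dovecot auth service
#   `has_dovecot_auth_service_ipv4 == true` aborted the play when the variable
#   was undefined; an undefined flag now simply means "no".
- name: Configure main_ipv4.conf (dovecot_auth_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*dovecot_auth_service='
    line: dovecot_auth_service=true
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv4 | default(false) | bool
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

- name: Configure main_ipv4.conf (dovecot_auth_port)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*dovecot_auth_port='
    line: 'dovecot_auth_port={{ dovecot_auth_service_port }}'
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv4 | default(false) | bool
    - dovecot_auth_service_port is defined
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

- name: Configure main_ipv4.conf (dovecot_auth_allowed_networks)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*dovecot_auth_allowed_networks='
    line: "dovecot_auth_allowed_networks=\"{{ dovecot_auth_allowed_network_ipv4 | join(' ') }}\""
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv4 | default(false) | bool
    - dovecot_auth_allowed_network_ipv4 is defined
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

# - XMPP Service
- name: Configure main_ipv4.conf (xmpp_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*xmpp_server_ips='
    line: xmpp_server_ips="$ext_1_ip"
    state: present
  when:
    - fw_is_xmpp_server | bool
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

# The key is spelled "xmmp_..." in the firewall config; keep it that way.
- name: Configure main_ipv4.conf (xmmp_remote_out_services)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^\s*xmmp_remote_out_services='
    line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv4 }}"'
    state: present
  when:
    - fw_is_xmpp_server | bool
    - xmpp_has_dovecot_auth | default(false) | bool
    - xmpp_dovecot_auth_service_ipv4 is defined
    - not main_ipv4_exists.stat.exists
    - cp_main_ipv4 is changed
  notify:
    - Restart IPv4 Firewall

# ---
# Configure main_ipv6.conf
# ---
#
# Mirror of the IPv4 section; all service settings here (including the
# resolver ones) are gated on a freshly installed main_ipv6.conf.

# - Firewall Bridged Traffic ?
- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*do_not_firewall_bridged_traffic='
    line: "do_not_firewall_bridged_traffic={{ fw_is_lxc_host | bool | ternary('true', 'false') }}"
    state: present
  notify:
    - Restart IPv6 Firewall

# - DNS Service
- name: Configure main_ipv6.conf (dns_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*dns_server_ips='
    line: dns_server_ips="$ext_ips"
    state: present
  when:
    - fw_is_dns_server | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

# - (local) Resolver
- name: Configure main_ipv6.conf (local_resolver_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*local_resolver_service='
    line: local_resolver_service=true
    state: present
  when:
    - fw_is_local_resolver | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

- name: Configure main_ipv6.conf (resolver_allowed_networks)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*resolver_allowed_networks='
    line: "resolver_allowed_networks=\"{{ resolver_allowed_ipv6_networks | join(' ') }}\""
    state: present
  when:
    - fw_is_local_resolver | bool
    - resolver_allowed_ipv6_networks is defined
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

# - NTP Service
- name: Configure main_ipv6.conf (local_ntp_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*local_ntp_service='
    line: local_ntp_service=true
    state: present
  when:
    - fw_is_ntp_server | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

- name: Configure main_ipv6.conf (ntp_allowed_net)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*ntp_allowed_net='
    line: 'ntp_allowed_net="{{ ntp_allowed_ipv6_net }}"'
    state: present
  when:
    - fw_is_ntp_server | bool
    - ntp_allowed_ipv6_net is defined
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

# - SSH Service (every host)
- name: Configure main_ipv6.conf (ssh_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*ssh_server_ips='
    line: ssh_server_ips="$ext_ips"
    state: present
  when:
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed

# - HTTP server, mail client protocols, mail server, FTP server, Mumble
- name: Configure main_ipv6.conf (service IPs bound to ext_1_ip)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*{{ item.key }}='
    line: '{{ item.key }}="$ext_1_ip"'
    state: present
  loop:
    - { key: http_server_ips, enabled: "{{ fw_is_web_server }}" }
    - { key: mail_client_ips, enabled: "{{ fw_is_web_server }}" }
    - { key: smtpd_ips, enabled: "{{ fw_is_mail_server }}" }
    - { key: mail_server_ips, enabled: "{{ fw_is_mail_server }}" }
    - { key: ftp_server_ips, enabled: "{{ fw_is_ftp_server }}" }
    - { key: mumble_server_ips, enabled: "{{ fw_is_mumble_server }}" }
  loop_control:
    label: "{{ item.key }}"
  when:
    - item.enabled | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed

# - Dovecot auth service
- name: Configure main_ipv6.conf (dovecot_auth_service)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*dovecot_auth_service='
    line: dovecot_auth_service=true
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv6 | default(false) | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

- name: Configure main_ipv6.conf (dovecot_auth_port)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*dovecot_auth_port='
    line: 'dovecot_auth_port={{ dovecot_auth_service_port }}'
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv6 | default(false) | bool
    - dovecot_auth_service_port is defined
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

- name: Configure main_ipv6.conf (dovecot_auth_allowed_networks)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*dovecot_auth_allowed_networks='
    line: "dovecot_auth_allowed_networks=\"{{ dovecot_auth_allowed_network_ipv6 | join(' ') }}\""
    state: present
  when:
    - fw_is_mail_server | bool
    - has_dovecot_auth_service_ipv6 | default(false) | bool
    - dovecot_auth_allowed_network_ipv6 is defined
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

# - XMPP Service
#   The IPv6 variant additionally required `xmpp_has_dovecot_auth`, which
#   neither the IPv4 variant nor the setting itself depends on; that looked
#   like a copy-paste from the next task and was removed.
- name: Configure main_ipv6.conf (xmpp_server_ips)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*xmpp_server_ips='
    line: xmpp_server_ips="$ext_1_ip"
    state: present
  when:
    - fw_is_xmpp_server | bool
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

- name: Configure main_ipv6.conf (xmmp_remote_out_services)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^\s*xmmp_remote_out_services='
    line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv6 }}"'
    state: present
  when:
    - fw_is_xmpp_server | bool
    - xmpp_has_dovecot_auth | default(false) | bool
    - xmpp_dovecot_auth_service_ipv6 is defined
    - not main_ipv6_exists.stat.exists
    - cp_main_ipv6 is changed
  notify:
    - Restart IPv6 Firewall

# ---
# Host independent configuration files
# ---
#
# `copy` with `remote_src` replaces the former "diff, then cp everything if
# anything differed" pair: it compares per file, copies only what changed,
# reports "changed" per file and pins owner/mode. The repository gate is kept
# for parity with the top of this file, but it now compares the dict's length
# (the original `git_firewall_repository > 0` compared a dict with an int and
# errors under Python 3).
- name: Ensure common configuration files are latest
  copy:
    src: "{{ git_firewall_repository.dest }}/conf/{{ item }}"
    dest: "/etc/ipt-firewall/{{ item }}"
    remote_src: true
    owner: root
    group: root
    mode: '0640'
  loop:
    - include_functions.conf
    - load_modules_ipv4.conf
    - load_modules_ipv6.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - default_ports.conf
    - post_decalrations.conf  # sic - this is the file name used by the repository
  when: git_firewall_repository is defined and git_firewall_repository | length > 0
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall

# ---
# Firewall scripts
# ---
#
# The scripts need root to do anything useful (iptables), so no world access.
- name: Ensure firewall scripts are latest
  copy:
    src: "{{ git_firewall_repository.dest }}/{{ item }}"
    dest: "/usr/local/sbin/{{ item }}"
    remote_src: true
    owner: root
    group: root
    mode: '0750'
  loop:
    - ipt-firewall-server
    - ip6t-firewall-server
  when: git_firewall_repository is defined and git_firewall_repository | length > 0
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall

# ---
# Install systemd service files ip[6]t-firewall.service
# ---
- name: Configure firewall systemd service files
  template:
    src: "etc/systemd/system/{{ item }}-firewall.service.j2"
    dest: "/etc/systemd/system/{{ item }}-firewall.service"
    owner: root
    group: root
    mode: '0644'
  loop:
    - ipt
    - ip6t
  register: systemd_service_files_installed

# Both tasks used to register the same variable (`firewall_service_started`),
# so the `end_host` check below only ever saw the IPv6 result; each result now
# has its own name and either one ends the play for this host.
# `state: stopped` is kept from the original: a changed unit file stops a
# running service and then ends the play. NOTE(review): that leaves the host
# with the service stopped until something starts it again - whether kernel
# rules survive the stop depends on the unit/script, which this file does not
# show; confirm this is intended.
- name: Enable firewall service IPv4
  systemd:
    name: ipt-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall_ipv4_service

- name: Enable firewall service IPv6
  systemd:
    name: ip6t-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall_ipv6_service

- meta: end_host
  when: firewall_ipv4_service is changed or firewall_ipv6_service is changed

# ---
# Delete unused files
# ---
# Tied to a change of the unit files, as in the original.
- name: Delete file /etc/ipt-firewall/ports.conf
  file:
    path: /etc/ipt-firewall/ports.conf
    state: absent
  when: systemd_service_files_installed is changed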