- Created handlers for reloading systemd and restarting firewall services. - Implemented tasks to ensure the existence of configuration directories and files. - Deployed host-specific and shared configuration files using templates. - Added scripts for managing IPv4 and IPv6 firewalls. - Configured systemd service units for ipt-firewall and ip6t-firewall. - Enabled and started firewall services on system boot.
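---
# Tasks: install and manage the ipt-firewall / ip6t-firewall stack.
#
# Layout written by this file:
#   /etc/ipt-firewall/              host-specific + shared rule configs, ban lists
#   /usr/local/sbin/ipt-firewall-server, ip6t-firewall-server   firewall scripts
#   /etc/systemd/system/ipt-firewall.service, ip6t-firewall.service
#
# Handlers referenced here ("Reload systemd daemon", "Restart IPv4 Firewall",
# "Restart IPv6 Firewall") are defined in the role's handlers file.

# ===
# Ensure /etc/ipt-firewall directory exists
# ===
#
# 0750 root:root — the rule configs and ban lists kept here describe the host's
# exposure and must not be readable by unprivileged local users.

- name: Create /etc/ipt-firewall if not present
  file:
    path: /etc/ipt-firewall
    state: directory
    owner: root
    group: root
    mode: "0750"


# ===
# Check presence of host-specific config files
# ===
#
# The registered results feed the "only write when missing" guard below.

- name: Check if interfaces_ipv4.conf exists
  stat:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
  register: interfaces_ipv4_exists

- name: Check if interfaces_ipv6.conf exists
  stat:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
  register: interfaces_ipv6_exists

- name: Check if main_ipv4.conf exists
  stat:
    path: /etc/ipt-firewall/main_ipv4.conf
  register: main_ipv4_exists

- name: Check if main_ipv6.conf exists
  stat:
    path: /etc/ipt-firewall/main_ipv6.conf
  register: main_ipv6_exists


# ===
# Deploy host-specific config files from templates.
#
# Safety guard: by default (fw_manage_config: false) a file is only written
# when it does not yet exist on the host — so existing hosts are never touched
# accidentally.
#
# Once a host has been migrated (host_vars populated and diff verified), set
#   fw_manage_config: true
# in its host_vars. From that point on Ansible is the authoritative source and
# will update the config on every run, triggering a firewall restart on changes.
#
# The flag is passed through `| bool` on purpose: a value supplied as a string
# (e.g. `-e fw_manage_config=false` on the command line, or an inventory file)
# is the non-empty string "false", which Jinja treats as truthy and would make
# the guard overwrite a hand-maintained config. `default(false)` preserves the
# documented default even if the role default is ever removed.
#
# NOTE(review): no `validate:` is set because the config format has no
# standalone checker visible in this role; a syntax error therefore surfaces
# only when the restart handler fails at the end of the play.
# ===

- name: Deploy interfaces_ipv4.conf from template
  template:
    src: etc/ipt-firewall/interfaces_ipv4.conf.j2
    dest: /etc/ipt-firewall/interfaces_ipv4.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not interfaces_ipv4_exists.stat.exists
  notify:
    - Restart IPv4 Firewall

- name: Deploy interfaces_ipv6.conf from template
  template:
    src: etc/ipt-firewall/interfaces_ipv6.conf.j2
    dest: /etc/ipt-firewall/interfaces_ipv6.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not interfaces_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall

- name: Deploy main_ipv4.conf from template
  template:
    src: etc/ipt-firewall/main_ipv4.conf.j2
    dest: /etc/ipt-firewall/main_ipv4.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not main_ipv4_exists.stat.exists
  notify:
    - Restart IPv4 Firewall

- name: Deploy main_ipv6.conf from template
  template:
    src: etc/ipt-firewall/main_ipv6.conf.j2
    dest: /etc/ipt-firewall/main_ipv6.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not main_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall


# ===
# Firewall scripts
# ===
#
# 0750 root:root: the scripts are run by the systemd units as root and nothing
# else needs to read or execute them. A changed script notifies the matching
# restart handler — `state: started` further down does not restart an already
# running service, so without the notify a new script version would only take
# effect at the next reboot. (ipt- → IPv4 unit, ip6t- → IPv6 unit, matching
# the service names used below.)

- name: Deploy ipt-firewall-server
  copy:
    src: usr/local/sbin/ipt-firewall-server
    dest: /usr/local/sbin/ipt-firewall-server
    owner: root
    group: root
    mode: "0750"
  notify:
    - Restart IPv4 Firewall

- name: Deploy ip6t-firewall-server
  copy:
    src: usr/local/sbin/ip6t-firewall-server
    dest: /usr/local/sbin/ip6t-firewall-server
    owner: root
    group: root
    mode: "0750"
  notify:
    - Restart IPv6 Firewall


# ===
# Shared conf files (not host-specific — always kept in sync with the role)
# ===
#
# These are overwritten on every run, so a change must also reach the running
# ruleset: both firewalls are notified because this file does not establish
# which script reads which of these files. If a file turns out to be read by
# only one of them, narrow the notify for that item.

- name: Deploy shared conf files
  copy:
    src: "etc/ipt-firewall/{{ item }}"
    dest: "/etc/ipt-firewall/{{ item }}"
    owner: root
    group: root
    mode: "0640"
  loop:
    - default_settings.conf
    - include_functions.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - post_declarations.conf
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall


# ===
# Ban lists — copy from sample once; the file can be customised per host.
# ===
#
# Deliberately no notify: the list is seeded only on first install, and the
# initial service start below loads it. Later per-host edits are out of
# Ansible's hands.

- name: Check if ban_ipv4.list exists
  stat:
    path: /etc/ipt-firewall/ban_ipv4.list
  register: ban_ipv4_exists

- name: Copy ban_ipv4.list from sample (first install only)
  copy:
    src: etc/ipt-firewall/ban_ipv4.list.sample
    dest: /etc/ipt-firewall/ban_ipv4.list
    owner: root
    group: root
    mode: "0640"
  when: not ban_ipv4_exists.stat.exists

- name: Check if ban_ipv6.list exists
  stat:
    path: /etc/ipt-firewall/ban_ipv6.list
  register: ban_ipv6_exists

- name: Copy ban_ipv6.list from sample (first install only)
  copy:
    src: etc/ipt-firewall/ban_ipv6.list.sample
    dest: /etc/ipt-firewall/ban_ipv6.list
    owner: root
    group: root
    mode: "0640"
  when: not ban_ipv6_exists.stat.exists


# ===
# Systemd service units
# ===
#
# Unit files carry no secrets, so the conventional 0644 is fine. A changed unit
# needs a daemon-reload before the restart picks up the new definition; both
# handlers are notified here and run in handler order at the end of the play.

- name: Deploy ipt-firewall.service
  copy:
    src: etc/systemd/system/ipt-firewall.service
    dest: /etc/systemd/system/ipt-firewall.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Restart IPv4 Firewall

- name: Deploy ip6t-firewall.service
  copy:
    src: etc/systemd/system/ip6t-firewall.service
    dest: /etc/systemd/system/ip6t-firewall.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Restart IPv6 Firewall


# ===
# Enable and start services
# ===
#
# `daemon_reload: true` is kept here even though a reload handler exists:
# handlers only run at the end of the play, so on a first install the unit
# copied above would otherwise be unknown to systemd when this task starts it.
# `state: started` is a no-op on a running service; applying config changes is
# the restart handlers' job.

- name: Enable and start ipt-firewall
  systemd:
    name: ipt-firewall
    enabled: true
    state: started
    daemon_reload: true

- name: Enable and start ip6t-firewall
  systemd:
    name: ip6t-firewall
    enabled: true
    state: started
    daemon_reload: true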