From 7a4818592fa5bccd71044a22deed622bf2b33916 Mon Sep 17 00:00:00 2001 From: cspark Date: Mon, 18 Mar 2024 10:50:19 +0000 Subject: [PATCH] Prox server playbooks reconfiguration --- .gitignore | 2 - ...etup.yml => prox-server-firewall-setup.yml | 64 ++----------------- ...rate.yml => prox-server-hosts-generate.yml | 8 --- ...-server-setup.yml => prox-server-setup.yml | 12 ++-- 4 files changed, 9 insertions(+), 77 deletions(-) rename ansible_resources/prox-server-firewall-setup.yml => prox-server-firewall-setup.yml (56%) rename prox-server-ansible-playbooks-generate.yml => prox-server-hosts-generate.yml (51%) rename ansible_resources/prox-server-setup.yml => prox-server-setup.yml (95%) diff --git a/.gitignore b/.gitignore index 124a171..87790c3 100755 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,6 @@ **/*.enc newkey_out hosts -prox-server-firewall-setup.yml -prox-server-setup.yml prox-deploy-service.yml !**/ansible_resources/* diff --git a/ansible_resources/prox-server-firewall-setup.yml b/prox-server-firewall-setup.yml similarity index 56% rename from ansible_resources/prox-server-firewall-setup.yml rename to prox-server-firewall-setup.yml index 7d95319..13410f1 100755 --- a/ansible_resources/prox-server-firewall-setup.yml +++ b/prox-server-firewall-setup.yml @@ -1,8 +1,6 @@ -# {{ ansible_managed }} - - hosts: - - {{ proxy_server_hostname }} - - {{ proxy_server_hostname }}-defaultport + - "{{ proxy_server_hostname }}" + - "{{ proxy_server_hostname }}-defaultport" become: 'yes' ignore_errors: true tasks: 
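Review bot: With the `Generate proxy server playbooks` task removed in this patch, the playbooks are no longer rendered from `ansible_resources/` templates, so the new quoted `hosts:` entries `- "{{ proxy_server_hostname }}"` in prox-server-firewall-setup.yml (and the same block in prox-server-setup.yml further down) are now resolved by Ansible itself at play start; as far as I recall, the `hosts:` pattern is templated before inventory and play `vars:` are loaded, so `proxy_server_hostname` must come from extra vars (`-e proxy_server_hostname=<host>`) or the play ends up with no targets. That invocation requirement is not documented anywhere in the patch; a comment above the play such as `# proxy_server_hostname must be passed with -e: hosts: cannot read inventory or play vars` would spare the next operator a silent "no hosts matched". While here, the adjacent `become: 'yes'` is a quoted string rather than a boolean; `become: true` is the canonical form and avoids yamllint truthy warnings. The play header continues past `tasks:` outside the hunk.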
@@ -68,68 +66,14 @@ - name: Block known attacker IP's ansible.builtin.iptables: - chain: "{{ '{{' }} item.chain {{ '}}' }}" - source: "{{ '{{' }} item.source {{ '}}' }}" + chain: "{{ item.chain }}" + source: "{{ item.source }}" jump: DROP loop: - { chain: INPUT, source: 46.148.40.0/24 } # IP targetting mailserver - { chain: OUTPUT, source: 46.148.40.0/24 } - { chain: FORWARD, source: 46.148.40.0/24 } - # # These rules currently kind of obsolete - # # NGinx Service - # - name: Allow inbound HTTPS web traffic - # ansible.builtin.iptables: - # chain: INPUT - # protocol: tcp - # destination_port: 443 - # jump: ACCEPT - # - name: Allow outbound HTTPS web traffic - # ansible.builtin.iptables: - # chain: OUTPUT - # protocol: tcp - # destination_port: 443 - # jump: ACCEPT - # - name: Allow inbound HTTP web traffic - # ansible.builtin.iptables: - # chain: INPUT - # protocol: tcp - # destination_port: 80 - # jump: ACCEPT - # - name: Allow outbound HTTP web traffic - # ansible.builtin.iptables: - # chain: OUTPUT - # protocol: tcp - # destination_port: 80 - # - # # Invidious Service - # - name: Allow inbound network traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: INPUT - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - name: Allow outbound network traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: OUTPUT - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - # # Minecraft Service - # - name: Allow inbound local network traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: INPUT - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - # - name: Allow outbound local network traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: OUTPUT - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - - name: Reset doas configuration back to default 
become: yes template: diff --git a/prox-server-ansible-playbooks-generate.yml b/prox-server-hosts-generate.yml similarity index 51% rename from prox-server-ansible-playbooks-generate.yml rename to prox-server-hosts-generate.yml index 3656e6f..775c8b0 100755 --- a/prox-server-ansible-playbooks-generate.yml +++ b/prox-server-hosts-generate.yml @@ -5,14 +5,6 @@ src: "ansible_resources/hosts" dest: "hosts" mode: '0777' - - name: Generate proxy server playbooks - template: - src: "ansible_resources/{{ item }}" - dest: "{{ item }}" - mode: '0777' - loop: - - prox-server-setup.yml - - prox-server-firewall-setup.yml - name: Debug Finish message debug: msg: Ansible playbook has finished! diff --git a/ansible_resources/prox-server-setup.yml b/prox-server-setup.yml similarity index 95% rename from ansible_resources/prox-server-setup.yml rename to prox-server-setup.yml index eaaaed6..e4d0e80 100755 --- a/ansible_resources/prox-server-setup.yml +++ b/prox-server-setup.yml @@ -1,8 +1,6 @@ -# {{ ansible_managed }} - - hosts: - - {{ proxy_server_hostname }} - # - {{ proxy_server_hostname }}-defaultport + - "{{ proxy_server_hostname }}" + # - "{{ proxy_server_hostname }}"-defaultport become: 'yes' ignore_errors: true vars: @@ -59,7 +57,7 @@ replace: '\1 contrib' - name: Ensure list of packages is installed apt: - name: '{{ "{{" }} packages {{ "}}" }}' + name: '{{ packages }}' state: present # SSH Server Setup - name: Enable SSH @@ -103,8 +101,8 @@ dest: "/etc/nginx/sites-available/git.{{ domain_name }}" - name: Enable the reverse proxy git domain config ansible.builtin.file: - src: /etc/nginx/sites-available/git.{{ domain_name }} - dest: /etc/nginx/sites-enabled/git.{{ domain_name }} + src: "/etc/nginx/sites-available/git.{{ domain_name }}" + dest: "/etc/nginx/sites-enabled/git.{{ domain_name }}" state: link # TODO : Overhaul all of this to use loops instead
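Review bot: The de-escaped `source: "{{ item.source }}"` is now applied verbatim to all three loop entries, but for the `OUTPUT` chain a `source` match of `46.148.40.0/24` only matches packets the host itself emits with that source address, which never happens; if the intent is to stop the server from replying to that range, the OUTPUT entry needs a destination match instead, e.g. an item `{ chain: OUTPUT, dest: 46.148.40.0/24 }` consumed by `destination: "{{ item.dest | default(omit) }}"` (the `source` line would need the same `default(omit)` treatment). `ansible.builtin.iptables` appends by default, so these DROP rules land after any broader ACCEPT rules created earlier in the play and may never be reached; `action: insert` or placing the task first would make the block effective, and unless something outside this hunk saves the ruleset it is lost on reboot. Note also that these tasks run under the play-level `ignore_errors: true` from the top of the file, so a rule that fails to apply goes unnoticed. The `Reset doas configuration` task at the end of the hunk continues beyond it.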
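Review bot: The new commented-out entry `# - "{{ proxy_server_hostname }}"-defaultport` in prox-server-setup.yml closes the quote before the `-defaultport` suffix, so the moment it is uncommented it is a YAML parse error (trailing text after a quoted scalar) rather than the intended second host; prox-server-firewall-setup.yml in this same patch writes it as `- "{{ proxy_server_hostname }}-defaultport"`, and the commented line should match that form so it can be enabled by deleting the `# ` alone. The play header continues past `vars:` outside the hunk.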