Prox server playbooks reconfiguration
This commit is contained in:
parent
04ef639f55
commit
7a4818592f
@ -1,8 +1,6 @@
|
||||||
**/*.enc
|
**/*.enc
|
||||||
newkey_out
|
newkey_out
|
||||||
hosts
|
hosts
|
||||||
prox-server-firewall-setup.yml
|
|
||||||
prox-server-setup.yml
|
|
||||||
prox-deploy-service.yml
|
prox-deploy-service.yml
|
||||||
|
|
||||||
!**/ansible_resources/*
|
!**/ansible_resources/*
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
- {{ proxy_server_hostname }}
|
- "{{ proxy_server_hostname }}"
|
||||||
- {{ proxy_server_hostname }}-defaultport
|
- "{{ proxy_server_hostname }}-defaultport"
|
||||||
become: 'yes'
|
become: 'yes'
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
tasks:
|
tasks:
|
||||||
|
|
@ -68,68 +66,14 @@
|
||||||
|
|
||||||
- name: Block known attacker IP's
|
- name: Block known attacker IP's
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: "{{ '{{' }} item.chain {{ '}}' }}"
|
chain: "{{ item.chain }}"
|
||||||
source: "{{ '{{' }} item.source {{ '}}' }}"
|
source: "{{ item.source }}"
|
||||||
jump: DROP
|
jump: DROP
|
||||||
loop:
|
loop:
|
||||||
- { chain: INPUT, source: 46.148.40.0/24 } # IP targetting mailserver
|
- { chain: INPUT, source: 46.148.40.0/24 } # IP targetting mailserver
|
||||||
- { chain: OUTPUT, source: 46.148.40.0/24 }
|
- { chain: OUTPUT, source: 46.148.40.0/24 }
|
||||||
- { chain: FORWARD, source: 46.148.40.0/24 }
|
- { chain: FORWARD, source: 46.148.40.0/24 }
|
||||||
|
|
||||||
# # These rules currently kind of obsolete
|
|
||||||
# # NGinx Service
|
|
||||||
# - name: Allow inbound HTTPS web traffic
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: INPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 443
|
|
||||||
# jump: ACCEPT
|
|
||||||
# - name: Allow outbound HTTPS web traffic
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: OUTPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 443
|
|
||||||
# jump: ACCEPT
|
|
||||||
# - name: Allow inbound HTTP web traffic
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: INPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 80
|
|
||||||
# jump: ACCEPT
|
|
||||||
# - name: Allow outbound HTTP web traffic
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: OUTPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 80
|
|
||||||
#
|
|
||||||
# # Invidious Service
|
|
||||||
# - name: Allow inbound network traffic to the Invidious service only on service port 3000
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: INPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 3000
|
|
||||||
# jump: ACCEPT
|
|
||||||
# - name: Allow outbound network traffic to the Invidious service only on service port 3000
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: OUTPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 3000
|
|
||||||
# jump: ACCEPT
|
|
||||||
#
|
|
||||||
# # Minecraft Service
|
|
||||||
# - name: Allow inbound local network traffic to the Invidious service only on service port 25565
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: INPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 25565
|
|
||||||
# jump: ACCEPT
|
|
||||||
# - name: Allow outbound local network traffic to the Invidious service only on service port 25565
|
|
||||||
# ansible.builtin.iptables:
|
|
||||||
# chain: OUTPUT
|
|
||||||
# protocol: tcp
|
|
||||||
# destination_port: 25565
|
|
||||||
# jump: ACCEPT
|
|
||||||
|
|
||||||
- name: Reset doas configuration back to default
|
- name: Reset doas configuration back to default
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
template:
|
||||||
|
|
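Review bot: The OUTPUT entry in the `Block known attacker IP's` loop can never match, because in the OUTPUT chain the source address is the host's own IP; blocking traffic towards that range needs `- { chain: OUTPUT, destination: 46.148.40.0/24 }` (the FORWARD entry presumably wants a destination rule alongside the source one as well). The `ansible.builtin.iptables` module appends by default, so these DROP rules land after any ACCEPT rules already in the chain and only fire for packets nothing earlier accepted; adding `action: insert` under `ansible.builtin.iptables:` puts them first. Nothing in this hunk persists the ruleset, so unless a task elsewhere saves it the block is lost on reboot — worth confirming. The `Reset doas configuration back to default` task that closes the hunk continues outside it.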
@ -5,14 +5,6 @@
|
||||||
src: "ansible_resources/hosts"
|
src: "ansible_resources/hosts"
|
||||||
dest: "hosts"
|
dest: "hosts"
|
||||||
mode: '0777'
|
mode: '0777'
|
||||||
- name: Generate proxy server playbooks
|
|
||||||
template:
|
|
||||||
src: "ansible_resources/{{ item }}"
|
|
||||||
dest: "{{ item }}"
|
|
||||||
mode: '0777'
|
|
||||||
loop:
|
|
||||||
- prox-server-setup.yml
|
|
||||||
- prox-server-firewall-setup.yml
|
|
||||||
- name: Debug Finish message
|
- name: Debug Finish message
|
||||||
debug:
|
debug:
|
||||||
msg: Ansible playbook has finished!
|
msg: Ansible playbook has finished!
|
||||||
|
|
@ -1,8 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
- {{ proxy_server_hostname }}
|
- "{{ proxy_server_hostname }}"
|
||||||
# - {{ proxy_server_hostname }}-defaultport
|
# - "{{ proxy_server_hostname }}"-defaultport
|
||||||
become: 'yes'
|
become: 'yes'
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
vars:
|
vars:
|
||||||
|
|
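Review bot: The play-level `ignore_errors: true` kept on the new side makes every task in this setup play best-effort, so a failed package install or a failed SSH or nginx configuration step still reports success and leaves the host half-configured; drop it and use per-task `ignore_errors` or `failed_when` only where a failure is genuinely tolerable. Now that the playbook is no longer rendered by the generator task, `- "{{ proxy_server_hostname }}"` under `hosts:` is templated by Ansible itself, and play-level `vars:` (the block that closes this hunk) are, as far as I recall, not available when `hosts` is evaluated — the variable has to come from inventory or `-e`, so confirm where it is defined. The commented-out `# - "{{ proxy_server_hostname }}"-defaultport` would be invalid YAML if re-enabled because the suffix sits outside the quotes; the firewall playbook's `- "{{ proxy_server_hostname }}-defaultport"` form is the one to keep. `become: 'yes'` is a quoted string rather than a boolean; `become: true` is the conventional form.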
@ -59,7 +57,7 @@
|
||||||
replace: '\1 contrib'
|
replace: '\1 contrib'
|
||||||
- name: Ensure list of packages is installed
|
- name: Ensure list of packages is installed
|
||||||
apt:
|
apt:
|
||||||
name: '{{ "{{" }} packages {{ "}}" }}'
|
name: '{{ packages }}'
|
||||||
state: present
|
state: present
|
||||||
# SSH Server Setup
|
# SSH Server Setup
|
||||||
- name: Enable SSH
|
- name: Enable SSH
|
||||||
|
|
@ -103,8 +101,8 @@
|
||||||
dest: "/etc/nginx/sites-available/git.{{ domain_name }}"
|
dest: "/etc/nginx/sites-available/git.{{ domain_name }}"
|
||||||
- name: Enable the reverse proxy git domain config
|
- name: Enable the reverse proxy git domain config
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
src: /etc/nginx/sites-available/git.{{ domain_name }}
|
src: "/etc/nginx/sites-available/git.{{ domain_name }}"
|
||||||
dest: /etc/nginx/sites-enabled/git.{{ domain_name }}
|
dest: "/etc/nginx/sites-enabled/git.{{ domain_name }}"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
# TODO : Overhaul all of this to use loops instead
|
# TODO : Overhaul all of this to use loops instead
|
||||||