diff --git a/server-firewall-setup.yml b/server-firewall-setup.yml
index 4e461a8..696748e 100644
--- a/server-firewall-setup.yml
+++ b/server-firewall-setup.yml
@@ -1,6 +1,19 @@
- hosts: localhost
become: 'yes'
tasks:
+
+ - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
+ become: yes
+ template:
+ src: root_resources/etc/doas.conf
+ dest: "/etc/doas.conf"
+ - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+ become: yes
+ replace:
+ path: /etc/doas.conf
+ regexp: 'persist'
+ replace: 'nopass'
+
# Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network
ansible.builtin.iptables:
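Review bot: The `Temporarily disable doas pass prompt` task rewrites `/etc/doas.conf` from `persist` to `nopass` for the whole run, but the matching `Reset doas configuration back to default` task (end of the second hunk, and the same pair added to server-setup.yml) only runs when every task in between succeeds, so a single failed iptables task leaves wheel users able to elevate without a password until the playbook is re-run. Wrap the intervening tasks in a `block` whose `always:` section carries the reset so the file is restored on failure as well as success. Since the play already runs with `become`, it may be simpler to drop the doas edit entirely and rely on Ansible's own privilege escalation, but that depends on the become method the play uses, which this hunk does not show. Also prefer `become: true` over `become: yes`, which yamllint's truthy rule flags.

```yaml
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - name: Run firewall tasks with the doas prompt disabled
      block:
        # … unchanged: Telnet/SSH, VPN and Cockpit iptables tasks …
      always:
        - name: Reset doas configuration back to default
          become: true
          template:
            src: root_resources/etc/doas.conf
            dest: "/etc/doas.conf"
```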
@@ -127,155 +140,43 @@ protocol: udp destination_port: "{{ proxy_server_vpn_port }}" jump: ACCEPT - - # Docker - - name: Accept inbound HTTPS only from Github Container Registry + + # Cockpit Configuration + - name: Accept inbound Cockpit traffic only from proxy server ansible.builtin.iptables: chain: INPUT - protocol: tcp - source: 140.82.121.34 - destination_port: 443 + protocol: tcp + source: "{{ proxy_server_ip }}" + destination_port: 9090 jump: ACCEPT - - name: Allow outbound HTTPS only to Github Container Registry + - name: Accept inbound Cockpit traffic only from proxy server on wireguard assigned IP + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + source: 10.0.0.1 + destination_port: 9090 + jump: ACCEPT + - name: Accept outbound cockpit traffic only to proxy server ansible.builtin.iptables: chain: OUTPUT protocol: tcp - destination: 140.82.121.34 - destination_port: 443 + destination: "{{ proxy_server_ip }}" + destination_port: 9090 + jump: ACCEPT + - name: Accept outbound cockpit traffic only to proxy server on wireguard assigned IP + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination: 10.0.0.1 + destination_port: 9090 jump: ACCEPT - # SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers) - # # Mail Service - # - name: Allow source (Inbound) local network traffic to the Mail service ports - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: 192.168.1.0/24 - # protocol: tcp - # destination_port: "{{ item }}" - # jump: ACCEPT - # loop: - # - 25 # SMTP Cleartext 25 - # - 465 # ESMTP Implicit TLS 465 - # - 587 # SMTP+STARTTLS Explicit TLS 587 - # - 993 # IMAPS Implicit TLS 993 - # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143 - # - # - name: Allow source (Inbound) proxy server traffic to the Mail service ports - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: 
"{{ item }}"
- # jump: ACCEPT
- # loop:
- # - 25 # SMTP Cleartext 25
- # - 465 # ESMTP Implicit TLS 465
- # - 587 # SMTP+STARTTLS Explicit TLS 587
- # - 993 # IMAPS Implicit TLS 993
- # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
- # - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # destination: "{{ proxy_server_ip }}"
- # protocol: tcp
- # destination_port: "{{ item }}"
- # jump: ACCEPT
- # loop:
- # - 25 # SMTP Cleartext 25
- # - 465 # ESMTP Implicit TLS 465
- # - 587 # SMTP+STARTTLS Explicit TLS 587
- # - 993 # IMAPS Implicit TLS 993
- # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
- #
- # - name: Deny any other traffic on Mail service ports
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # protocol: tcp
- # destination_port: "{{ item }}"
- # jump: DROP
- # loop:
- # - 25 # SMTP Cleartext 25
- # - 465 # ESMTP Implicit TLS 465
- # - 587 # SMTP+STARTTLS Explicit TLS 587
- # - 993 # IMAPS Implicit TLS 993
- # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
- #
- # # Invidious Service
- # - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # source: 192.168.1.0/24
- # protocol: tcp
- # destination_port: 3000
- # jump: ACCEPT
- # - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # destination: 192.168.1.0/24
- # protocol: tcp
- # destination_port: 3000
- # jump: ACCEPT
- #
- # - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # source: "{{ proxy_server_ip }}"
- # protocol: tcp
- # destination_port: 3000
- # jump: ACCEPT
- # - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
- # 
ansible.builtin.iptables:
- # chain: DOCKER-USER
- # destination: "{{ proxy_server_ip }}"
- # protocol: tcp
- # destination_port: 3000
- # jump: ACCEPT
- #
- # - name: Deny any other traffic on Invidious port 3000
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # protocol: tcp
- # destination_port: 3000
- # jump: DROP
- #
- # # Minecraft Service
- # - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # source: 192.168.1.0/24
- # protocol: tcp
- # destination_port: 25565
- # jump: ACCEPT
- # - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # destination: 192.168.1.0/24
- # protocol: tcp
- # destination_port: 25565
- # jump: ACCEPT
- #
- # - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # source: "{{ proxy_server_ip }}"
- # protocol: tcp
- # destination_port: 25565
- # jump: ACCEPT
- # - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # destination: "{{ proxy_server_ip }}"
- # protocol: tcp
- # destination_port: 25565
- # jump: ACCEPT
- #
- # - name: Deny any other traffic on Minecraft port 25565
- # ansible.builtin.iptables:
- # chain: DOCKER-USER
- # protocol: tcp
- # destination_port: 25565
- # jump: DROP
-
+ - name: Reset doas configuration back to default
+ become: yes
+ template:
+ src: root_resources/etc/doas.conf
+ dest: "/etc/doas.conf"
+
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!
diff --git a/server-setup.yml b/server-setup.yml
index 6638356..dea4a3b 100644
--- a/server-setup.yml
+++ b/server-setup.yml
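Review bot: The new Cockpit rules hard-code the tunnel address as `source: 10.0.0.1` and `destination: 10.0.0.1` while the sibling rules take `"{{ proxy_server_ip }}"` from a variable; move the WireGuard-side address into a variable next to it (for example `"{{ proxy_server_vpn_ip }}"`, a name this file does not define yet) so the two halves cannot drift when the tunnel is renumbered. These four ACCEPTs on port 9090 are only as restrictive as the INPUT chain's default policy or a later DROP rule, which this hunk does not show, so it is worth confirming that Cockpit is otherwise unreachable. Note also that `ansible.builtin.iptables` only changes the running ruleset; unless the playbook saves rules elsewhere, they do not survive a reboot.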
@@ -47,6 +47,19 @@
- oathtool
available_servicedirs: []
tasks:
+
+ - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
+ become: yes
+ template:
+ src: root_resources/etc/doas.conf
+ dest: "/etc/doas.conf"
+ - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+ become: yes
+ replace:
+ path: /etc/doas.conf
+ regexp: 'persist'
+ replace: 'nopass'
+
# System Setup
- name: Ensure .bashrc is updated
template:
@@ -175,12 +188,6 @@
groups: wheel,libvirt
append: yes

- - name: "Ensure doas is configured correctly"
- become: yes
- template:
- src: root_resources/etc/doas.conf
- dest: "/etc/doas.conf"
-
# Services directory - where VM's etc are stored
- name: Directory permissions for Service folder # (Directory should already exist via ZFS!)
become: yes
@@ -231,7 +238,13 @@
owner: "{{ admin_user_name }}"
group: root
mode: '1700'
-
+
+ - name: Reset doas configuration back to default
+ become: yes
+ template:
+ src: root_resources/etc/doas.conf
+ dest: "/etc/doas.conf"
+
# End
- name: Debug Finish message
debug:
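Review bot: `regexp: 'persist'` in the `Temporarily disable doas pass prompt` task is an unanchored substring match, so it rewrites every occurrence in the templated file, including any inside a comment in `root_resources/etc/doas.conf` if the template carries one; bound it to the option token, `regexp: '\bpersist\b'`, or better, ship a separate nopass variant of the template so the change is declarative and diffable. The identical task in server-firewall-setup.yml has the same issue. The template content is not in this diff, so whether a comment actually contains the word is an assumption to confirm.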