Clean up firewall configuration, add cockpit to firewall rules

This commit is contained in:
Curt Spark 2024-02-22 22:44:39 +00:00
parent 13491fa3c8
commit 2d41fdecae
2 changed files with 62 additions and 148 deletions


@ -1,6 +1,19 @@
- hosts: localhost - hosts: localhost
become: 'yes' become: 'yes'
tasks: tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# Telnet/SSH Configuration # Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network - name: Accept inbound SSH only on internal network
ansible.builtin.iptables: ansible.builtin.iptables:
@ -127,155 +140,43 @@
protocol: udp protocol: udp
destination_port: "{{ proxy_server_vpn_port }}" destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT jump: ACCEPT
# Docker # Cockpit Configuration
- name: Accept inbound HTTPS only from Github Container Registry - name: Accept inbound Cockpit traffic only from proxy server
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
source: 140.82.121.34 source: "{{ proxy_server_ip }}"
destination_port: 443 destination_port: 9090
jump: ACCEPT jump: ACCEPT
- name: Allow outbound HTTPS only to Github Container Registry - name: Accept inbound Cockpit traffic only from proxy server on wireguard assigned IP
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 10.0.0.1
destination_port: 9090
jump: ACCEPT
- name: Accept outbound cockpit traffic only to proxy server
ansible.builtin.iptables: ansible.builtin.iptables:
chain: OUTPUT chain: OUTPUT
protocol: tcp protocol: tcp
destination: 140.82.121.34 destination: "{{ proxy_server_ip }}"
destination_port: 443 destination_port: 9090
jump: ACCEPT
- name: Accept outbound cockpit traffic only to proxy server on wireguard assigned IP
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 10.0.0.1
destination_port: 9090
jump: ACCEPT jump: ACCEPT
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers) - name: Reset doas configuration back to default
# # Mail Service become: yes
# - name: Allow source (Inbound) local network traffic to the Mail service ports template:
# ansible.builtin.iptables: src: root_resources/etc/doas.conf
# chain: DOCKER-USER dest: "/etc/doas.conf"
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Deny any other traffic on Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: "{{ item }}"
# jump: DROP
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# # Invidious Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Deny any other traffic on Invidious port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 3000
# jump: DROP
#
# # Minecraft Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Deny any other traffic on Minecraft port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 25565
# jump: DROP
- name: Debug Finish message - name: Debug Finish message
debug: debug:
msg: Ansible playbook has finished! msg: Ansible playbook has finished!
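Review bot: The "Reset doas configuration back to default" task added at the end of the second hunk only runs if every task before it succeeds, so a single failed iptables task aborts the play and leaves /etc/doas.conf with `nopass` substituted for `persist`, i.e. passwordless elevation for wheel users stays in effect until someone notices; the second file in this commit introduces the same pattern. Wrap the tasks between the two doas tasks in a `block:` and move the reset template into its `always:` section so the default configuration is restored on failure as well as success. Separately, the two new Cockpit OUTPUT rules match `destination_port: 9090`, which permits this host to open connections to Cockpit on the proxy server rather than allowing replies from the local Cockpit service (those carry 9090 as the source port); if the intent is to serve Cockpit to the proxy, the reply traffic presumably relies on a conntrack ESTABLISHED rule earlier in the play, otherwise these rules should match `source_port: 9090`. Also write `become: true` on the new doas tasks rather than `become: yes`, matching yamllint's truthy rule and the quoted `'yes'` at play level.
```yaml
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'
    - name: Apply firewall rules with doas reset guaranteed afterwards
      block:
        # … unchanged: SSH, VPN and Cockpit iptables tasks, indented one level deeper …
      always:
        - name: Reset doas configuration back to default
          become: true
          template:
            src: root_resources/etc/doas.conf
            dest: "/etc/doas.conf"
    # … unchanged: Debug Finish message …
```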


@ -47,6 +47,19 @@
- oathtool - oathtool
available_servicedirs: [] available_servicedirs: []
tasks: tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# System Setup # System Setup
- name: Ensure .bashrc is updated - name: Ensure .bashrc is updated
template: template:
@ -175,12 +188,6 @@
groups: wheel,libvirt groups: wheel,libvirt
append: yes append: yes
- name: "Ensure doas is configured correctly"
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# Services directory - where VM's etc are stored # Services directory - where VM's etc are stored
- name: Directory permissions for Service folder # (Directory should already exist via ZFS!) - name: Directory permissions for Service folder # (Directory should already exist via ZFS!)
become: yes become: yes
@ -231,7 +238,13 @@
owner: "{{ admin_user_name }}" owner: "{{ admin_user_name }}"
group: root group: root
mode: '1700' mode: '1700'
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# End # End
- name: Debug Finish message - name: Debug Finish message
debug: debug: