Clean up firewall configuration, add cockpit to firewall rules

This commit is contained in:
Curt Spark 2024-02-22 22:44:39 +00:00
parent 13491fa3c8
commit 2d41fdecae
2 changed files with 62 additions and 148 deletions


@ -1,6 +1,19 @@
- hosts: localhost
become: 'yes'
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network
ansible.builtin.iptables:
@ -127,155 +140,43 @@
protocol: udp
destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT
# Docker
- name: Accept inbound HTTPS only from Github Container Registry
# Cockpit Configuration
- name: Accept inbound Cockpit traffic only from proxy server
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 140.82.121.34
destination_port: 443
protocol: tcp
source: "{{ proxy_server_ip }}"
destination_port: 9090
jump: ACCEPT
- name: Allow outbound HTTPS only to Github Container Registry
- name: Accept inbound Cockpit traffic only from proxy server on wireguard assigned IP
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 10.0.0.1
destination_port: 9090
jump: ACCEPT
- name: Accept outbound cockpit traffic only to proxy server
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 140.82.121.34
destination_port: 443
destination: "{{ proxy_server_ip }}"
destination_port: 9090
jump: ACCEPT
- name: Accept outbound cockpit traffic only to proxy server on wireguard assigned IP
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 10.0.0.1
destination_port: 9090
jump: ACCEPT
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers)
# # Mail Service
# - name: Allow source (Inbound) local network traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Deny any other traffic on Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: "{{ item }}"
# jump: DROP
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# # Invidious Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Deny any other traffic on Invidious port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 3000
# jump: DROP
#
# # Minecraft Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Deny any other traffic on Minecraft port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 25565
# jump: DROP
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!
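Review bot: The new `Temporarily disable doas pass prompt` task rewrites /etc/doas.conf from `persist` to `nopass` and depends on the `Reset doas configuration back to default` task at the very end of the play to undo it, so a failed task or an interrupted run anywhere in between leaves wheel users with passwordless elevation until the next successful run. Wrap the intervening tasks in a `block:` whose `always:` section carries the reset task, so the restore runs on failure as well as success; the second file in this commit adds the same disable/reset pair and needs the same treatment. Separately, the two Cockpit rules hardcode `source: 10.0.0.1` and `destination: 10.0.0.1` while the sibling rules template `"{{ proxy_server_ip }}"`; moving the WireGuard peer address into a variable alongside `proxy_server_ip` keeps the rule set consistent and avoids the two literals drifting apart if the tunnel addressing changes. The new doas tasks also write `become: yes` where `become: true` is the canonical boolean and matches what the play header intends.

```yaml
    - name: Configure firewall with the relaxed doas policy, restoring it whatever the outcome
      block:
        # … unchanged: SSH, VPN and Cockpit iptables tasks, indented one level deeper …
      always:
        - name: Reset doas configuration back to default
          become: true
          template:
            src: root_resources/etc/doas.conf
            dest: "/etc/doas.conf"
```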


@ -47,6 +47,19 @@
- oathtool
available_servicedirs: []
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# System Setup
- name: Ensure .bashrc is updated
template:
@ -175,12 +188,6 @@
groups: wheel,libvirt
append: yes
- name: "Ensure doas is configured correctly"
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# Services directory - where VM's etc are stored
- name: Directory permissions for Service folder # (Directory should already exist via ZFS!)
become: yes
@ -231,7 +238,13 @@
owner: "{{ admin_user_name }}"
group: root
mode: '1700'
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# End
- name: Debug Finish message
debug: