From 5f718e1027f5da425f6205221d705bd1c731a196 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Thu, 10 Nov 2022 21:48:24 +0100
Subject: [PATCH 1/3] Add firewall setup with UFW
---
 roles/ubuntu_base/tasks/base.yml | 1 +
 roles/ubuntu_base/tasks/firewall.yml | 20 ++++++++++++++++++++
 roles/ubuntu_base/tasks/main.yml | 2 ++
 3 files changed, 23 insertions(+)
 create mode 100644 roles/ubuntu_base/tasks/firewall.yml
diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml
index 257352b..f4ed43f 100644
--- a/roles/ubuntu_base/tasks/base.yml
+++ b/roles/ubuntu_base/tasks/base.yml
@@ -9,6 +9,7 @@
 - apparmor
 - haveged
 - mosh
+ - ufw
 - srvadmin-all # Dell OpenManage
 
 - name: Install necessary packages via pip
diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml
new file mode 100644
index 0000000..bd40c93
--- /dev/null
+++ b/roles/ubuntu_base/tasks/firewall.yml
@@ -0,0 +1,20 @@
+---
+- name: Setup firewall with UFW
+ community.general.ufw:
+ state: enabled
+ policy: deny
+- name: Allow necessary ports
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop:
+ - 22 # Gitea SSH
+ - 80 # HTTP
+ - 443 # HTTPS
+ - 389 # OpenLDAP
+ - 636 # OpenLDAP
+ - 25 # Email
+ - 465 # Email
+ - 587 # Email
+ - 993 # Email
+ - 19022 # SSH
diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml
index d6d34a4..dddc508 100644
--- a/roles/ubuntu_base/tasks/main.yml
+++ b/roles/ubuntu_base/tasks/main.yml
@@ -7,4 +7,6 @@
 tags: [install-base-packages]
 - import_tasks: users.yml
 tags: [setup-users]
+- import_tasks: firewall.yml
+ tags: [setup-firewall]
 
From d597a956ffd8500f3ce685976ce44be201fcafc0 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Thu, 10 Nov 2022 22:03:49 +0100
Subject: [PATCH 2/3] Add installation of community modules to deploy.sh
---
 deploy.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/deploy.sh b/deploy.sh
index 2a36b0e..70095a1 100755
--- a/deploy.sh
+++ b/deploy.sh
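Review bot: In firewall.yml the first task enables UFW with `policy: deny` before the second task has added a single allow rule, so a play that stops between the two tasks (failure, Ctrl-C, lost connection) leaves the host default-deny with no SSH allow rule, and a fresh Ansible connection on 22 or 19022 cannot get back in. Add the allow rules first and enable with `state: enabled` / `policy: deny` in a task that follows them; the later patch that rewrites the port list keeps the same order. The loop also opens every port to any source, so the LDAP ports 389 and 636 (389 being plaintext) would be better limited with `from_ip` to the hosts that need them. The two SSH entries (22 "Gitea SSH", 19022 "SSH") read as serving different purposes, which the task `name` could say explicitly.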
@@ -2,6 +2,11 @@
 BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
 
 
+if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
+ echo "Installing community modules"
+ ansible-galaxy collection install community.general
+fi
+
 if [ -z "$1" ]; then
 echo "Deploying all!"
 $BASE_CMD
From 58dbf9ff229c6c854d50e68178f88d547df5ef90 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Tue, 15 Nov 2022 20:42:18 +0100
Subject: [PATCH 3/3] Allow only TCP traffic on specified ports
---
 roles/ubuntu_base/tasks/firewall.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml
index bd40c93..f431865 100644
--- a/roles/ubuntu_base/tasks/firewall.yml
+++ b/roles/ubuntu_base/tasks/firewall.yml
@@ -8,13 +8,13 @@
 rule: allow
 port: "{{ item }}"
 loop:
- - 22 # Gitea SSH
- - 80 # HTTP
- - 443 # HTTPS
- - 389 # OpenLDAP
- - 636 # OpenLDAP
- - 25 # Email
- - 465 # Email
- - 587 # Email
- - 993 # Email
- - 19022 # SSH
+ - "22/tcp" # Gitea SSH
+ - "80/tcp" # HTTP
+ - "443/tcp" # HTTPS
+ - "389/tcp" # OpenLDAP
+ - "636/tcp" # OpenLDAP
+ - "25/tcp" # Email
+ - "465/tcp" # Email
+ - "587/tcp" # Email
+ - "993/tcp" # Email
+ - "19022/tcp" # SSH
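Review bot: The added `ansible-galaxy collection install community.general` is unpinned, so each first run of deploy.sh fetches whatever version Galaxy serves at that moment and two deployments can run different module code; pin it, e.g. a `requirements.yml` entry with `version: "<pinned version>"` installed via `ansible-galaxy collection install -r requirements.yml`. The emptiness test on `ansible-galaxy collection list community.general 2>/dev/null` also swallows any failure of that command, and since the script has no `set -e` a failed install still falls through to the playbook run below, so end the install line with `|| exit 1`. The script continues past the hunk.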
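Review bot: The protocol is now folded into the port value (`"22/tcp"`) even though `community.general.ufw` has a dedicated `proto` parameter and documents `port` as a port number or range; `port: "{{ item }}"` with `proto: tcp` on the task and a plain port list is the supported form and keeps the loop items data rather than fragments of ufw syntax. Quoting the items as strings is right in any case, since an unquoted `22` is an int and a `22:22`-style range would hit YAML 1.1 sexagesimal parsing. The task header (`- name: Allow necessary ports`, `community.general.ufw:`) and the enable/default-deny task lie outside this hunk, so the ordering of enable before allow from the first patch is unchanged here.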