diff --git a/deploy.sh b/deploy.sh
index 2a36b0e..70095a1 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -2,6 +2,11 @@
 BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
+if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
+ echo "Installing community modules"
+ ansible-galaxy collection install community.general
+fi
+
 if [ -z "$1" ]; then
 echo "Deploying all!"
 $BASE_CMD
diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml
index 257352b..f4ed43f 100644
--- a/roles/ubuntu_base/tasks/base.yml
+++ b/roles/ubuntu_base/tasks/base.yml
@@ -9,6 +9,7 @@
 - apparmor
 - haveged
 - mosh
+ - ufw
 - srvadmin-all # Dell OpenManage
 - name: Install necessary packages via pip
diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml
new file mode 100644
index 0000000..f431865
--- /dev/null
+++ b/roles/ubuntu_base/tasks/firewall.yml
@@ -0,0 +1,20 @@
+---
+- name: Setup firewall with UFW
+ community.general.ufw:
+ state: enabled
+ policy: deny
+- name: Allow necessary ports
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop:
+ - "22/tcp" # Gitea SSH
+ - "80/tcp" # HTTP
+ - "443/tcp" # HTTPS
+ - "389/tcp" # OpenLDAP
+ - "636/tcp" # OpenLDAP
+ - "25/tcp" # Email
+ - "465/tcp" # Email
+ - "587/tcp" # Email
+ - "993/tcp" # Email
+ - "19022/tcp" # SSH
diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml
index d6d34a4..dddc508 100644
--- a/roles/ubuntu_base/tasks/main.yml
+++ b/roles/ubuntu_base/tasks/main.yml
@@ -7,4 +7,6 @@
 tags: [install-base-packages]
 - import_tasks: users.yml
 tags: [setup-users]
+- import_tasks: firewall.yml
+ tags: [setup-firewall]
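Review bot: The exit status of the added `ansible-galaxy collection install community.general` line is never checked, so a failed or offline install still falls through to the playbook run, which then only fails later on the `community.general.ufw` tasks; no `set -e` is visible in this hunk, so change it to `ansible-galaxy collection install community.general || exit 1`. The install is also unpinned, so every fresh deploy host pulls whatever version Galaxy serves at that moment; pinning it, e.g. `ansible-galaxy collection install 'community.general:==<pinned version>'` or a checked-in `requirements.yml` installed with `-r`, keeps deploys reproducible and lets the dependency be reviewed. The guard keys on empty stdout with stderr discarded, so a broken or missing `ansible-galaxy` binary looks the same as a missing collection and the script would try to install anyway. The `if [ -z "$1" ]` block continues outside the hunk.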
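Review bot: The `Setup firewall with UFW` task enables ufw with `policy: deny` before the `Allow necessary ports` loop runs, so between the two tasks inbound SSH on 22 and 19022 is refused; the live Ansible session usually survives because ufw's default before-rules accept established traffic, but any reconnect between the tasks would lock the play out of the host. Reorder the file so the allow loop runs first and the `state: enabled` task last, which is the usual shape for this role. Plain-text LDAP on `389/tcp` is opened from any source; if it is needed at all, restrict that item with the module's `from_ip` parameter to the trusted client range (a labelled value such as `from_ip: "<trusted client CIDR>"` on that item, which means turning the loop entries into mappings), otherwise keep only `636/tcp`. It is also worth verifying that the module accepts the combined `"22/tcp"` form in `port`; the documented form is `port: "22"` with `proto: tcp`, and a rejected rule here would leave the host with deny-all and no allows.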