lab-ansible/roles/vm-common/tasks/firewall.yml

78 lines
2 KiB
YAML
Raw Normal View History

2023-10-28 23:00:05 +00:00
# vim: ft=yaml.ansible
2023-10-29 19:46:52 +00:00
# code: language=ansible
2023-10-28 23:00:05 +00:00
---
2023-11-12 17:22:08 +00:00
- name: General firewall rules
notify: Reload firewalld
block:
- name: Move main LAN and VPN networks to zone 'drop'
ansible.posix.firewalld:
zone: drop
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.1.0/24
- 192.168.8.0/24
2023-11-11 20:09:17 +00:00
2023-11-12 17:22:08 +00:00
- name: Move lab network to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
source: 192.168.17.0/24
permanent: true
state: enabled
2023-11-12 17:22:08 +00:00
- name: Move internal network to zone 'internal'
ansible.posix.firewalld:
zone: internal
source: 10.2.0.0/16
permanent: true
state: enabled
2023-11-11 20:09:17 +00:00
2023-11-12 17:22:08 +00:00
- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
ansible.posix.firewalld:
zone: "{{ item }}"
service: ssh
permanent: true
state: disabled
loop:
- dmz
- internal
2023-11-12 17:22:08 +00:00
# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'drop'
ansible.posix.firewalld:
zone: drop
service: ssh
permanent: true
state: enabled
2023-11-11 20:09:17 +00:00
2023-11-12 17:22:08 +00:00
# When sapt-labx-ctl01 is deployed
# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
# ansible.posix.firewalld:
# zone: dmz
# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
# service: ssh
# permanent: true
# state: enabled
- name: Firewall rules for production and staging
loop:
- prod
- stage
loop_control:
loop_var: env
2023-11-12 17:22:08 +00:00
notify: Reload firewalld
block:
2023-11-12 17:18:56 +00:00
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ hostvars[item].internal_ipv4 }}"
2023-11-11 20:09:17 +00:00
service: postgresql
permanent: true
state: enabled
loop: "{{ groups['app_' + env] }}"
when: hostname in groups['db_' + env]
2023-11-12 17:18:56 +00:00
- name: Flush handlers
ansible.builtin.meta: flush_handlers