

No commits in common. "2d9eb03b66ab829f49c47ad567f1ce8dbb006816" and "e75a5364df3739f6446dc84942f201aff022ebfd" have entirely different histories.

2 changed files with 64 additions and 10 deletions


@ -4,13 +4,35 @@
- name: General firewall rules - name: General firewall rules
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Move LAN networks to zone 'dmz' - name: Move Guest LAN and and IoT LAN networks to zone 'drop'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: drop
source: 192.168.0.0/16 source: "{{ item }}"
permanent: true permanent: true
state: enabled state: enabled
loop: loop:
- 192.168.2.0/24
- 192.168.4.0/24
- name: Move Home LAN and VPN networks to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.1.0/24
- 192.168.8.0/24
- name: Move Secure LAN and Lab LAN networks to zone 'public'
ansible.posix.firewalld:
zone: public
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.17.0/24
- 192.168.23.0/24
- name: Move internal network to zone 'internal' - name: Move internal network to zone 'internal'
ansible.posix.firewalld: ansible.posix.firewalld:
@ -19,12 +41,19 @@
permanent: true permanent: true
state: enabled state: enabled
- name: Deny incoming connections to SSH port in default zone - name: Default deny incoming connections to SSH port in all zones
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}"
service: ssh service: ssh
permanent: true permanent: true
state: disabled state: disabled
loop:
- drop
# - dmz
- public
- internal
# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'dmz' - name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
@ -32,6 +61,14 @@
permanent: true permanent: true
state: enabled state: enabled
# When sapt-labx-ctl01 is deployed
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
# ansible.posix.firewalld:
# zone: public
# service: ssh
# permanent: true
# state: enabled
- name: Firewall rules for database servers - name: Firewall rules for database servers
when: hostname in groups['dbservers'] when: hostname in groups['dbservers']
notify: Reload firewalld notify: Reload firewalld
@ -47,26 +84,35 @@
when: hostname in groups['proxyservers'] when: hostname in groups['proxyservers']
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Allow incoming connections to HTTP port in zone 'dmz' - name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: "{{ item }}"
service: http service: http
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTPS port in zone 'dmz' - name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: "{{ item }}"
service: https service: https
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTP/3 port in zone 'dmz' - name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: "{{ item }}"
service: http3 service: http3
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers
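Review bot: The new source-to-zone tasks in the first hunk (`@ -4,13 +4,35 @@`) replace the old `source: 192.168.0.0/16` assignment to zone 'dmz' with six /24 sources, but nothing removes that /16 from the permanent configuration of hosts provisioned by the previous version, so on those hosts the /16 stays in 'dmz' alongside the narrower sources now placed in 'drop' and 'public'. Which of two overlapping sources wins is not something the diff shows and depends on the firewalld version and backend, so it should be confirmed rather than assumed that the /24 entries take precedence; a migration task with `state: disabled` for the old source, placed in the same block before the new assignments so the existing `notify: Reload firewalld` covers it, closes the gap (excerpt below). A second consequence worth a comment on the task is that 192.168.0.0/16 subnets not listed in any loop now fall back to the host's default zone, and if that is still 'public' (the diff does not set it) the commented-out future task in the third hunk would allow SSH from them too — a comment such as `# 192.168.x.0/24 subnets not listed below land in the default zone` would make that explicit. The enclosing `block:` under 'General firewall rules' continues past the end of the hunk.
```yaml
# … unchanged: General firewall rules block header …
- name: Remove legacy LAN-wide source from zone 'dmz'
  ansible.posix.firewalld:
    zone: dmz
    source: 192.168.0.0/16
    permanent: true
    state: disabled
# … unchanged: per-network zone assignments …
```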


@ -1,6 +1,14 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Set hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Set timezone
community.general.timezone:
name: "{{ timezone }}"
- name: Copy hosts file - name: Copy hosts file
ansible.builtin.template: ansible.builtin.template:
src: hosts.j2 src: hosts.j2