samsapti/lab-ansible
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Compare commits

base: samsapti:e75a5364df3739f6446dc84942f201aff022ebfd
Branches Tags
samsapti:main
...
compare: samsapti:2d9eb03b66ab829f49c47ad567f1ce8dbb006816
Branches Tags
samsapti:main

2 commits
e75a5364df ... 2d9eb03b66

Author SHA1 Message Date
Sam A. 2d9eb03b66
Simplify FW rules, handling in router FW 2023-12-25 20:36:14 +01:00
Sam A. 7b3decdf07
Remove hostname and timezone, cloud-init does that 2023-12-25 20:35:49 +01:00
2 changed files with 9 additions and 63 deletions
Show stats Expand all files Collapse all files

64
roles/virt-common/tasks/firewall.yml
View file

@ -4,35 +4,13 @@
- name: General firewall rules - name: General firewall rules
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Move Guest LAN and and IoT LAN networks to zone 'drop' - name: Move LAN networks to zone 'dmz'
ansible.posix.firewalld:
zone: drop
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.2.0/24
- 192.168.4.0/24
- name: Move Home LAN and VPN networks to zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
source: "{{ item }}" source: 192.168.0.0/16
permanent: true permanent: true
state: enabled state: enabled
loop: loop:
- 192.168.1.0/24
- 192.168.8.0/24
- name: Move Secure LAN and Lab LAN networks to zone 'public'
ansible.posix.firewalld:
zone: public
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.17.0/24
- 192.168.23.0/24
- name: Move internal network to zone 'internal' - name: Move internal network to zone 'internal'
ansible.posix.firewalld: ansible.posix.firewalld:
@ -41,19 +19,12 @@
permanent: true permanent: true
state: enabled state: enabled
- name: Default deny incoming connections to SSH port in all zones - name: Deny incoming connections to SSH port in default zone
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}"
service: ssh service: ssh
permanent: true permanent: true
state: disabled state: disabled
loop:
- drop
# - dmz
- public
- internal
# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'dmz' - name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
@ -61,14 +32,6 @@
permanent: true permanent: true
state: enabled state: enabled
# When sapt-labx-ctl01 is deployed
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
# ansible.posix.firewalld:
# zone: public
# service: ssh
# permanent: true
# state: enabled
- name: Firewall rules for database servers - name: Firewall rules for database servers
when: hostname in groups['dbservers'] when: hostname in groups['dbservers']
notify: Reload firewalld notify: Reload firewalld
@ -84,35 +47,26 @@
when: hostname in groups['proxyservers'] when: hostname in groups['proxyservers']
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz' - name: Allow incoming connections to HTTP port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}" zone: dmz
service: http service: http
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz' - name: Allow incoming connections to HTTPS port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}" zone: dmz
service: https service: https
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz' - name: Allow incoming connections to HTTP/3 port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}" zone: dmz
service: http3 service: http3
permanent: true permanent: true
state: enabled state: enabled
loop:
- drop
- dmz
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers

8
roles/virt-common/tasks/main.yml
View file

@ -1,14 +1,6 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Set hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
- name: Set timezone
community.general.timezone:
name: "{{ timezone }}"
- name: Copy hosts file - name: Copy hosts file
ansible.builtin.template: ansible.builtin.template:
src: hosts.j2 src: hosts.j2