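# vim: ft=yaml.ansible
# code: language=ansible
---
# Host firewall (firewalld) zoning for lab hosts.
#
# Every task below writes the *permanent* configuration only (no
# 'immediate: true'): the running firewall is left untouched until the
# 'Reload firewalld' handler fires, which the final 'flush_handlers' forces
# before anything else runs. That way a half-applied rule set is never live.

- name: General firewall rules
  notify: Reload firewalld
  block:
    # Sources are bound to zones by network. The main LAN and the VPN range go
    # to 'drop' (target DROP: unsolicited traffic is silently discarded), so
    # only services explicitly added to that zone further down are reachable
    # from them.
    - name: Move main LAN and VPN networks to zone 'drop'
      ansible.posix.firewalld:
        zone: drop
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - 192.168.1.0/24
        - 192.168.8.0/24

    - name: Move lab network to zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.17.0/24
        permanent: true
        state: enabled

    - name: Move internal network to zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: 10.2.0.0/16
        permanent: true
        state: enabled

    # 'dmz' and 'internal' ship with the 'ssh' service enabled by default;
    # strip it so SSH into the host is opt-in per source rather than zone-wide.
    - name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: ssh
        permanent: true
        state: disabled
      loop:
        - dmz
        - internal

    # TEMPORARY: until the jump host sapt-labx-ctl01 is deployed, SSH has to
    # stay reachable from the operator networks (main LAN + VPN, zone 'drop').
    # This exposes port 22 to every address on both /24s; remove this task and
    # enable the jump-host rule below as soon as the jump host exists.
    - name: Allow incoming connections to SSH port in zone 'drop'
      ansible.posix.firewalld:
        zone: drop
        service: ssh
        permanent: true
        state: enabled

    # When sapt-labx-ctl01 is deployed: allow SSH into the lab zone ('dmz')
    # from the jump host only. The firewalld module acts on a single object
    # per call (one of source / service / port / rich_rule / ...) and rejects
    # 'source' combined with 'service', so a source-scoped service allowance
    # must be written as a rich rule.
    # - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
    #   ansible.posix.firewalld:
    #     zone: dmz
    #     rich_rule: >-
    #       rule family="ipv4"
    #       source address="{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
    #       service name="ssh" accept
    #     permanent: true
    #     state: enabled

# Blocks cannot be looped in Ansible ('loop'/'loop_control' are not valid block
# attributes; the play fails at parse time), so the per-environment iteration
# lives in the task's own loop: this host opens PostgreSQL to every app server
# of each environment whose 'db_<env>' group it is a member of. An app host
# without 'internal_ipv4' aborts the task (undefined variable) rather than
# silently widening or skipping the rule.
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
  ansible.posix.firewalld:
    zone: internal
    source: "{{ hostvars[item].internal_ipv4 }}"
    service: postgresql
    permanent: true
    state: enabled
  loop: "{{ _pg_app_hosts }}"
  vars:
    _pg_envs:
      - prod
      - stage
    # Inventory groups this host belongs to.
    # NOTE(review): 'hostname' is not an Ansible built-in; it is assumed to
    # hold this host's inventory name, as in the original membership test
    # ('hostname in groups["db_" + env]'). 'inventory_hostname' would be the
    # built-in equivalent — confirm where 'hostname' is defined.
    _pg_host_groups: >-
      {{ groups | dict2items
         | selectattr('value', 'contains', hostname)
         | map(attribute='key') | list }}
    # Environments (from _pg_envs) for which this host is a database server.
    _pg_db_envs: >-
      {{ _pg_envs | map('regex_replace', '^', 'db_')
         | select('in', _pg_host_groups)
         | map('regex_replace', '^db_', '') | list }}
    # All 'app_<env>' members of those environments; an empty list means the
    # host is not a DB server for any environment and the task is skipped.
    _pg_app_hosts: >-
      {{ _pg_db_envs | map('regex_replace', '^', 'app_')
         | map('extract', groups) | flatten }}
  notify: Reload firewalld

# Apply the permanent configuration now (runs the 'Reload firewalld' handler
# if anything above changed) instead of at the end of the play.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers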