# vim: ft=yaml.ansible
# code: language=ansible
---
# Bind the DMZ network to firewalld zone 'dmz'. Applied to the running
# configuration immediately and persisted to the permanent configuration.
- name: Move DMZ network to zone 'dmz'
  ansible.posix.firewalld:
    source: "192.168.17.0/24"
    zone: dmz
    state: enabled
    immediate: true
    permanent: true
# Bind interface eth1 to firewalld zone 'internal'. Applied to the running
# configuration immediately and persisted to the permanent configuration.
- name: Move interface 'eth1' to zone 'internal'
  ansible.posix.firewalld:
    interface: eth1
    zone: internal
    state: enabled
    immediate: true
    permanent: true
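# Until the jump host (sapt-labx-ctl01) is deployed, SSH into the DMZ is
# accepted from the whole main LAN. The hard-coded `when: true` / `when: false`
# toggle is replaced by the variable `jump_host_deployed` (new; defaults to
# false, which keeps the previous behaviour). Once it is set to true the LAN
# rule is explicitly disabled rather than merely skipped: with
# `permanent: true` a rule that is no longer applied stays in firewalld until
# something removes it.
# NOTE(review): ansible.posix.firewalld is believed to process `source` and
# `service` as separate zone operations rather than one combined rule —
# confirm that the resulting configuration really limits ssh to this source;
# if not, a `rich_rule` is needed.
- name: Allow incoming connections from main LAN to SSH port
  ansible.posix.firewalld:
    zone: dmz
    source: "192.168.1.0/24"
    service: ssh
    permanent: true
    immediate: true
    state: "{{ 'disabled' if (jump_host_deployed | default(false) | bool) else 'enabled' }}"

# When the jump host is deployed, only it may reach SSH in the DMZ.
# `hostvars['sapt-labx-ctl01']` must exist in the inventory when this task
# runs; it is not templated while the condition is false.
- name: Allow incoming connections from jump host to SSH port
  ansible.posix.firewalld:
    zone: dmz
    source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
    service: ssh
    permanent: true
    immediate: true
    state: enabled
  when: jump_host_deployed | default(false) | bool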
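# Rules that only apply to hosts in the 'control_infra' inventory group.
# NOTE(review): `hostname` is not an Ansible built-in variable (that would be
# `inventory_hostname`); it is expected to be defined by the play or
# inventory — confirm.
- name: Firewall rules for group 'control_infra'
  when: hostname in groups['control_infra']
  block:
    # Control hosts keep accepting SSH from the main LAN.
    - name: Allow incoming connections from main LAN to SSH port
      ansible.posix.firewalld:
        zone: dmz
        source: "192.168.1.0/24"
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    # DNS on both transports. The templated port is quoted so the value is
    # always parsed as a string, whatever `item` expands to.
    - name: Allow incoming connections from LAN to DNS port
      ansible.posix.firewalld:
        zone: dmz
        source: "192.168.0.0/16"
        port: "53/{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - tcp
        - udp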
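# Ansible blocks do not accept `loop` (a `loop` on a block is rejected at
# parse time), so the per-environment loop is replaced by a two-step form:
# first collect (env, app host) pairs for every environment in which this
# host is a database server, then apply one firewall rule per pair.
# NOTE(review): `hostname` is not an Ansible built-in variable; it is
# expected to be defined by the play or inventory — confirm.
- name: Collect app servers allowed to reach PostgreSQL
  ansible.builtin.set_fact:
    # `product` pairs the single-element list [env] with every host of the
    # matching app group; the pairs are appended across loop iterations.
    pg_allowed_app_hosts: "{{ pg_allowed_app_hosts | default([]) + [env] | product(groups['app_' + env]) }}"
  loop:
    - prod
    - stage
  loop_control:
    loop_var: env
  when: hostname in groups['db_' + env]

# item.0 is the environment name, item.1 the app host's inventory name.
# `internal_ipv4` is a host variable expected to be set for every app host.
- name: Allow incoming connections from app servers to PostgreSQL
  ansible.posix.firewalld:
    zone: internal
    source: "{{ hostvars[item.1].internal_ipv4 }}"
    port: "5432/tcp"
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ pg_allowed_app_hosts | default([]) }}"
  loop_control:
    label: "{{ item.0 }}: {{ item.1 }}"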