
commit 05ccb68344affd26d35b7165ba4b4d6bbd1919d3
parent df82f419dc8dfebc6a470c48117098d2db27c8c6
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 28 Jan 2021 23:28:38 +0100

remove awall rules
11 files changed, 0 insertions(+), 263 deletions(-)
D
roles/acme-redirect/files/awall-rule.json
|
13
-------------
D
roles/bind/files/awall-rule.json
|
13
-------------
D
roles/common/files/awall/custom-services.json
|
7
-------
D
roles/common/files/awall/ssh.json
|
14
--------------
D
roles/common/tasks/firewall-awall.yml
|
86
-------------------------------------------------------------------------------
D
roles/common/templates/awall-baseconfig.yaml.j2
|
28
----------------------------
D
roles/frp/templates/awall-rule.json.j2
|
14
--------------
D
roles/maddy/files/awall-rule.json
|
37
-------------------------------------
D
roles/nginx/files/awall-rule.json
|
19
-------------------
D
roles/nginx/files/awall-rule_httpsOnly.json
|
13
-------------
D
roles/syncthing/files/awall-rule.json
|
19
-------------------
diff --git a/roles/acme-redirect/files/awall-rule.json b/roles/acme-redirect/files/awall-rule.json
@@ -1,13 +0,0 @@
-{
-  "description": "Allow HTTP on WAN (for acme-redirect)",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "http",
-      "action": "accept"
-    }
-  ]
-}
diff --git a/roles/bind/files/awall-rule.json b/roles/bind/files/awall-rule.json
@@ -1,13 +0,0 @@
-{
-  "description": "Allow DNS on WAN (for bind)",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "dns",
-      "action": "accept"
-    }
-  ]
-}
diff --git a/roles/common/files/awall/custom-services.json b/roles/common/files/awall/custom-services.json
@@ -1,7 +0,0 @@
-{
-	"service": {
-		"frps": [
-			{ "proto": "tcp", "port": 5050 }
-		]
-	}
-}
diff --git a/roles/common/files/awall/ssh.json b/roles/common/files/awall/ssh.json
@@ -1,14 +0,0 @@
-{
-  "description": "Allow rate-limited SSH on WAN",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "ssh",
-      "action": "accept",
-      "conn-limit": { "count": 3, "interval": 20 }
-    }
-  ]
-}
diff --git a/roles/common/tasks/firewall-awall.yml b/roles/common/tasks/firewall-awall.yml
@@ -1,86 +0,0 @@
----
-- name: "[Alpine] Install Package: awall"
-  apk:
-    name: awall lua-lyaml ip6tables
-    state: present
-    update_cache: yes
-  when: network.awall.enable is true
-
-- name: "Load kernel module: iptables"
-  raw: "modprobe ip_tables"
-  when: network.awall.enable is true
-
-- name: "[awall] Create custom-services file"
-  copy:
-    src: awall/custom-services.json
-    dest: /etc/awall/private/custom-services.json
-    validate: jq '.' %s
-  when: network.awall.enable is true
-
-- name: "[awall] Create base-config"
-  template:
-    src: awall-baseconfig.yaml.j2
-    dest: /etc/awall/private/base.yaml
-#    validate: jq '.' %s
-  when: network.awall.enable is true
-
-- name: "[awall] Copy rule for: ssh"
-  copy:
-    src: awall/ssh.json
-    dest: /etc/awall/optional/ssh.json
-    validate: jq '.' %s
-  when:
-    - network.awall.enable is true
-    - system.enableSSH is defined
-    - system.enableSSH is true 
-
-- name: "[awall] Activate rule for: ssh"
-  awall:
-    name: ssh
-    state: enabled
-    activate: yes
-  when: 
-    - network.awall.enable is true
-    - system.enableSSH is defined
-    - system.enableSSH is true
-
-- name: "[OpenRC] Enable and start service: iptables"
-  service:
-    name: iptables
-    enabled: yes
-    state: started
-  when: network.awall.enable is true
-
-- name: "[OpenRC] Enable and start service: ip6tables"
-  service:
-    name: ip6tables
-    enabled: yes
-    state: started
-  when: network.awall.enable is true
-
-
-- name: "[OpenRC] Disable and stop service: iptables"
-  service:
-    name: iptables
-    enabled: no
-    state: stopped
-  when: network.awall.enable is false
-
-- name: "[OpenRC] Disable and stop service: ip6tables"
-  service:
-    name: ip6tables
-    enabled: no
-    state: stopped
-  when: network.awall.enable is false
-
-- name: "[Alpine] Remove Package: awall"
-  apk:
-    name: awall lua-lyaml ip6tables
-    state: absent
-  when: network.awall.enable is false
-
-- name: "Delete directory: /etc/awall"
-  file:
-    path: /etc/awall
-    mode: absent
-  when: network.awall.enable is false
diff --git a/roles/common/templates/awall-baseconfig.yaml.j2 b/roles/common/templates/awall-baseconfig.yaml.j2
@@ -1,27 +0,0 @@
-#
-# !!! This file is managed by Ansible !!!
-#
-
-description: Base zones and policies for {{system.hostname}}
-import:
-  - custom-services
-
-{% if network.awall.config.zones is defined %}
-zone:
-  {{ network.awall.config.zones | to_yaml | trim | indent(2) }}
-{% endif %}
-
-{% if network.awall.config.policies is defined %}
-policy:
-  {{ network.awall.config.policies | to_yaml| trim | indent(2) }}
-{% endif %}
-
-{% if network.awall.config.filters is defined %}
-filter:
-  {{ network.awall.config.filters | to_yaml | trim | indent(2) }}
-{% endif %}
-
-{% if network.awall.config.snat is defined %}
-snat:
-  - out: {{ network.awall.config.snat }}
-{% endif %}-
\ No newline at end of file
diff --git a/roles/frp/templates/awall-rule.json.j2 b/roles/frp/templates/awall-rule.json.j2
@@ -1,13 +0,0 @@
-{
-  "description": "Allow FRPS on WAN",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": { "proto": "tcp", "port": {{ services.frps.port }} },
-      "action": "accept"
-    }
-  ]
-}-
\ No newline at end of file
diff --git a/roles/maddy/files/awall-rule.json b/roles/maddy/files/awall-rule.json
@@ -1,37 +0,0 @@
-{
-  "description": "Allow mail specific ports on WAN (for maddy)",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "smtp",
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": { "proto": "tcp", "port": 465 },
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "submission",
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "imap",
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "imaps",
-      "action": "accept"
-    }
-  ]
-}
diff --git a/roles/nginx/files/awall-rule.json b/roles/nginx/files/awall-rule.json
@@ -1,19 +0,0 @@
-{
-  "description": "Allow HTTP(S) on WAN (for nginx)",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "http",
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "https",
-      "action": "accept"
-    }
-  ]
-}
diff --git a/roles/nginx/files/awall-rule_httpsOnly.json b/roles/nginx/files/awall-rule_httpsOnly.json
@@ -1,13 +0,0 @@
-{
-  "description": "Allow HTTPS on WAN (for nginx)",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": "https",
-      "action": "accept"
-    }
-  ]
-}
diff --git a/roles/syncthing/files/awall-rule.json b/roles/syncthing/files/awall-rule.json
@@ -1,19 +0,0 @@
-{
-  "description": "Allow syncthing specific ports on WAN",
-  "import": [ "base" ],
-
-  "filter": [
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": {"proto": "tcp", "port": 22000},
-      "action": "accept"
-    },
-    {
-      "in": "WAN",
-      "out": "_fw",
-      "service": {"proto": "udp", "port": 21027},
-      "action": "accept"
-    }
-  ]
-}