Only open enabled services in firewall

dogeystamp 2022-03-01 17:56:41 -05:00
parent 3ba2c49a8c
commit a5e85742a0
Signed by: dogeystamp
GPG Key ID: 7225FE3592EFFA38
2 changed files with 19 additions and 44 deletions


@ -7,27 +7,40 @@
community.general.ufw:
policy: deny
- name: Allow service ports
- name: Allow Matrix federation port
community.general.ufw:
rule: allow
port: 8448
proto: tcp
state: enabled
when: enable_synapse
- name: Allow http/https ports
community.general.ufw:
rule: allow
port: "{{ item }}"
proto: tcp
state: enabled
when: enable_webserver
with_items:
- "{{ sshd_port }}"
- http
- https
# Matrix federation port
- 8448
- name: Allow ssh port
community.general.ufw:
rule: allow
port: "{{ sshd_port }}"
proto: tcp
state: enabled
- name: Allow DNS port to LAN
community.general.ufw:
rule: allow
port: 53
port: domain
proto: any
state: enabled
src: "{{ local_subnet }}"
when: enable_nameserver
- name: Enable firewall service
service:
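Review bot: The "Allow ssh port" task sits after the Matrix and http/https tasks, each of which carries `state: enabled`, so on a host where `enable_synapse` or `enable_webserver` is true ufw is switched on with the `policy: deny` default from the top of the hunk before the sshd rule exists; if the play fails between those tasks the box is unreachable over SSH. The rendered page has lost the +/- markers, so this inference about the new ordering should be checked against the raw diff. Move the `Allow ssh port` task ahead of the conditional ones, and since a separate `Enable firewall service` task already follows (its body continues past the end of the hunk), drop `state: enabled` from the individual rule tasks so enabling happens once, after all allows are in place. A short comment above the ssh task would make the ordering constraint explicit, e.g. `# Must run before any task that enables ufw, or a failed run locks out SSH`.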


@ -1,38 +0,0 @@
- name: Fetch dotfiles
git:
repo: "{{ dots_repo }}"
dest: "/srv/dots/"
register: dotfiles
- name: Create list of users to configure
set_fact:
users:
- "{{ ansible_user }}"
- "{{ username }}"
- name: Remove existing dotfiles
file:
path: "/home/{{ item }}/.bashrc"
state: absent
with_items: "{{ users }}"
when: dotfiles.changed
- name: Copy dotfiles
copy:
remote_src: yes
src: /srv/dots/
dest: "/home/{{ item }}/dots/"
owner: "{{ item }}"
group: "{{ item }}"
with_items: "{{ users }}"
when: dotfiles.changed
- name: Deploy dotfiles on login
template:
src: templates/.bash_profile.j2
dest: "/home/{{ item }}/.bash_profile"
owner: "{{ item }}"
group: "{{ item }}"
force: yes
with_items: "{{ users }}"
when: dotfiles.changed