Only open enabled services in firewall

2022-03-01 17:56:41 -05:00 · 2022-03-01 17:56:41 -05:00 · a5e85742a0
commit a5e85742a0
parent 3ba2c49a8c
2 changed files with 19 additions and 44 deletions
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -7,27 +7,40 @@
  community.general.ufw:
    policy: deny
- name: Allow service ports
+- name: Allow Matrix federation port
  community.general.ufw:
    rule: allow
    port: 8448
    proto: tcp
    state: enabled
  when: enable_synapse
 - name: Allow http/https ports
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
    state: enabled
-
+  when: enable_webserver
  with_items:
    - "{{ sshd_port }}"
    - http
    - https
-    # Matrix federation port
+
-    - 8448
+- name: Allow ssh port
  community.general.ufw:
    rule: allow
    port: "{{ sshd_port }}"
    proto: tcp
    state: enabled
 - name: Allow DNS port to LAN
  community.general.ufw:
    rule: allow
-    port: 53
+    port: domain
    proto: any
    state: enabled
    src: "{{ local_subnet }}"
  when: enable_nameserver
 - name: Enable firewall service
  service:
--- a/tasks/user_config.yml
+++ b/tasks/user_config.yml
@ -1,38 +0,0 @@
 - name: Fetch dotfiles
  git:
    repo: "{{ dots_repo }}"
    dest: "/srv/dots/"
  register: dotfiles
 - name: Create list of users to configure
  set_fact:
    users:
      - "{{ ansible_user }}"
      - "{{ username }}"
 - name: Remove existing dotfiles
  file:
    path: "/home/{{ item }}/.bashrc"
    state: absent
  with_items: "{{ users }}"
  when: dotfiles.changed
 - name: Copy dotfiles
  copy:
    remote_src: yes
    src: /srv/dots/
    dest: "/home/{{ item }}/dots/"
    owner: "{{ item }}"
    group: "{{ item }}"
  with_items: "{{ users }}"
  when: dotfiles.changed
 - name: Deploy dotfiles on login
  template:
    src: templates/.bash_profile.j2
    dest: "/home/{{ item }}/.bash_profile"
    owner: "{{ item }}"
    group: "{{ item }}"
    force: yes
  with_items: "{{ users }}"
  when: dotfiles.changed