homeserver-iac/roles/firewall/tasks/main.yml
dogeystamp 864c1bdfd3
haproxy, firewall, containers: force connections through bastion vpn
docker is now listening on localhost, with a haproxy on the services
server to forward the ports outwards. this is because docker tends to
disregard UFW's rules, but haproxy should be better in that regard.

meanwhile, the firewall rules have been configured properly to only
allow the bastion IP in over the wireguard connection, for proper
authentication.
2024-06-19 23:02:08 -04:00


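---
# Firewall role: install UFW, set a default-deny inbound policy, then open only
# the per-service ports listed below, each restricted by source and (where
# applicable) interface. Every allow rule is added before UFW is enabled, so a
# host is never left without its sshd rule between "enable" and "allow".

- name: Install packages
  community.general.pacman:
    name:
      - ufw

# UFW applies the policy to incoming traffic unless a direction is given;
# outgoing traffic is left at UFW's own default.
- name: Deny all ports by default
  community.general.ufw:
    policy: deny

# The bastion accepts connections from anywhere by default; every rule below
# that does not set its own `src` inherits this value.
- name: Set default sources (bastion server)
  ansible.builtin.set_fact:
    default_firewall_src: any
  when: '"bastion" in group_names'

# Fleet servers only accept the bastion: its VPN address when services are
# reached over wireguard, else its public address.
# NOTE(review): a host in neither "bastion" nor "fleet" leaves
# default_firewall_src undefined, and "Allow service ports" then fails on any
# item that has no `src` of its own — confirm every host is in one of the two.
- name: Set default sources (fleet server)
  ansible.builtin.set_fact:
    default_firewall_src: "{{ bastion_vpn_ip if wireguard_services else bastion_ip }}"
  when: '"fleet" in group_names'

# Service-only rules are bound to the wireguard interface. When
# wireguard_services is false this task is skipped and the fact stays
# undefined; the consumer below handles that with `default(omit)`.
# (The original `else omit` branch was unreachable because of the `when`.)
- name: Configure service interface
  ansible.builtin.set_fact:
    service_firewall_if: "{{ wireguard_interface }}"
  when: wireguard_services

- name: Allow service ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
    # service -> VPN interface if available, else the item's own interface,
    # else no interface restriction. `default(omit)` on service_firewall_if is
    # what keeps this from erroring on an undefined variable when the
    # "Configure service interface" task above was skipped.
    interface_in: "{{ (service_firewall_if | default(omit)) if (item.interface | default('')) == 'service' else (item.interface | default(omit)) }}"
    src: "{{ item.src | default(default_firewall_src) }}"
  # Each item applies only to hosts that belong to the group of that name.
  when: item.name in group_names
  loop:
    # matrix: federation port on the bastion, client port on synapse (VPN only)
    - name: "bastion"
      port: 8448
    - name: "synapse"
      port: 8008
      interface: service
    # navidrome api/web interface
    - name: "navidrome"
      port: 4533
      interface: service
    # syncthing: LAN only, tcp and udp
    - name: "syncthing"
      port: 22000
      proto: any
      src: "{{ local_subnet }}"
    # sshd: reachable from anywhere on the bastion, LAN only elsewhere
    - name: "sshd"
      port: "{{ sshd_port }}"
      src: "{{ 'any' if 'bastion' in group_names else local_subnet }}"
    # gitea sshd: public port on the bastion, backend port on gitea (VPN only)
    - name: "bastion"
      port: 2499
    - name: "gitea"
      port: 2498
      interface: service
    # gitea http
    - name: "gitea"
      port: 3000
      interface: service
    # caddy http/https
    - name: "caddy"
      port: 80
    - name: "caddy"
      port: 443
    # nameserver: LAN only, tcp and udp; "domain" is a service name UFW resolves
    - name: "nameserver"
      port: domain
      proto: any
      src: "{{ local_subnet }}"
    # wireguard listens for peers from anywhere; default port if not configured
    - name: "wireguard"
      port: "{{ wireguard.ip.port | default('51820') }}"
      proto: udp
      src: any

# Rules are all in place by now, so enabling cannot lock the host out.
- name: Enable UFW
  community.general.ufw:
    state: enabled

- name: Enable firewall service
  ansible.builtin.service:
    name: ufw
    state: started
    enabled: true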