95 lines
2.1 KiB
YAML
95 lines
2.1 KiB
YAML
- name: Install packages
|
|
community.general.pacman:
|
|
name:
|
|
- ufw
|
|
|
|
- name: Deny all ports by default
|
|
community.general.ufw:
|
|
policy: deny
|
|
|
|
- name: Set default sources (bastion server)
|
|
set_fact:
|
|
default_firewall_src: any
|
|
when: '"bastion" in group_names'
|
|
|
|
- name: Set default sources (fleet server)
|
|
set_fact:
|
|
default_firewall_src: "{{ bastion_vpn_ip if wireguard_services else bastion_ip }}"
|
|
when: '"fleet" in group_names'
|
|
|
|
- name: Configure service interface
|
|
set_fact:
|
|
service_firewall_if: "{{ wireguard_interface if wireguard_services else omit }}"
|
|
when: 'wireguard_services'
|
|
|
|
- name: Allow service ports
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item.port }}"
|
|
proto: "{{ item.proto | default('tcp') }}"
|
|
# service -> VPN interface if available, else default
|
|
interface_in: "{{ service_firewall_if if (item.interface | default('')) == 'service' else item.interface | default(omit) }}"
|
|
src: "{{ item.src | default(default_firewall_src) }}"
|
|
when: item.name in group_names
|
|
with_items:
|
|
# matrix ports
|
|
- name: "bastion"
|
|
port: 8448
|
|
- name: "synapse"
|
|
port: 8008
|
|
interface: service
|
|
|
|
# navidrome api/web interface
|
|
- name: "navidrome"
|
|
port: 4533
|
|
interface: service
|
|
|
|
- name: "paperless"
|
|
port: 8000
|
|
interface: service
|
|
|
|
- name: "syncthing"
|
|
port: 22000
|
|
proto: any
|
|
src: "{{ local_subnet }}"
|
|
|
|
- name: "sshd"
|
|
port: "{{ sshd_port }}"
|
|
src: "{{ 'any' if 'bastion' in group_names else local_subnet }}"
|
|
|
|
# gitea sshd
|
|
- name: "bastion"
|
|
port: 2499
|
|
- name: "gitea"
|
|
port: 2498
|
|
interface: service
|
|
# gitea http
|
|
- name: "gitea"
|
|
port: 3000
|
|
interface: service
|
|
|
|
- name: "caddy"
|
|
port: 80
|
|
- name: "caddy"
|
|
port: 443
|
|
|
|
- name: "nameserver"
|
|
port: domain
|
|
proto: any
|
|
src: "{{ local_subnet }}"
|
|
|
|
- name: "wireguard"
|
|
port: "{{ wireguard.ip.port | default('51820') }}"
|
|
proto: udp
|
|
src: any
|
|
|
|
- name: Enable UFW
|
|
community.general.ufw:
|
|
state: enabled
|
|
|
|
- name: Enable firewall service
|
|
service:
|
|
name: ufw
|
|
state: started
|
|
enabled: yes
|