commit 3867afbc3935cac1a1c6c81c1ab59e05620191f5
Author: phil
Date: Sat Feb 25 19:51:48 2023 +0100
Initial commit
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..af69557
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,9 @@
+galaxy_info:
+ author: Sense.Lab e.V. admins
+ description: Role to setup firewall rules
+ license: GPLv3
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Debian
+ versions:
+ - bullseye
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..f5c0a4d
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,43 @@
+---
+- name: Install ufw firewall
+ ansible.builtin.apt:
+ name: ufw
+
+- name: Flush old ufw rules
+ ansible.builtin.command: "ufw --force reset"
+
+- name: Set specific ufw rules
+ ansible.builtin.command: "ufw {{ item }}"
+ loop: "{{ firewall_rules | default([]) }}"
+
+- name: Allow forwarding
+ ansible.builtin.replace:
+ path: /etc/ufw/sysctl.conf
+ regexp: '#net\/ipv4\/ip_forward=1'
+ replace: net/ipv4/ip_forward=1
+ when: firewall_ipv4_forwarding is defined and firewall_ipv4_forwarding
+
+- name: Insert forwarding skeleton
+ ansible.builtin.blockinfile:
+ path: /etc/ufw/before.rules
+ marker: "# {mark} ANSIBLE MANAGED BLOCK "
+ insertbefore: BOF
+ block: |
+ *nat
+ :PREROUTING ACCEPT [0:0]
+ # forwarding rules
+ COMMIT
+ when: firewall_ipv4_forwarding is defined and firewall_ipv4_forwarding
+
+- name: Insert forwarding rules
+ ansible.builtin.lineinfile:
+ path: "/etc/ufw/before.rules"
+ line: "{{ item }}"
+ state: present
+ insertafter: "# forwarding rules"
+ loop: "{{ firewall_forwarding_rules | default([]) }}"
+ when: firewall_ipv4_forwarding is defined and firewall_ipv4_forwarding
+
+- name: Enable ufw
+ community.general.ufw:
+ state: enabled
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..0976245
--- /dev/null
+++ b/tasks/main.yml
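Review bot: The metadata does not record that the role depends on the `community.general` collection, which tasks/firewall.yml needs for `community.general.ufw`; meta/main.yml cannot declare collection dependencies, so a `requirements.yml` with `collections: [community.general]` (or a note in the role's README) would let users install the role without guessing. `galaxy_tags` and an explicit `dependencies: []` are also absent; an empty `dependencies: []` is the conventional way to state that the role pulls in no other roles, and as far as I can tell from the hunk nothing else here implies one.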
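Review bot: `ufw --force reset` in the "Flush old ufw rules" task disables ufw and discards every rule, and nothing re-enables it until the final "Enable ufw" task, so a failure in any task in between (a malformed entry in `firewall_rules`, a missing `/etc/ufw/before.rules` when forwarding is on) aborts the play with the host left unfiltered. Wrapping the rule tasks in a `block` whose `always` section runs `community.general.ufw: state: enabled` bounds that window, and since the role already uses `community.general.ufw`, its `state: reset` and `default`/`direction` parameters can replace the first `command` task and make the default-deny policy explicit instead of relying on whatever the reset restores. The two `ansible.builtin.command` tasks also report `changed` on every run, so the role is not idempotent without a `changed_when`; the rule loop could move to the module's `rule`/`port`/`proto` parameters if `firewall_rules` entries are structured, but I can't tell from the hunk how they are defined. Note that `command` does not invoke a shell, so each loop item is only split into arguments.

```yaml
# … unchanged: Install ufw firewall …

- name: Configure ufw rules, re-enabling the firewall even if a step fails
  block:
    - name: Reset ufw to defaults
      community.general.ufw:
        state: reset

    - name: Deny incoming traffic by default
      community.general.ufw:
        default: deny
        direction: incoming

    - name: Set specific ufw rules
      ansible.builtin.command: "ufw {{ item }}"
      loop: "{{ firewall_rules | default([]) }}"

    # … unchanged: Allow forwarding, Insert forwarding skeleton, Insert forwarding rules …
  always:
    - name: Enable ufw
      community.general.ufw:
        state: enabled
```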
@@ -0,0 +1,5 @@
+---
+- name: Firewall task
+ ansible.builtin.import_tasks: firewall.yml
+ tags: firewall
+ when: firewall is defined and firewall