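    ---
    # Host firewall baseline for the targeted hosts:
    #   * ufw with a default-deny inbound / allow outbound policy,
    #     rate-limited SSH (tcp/22) everywhere and HTTP (tcp/80) only for
    #     hosts in the "web" inventory group;
    #   * fail2ban installed, configured from templates/jail.local.j2 and
    #     restarted only when that configuration actually changes.
    #
    # `host_list` has to be supplied by the caller (inventory or -e); the play
    # fails early if it is undefined. The play logs in as root, as the original
    # did; moving to an unprivileged user with `become: true` needs a matching
    # inventory change and is deliberately not done here.
    - hosts: "{{ host_list }}"
      remote_user: root

      tasks:
        - name: FIREWALL | install packages
          ansible.builtin.apt:
            cache_valid_time: 3600
            # real booleans only: yes/no are YAML 1.1 truthy spellings
            force_apt_get: true
            pkg:
              - fail2ban
              - ufw
            state: present
            update_cache: true

        # NOTE: `state: reset` is not idempotent (reports changed on every run)
        # and leaves ufw inactive until the "enable" task below. Keep the tasks
        # in that window minimal and free of anything that may fail, otherwise
        # the host stays unprotected - or, if the SSH rule were skipped, the
        # operator is locked out once ufw is enabled.
        - name: UFW | reset before setting
          community.general.ufw:
            state: reset

        - name: UFW | deny everything IN
          community.general.ufw:
            direction: incoming
            policy: deny

        - name: UFW | allow everything OUT
          community.general.ufw:
            direction: outgoing
            policy: allow

        # "limit" rate-limits new connections on the port (ufw's built-in
        # brute-force mitigation). It must be in place before enabling ufw.
        - name: UFW | limit tcp port 22 IN
          community.general.ufw:
            direction: in
            log: true
            port: "22"
            proto: tcp
            rule: limit

        # `group_names` is the list of groups the current host belongs to; unlike
        # `groups.web` it does not raise an undefined-variable error when no
        # "web" group exists in the inventory.
        - name: UFW | allow tcp port 80 IN
          when: "'web' in group_names"
          community.general.ufw:
            direction: in
            rule: allow
            port: "80"
            proto: tcp

        # `logging: full` is the most verbose level; expect sizeable
        # /var/log/ufw.log growth on busy hosts.
        - name: UFW | enable & set logging
          community.general.ufw:
            logging: full
            state: enabled

        # Config is rendered before the service is (re)started so the first
        # start already picks it up; the handler restarts only on change.
        - name: FAIL2BAN | set local config
          ansible.builtin.template:
            src: templates/jail.local.j2
            dest: /etc/fail2ban/jail.local
            owner: root
            group: root
            mode: "0644"
          notify: restart fail2ban

        - name: FAIL2BAN | ensure deamon is running
          ansible.builtin.service:
            name: fail2ban
            state: started
            enabled: true

      handlers:
        # Runs once at the end of the play, and only if jail.local changed;
        # replaces the previous unconditional restart task.
        - name: restart fail2ban
          ansible.builtin.service:
            name: fail2ban
            state: restarted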