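---
# Install the two packages the rest of this tasks file configures: ufw and fail2ban.
- name: FIREWALL | install packages
  ansible.builtin.apt:
    # Skip the index refresh if it was done within the last hour (seconds)
    cache_valid_time: 3600
    # Canonical boolean; the original `yes` is a YAML 1.1 truthy literal that
    # yamllint flags and that YAML 1.2 parsers read as a string
    force_apt_get: true
    pkg:
      - fail2ban
      - ufw
    state: present
    update_cache: true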
# `ufw reset` disables the firewall and drops every rule, so from here until the
# "UFW | enable & set logging" task later in this file the host runs with no
# packet filtering; a play that fails in between leaves the firewall disabled.
# The reset is also not idempotent: it reports a change on every run.
- name: UFW | reset before setting
  community.general.ufw:
    state: reset
# Default policy for inbound traffic: deny everything not explicitly allowed
# by the rules that follow.
- name: UFW | deny everything IN
  community.general.ufw:
    direction: incoming
    policy: deny
# Default policy for outbound traffic: unrestricted. No egress filtering is
# applied anywhere in this file.
- name: UFW | allow everything OUT
  community.general.ufw:
    direction: outgoing
    policy: allow
# On hosts in the `station` group only: one allow rule for SSH (tcp/22) per
# station host, using that host's inventory `ansible_host` as the source. The
# loop includes the current host itself, so its own address is allowed too.
# NOTE(review): ufw `src` takes an IP address or CIDR — confirm `ansible_host`
# is set to an address (not a DNS name) for every station host; a host without
# `ansible_host` makes this task fail on an undefined variable.
- name: UFW | allow local IPs on port 22 IN
  when: inventory_hostname in groups.station
  loop: "{{ groups['station'] }}"
  community.general.ufw:
    direction: in
    port: '22'
    proto: tcp
    rule: allow
    src: "{{hostvars[item]['ansible_host']}}"
# On hosts in the `production` or `devel` groups: allow SSH (tcp/22) only from
# the address in `gateway`, which must be defined for those hosts. The `when`
# is one plain scalar continued on the next line; keep the continuation
# indented under the key or YAML will not fold it into the expression.
- name: "UFW | allow {{gateway}} IP on port 22 IN"
  when: (inventory_hostname in groups.production) or
        (inventory_hostname in groups.devel)
  community.general.ufw:
    direction: in
    port: '22'
    proto: tcp
    rule: allow
    src: "{{gateway}}"
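# Rate-limit SSH from every other source: ufw's `limit` rule denies a source
# that opens too many new connections in a short window, and `log` records the
# matches. ufw evaluates rules in order, so the per-source allow rules added
# above still win for the station and gateway addresses.
- name: UFW | limit tcp port 22 IN
  community.general.ufw:
    direction: in
    # Canonical boolean instead of the YAML 1.1 truthy literal `yes`
    log: true
    port: '22'
    proto: tcp
    rule: limit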
# On hosts in the `web` group: allow inbound HTTP (tcp/80) from any source.
# Only port 80 is opened here; nothing in this file opens 443.
- name: UFW | allow tcp port 80 IN
  when: inventory_hostname in groups.web
  community.general.ufw:
    direction: in
    rule: allow
    port: '80'
    proto: tcp
# Turn the firewall back on (it has been disabled since the reset task above)
# with the rules accumulated so far, and set ufw's log level to `low`.
- name: UFW | enable & set logging
  community.general.ufw:
    logging: low
    state: enabled
# Start fail2ban now and enable it at boot. This runs before the jail config is
# rendered, so the first start uses whatever configuration is already present.
- name: FAIL2BAN | ensure deamon is running
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true
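# Render the fail2ban jail configuration and restart the daemon only when the
# rendered file actually changed, so repeated runs do not bounce the service.
# (A `notify` handler would be the idiomatic form, but handlers live outside
# this tasks file, so the change is tracked with `register` instead.)
- name: FAIL2BAN | set local config
  ansible.builtin.template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    # Explicit ownership and mode: without them the resulting permissions
    # depend on the umask or on the pre-existing file
    # (ansible-lint: risky-file-permissions)
    owner: root
    group: root
    mode: "0644"
  register: fail2ban_jail
# Restart only on a real config change; unconditional restart breaks
# idempotence and briefly interrupts banning on every run
- name: FAIL2BAN | restart service
  when: fail2ban_jail is changed
  ansible.builtin.service:
    name: fail2ban
    state: restarted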