
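---
# Baseline host hardening for Debian/Ubuntu hosts: UFW with a default-deny
# inbound policy, rate-limited SSH, HTTP only on web hosts, and fail2ban.
# Target hosts come from the `host_list` variable (e.g. `-e host_list=web`).
# NOTE(review): the play runs directly as root over SSH; the usual
# least-privilege layout is an unprivileged remote_user with `become: true`.
# Kept as-is here because changing it alters how the play connects.
- hosts: "{{ host_list }}"
  remote_user: root

  tasks:
    - name: FIREWALL | install packages
      ansible.builtin.apt:
        cache_valid_time: 3600
        force_apt_get: true
        pkg:
          - fail2ban
          - ufw
        state: present
        update_cache: true

    # Wipes every existing rule and disables UFW until the "enable" task
    # below runs, so the host is unfiltered for the rest of this play and
    # every run reports "changed" for this task.
    - name: UFW | reset before setting
      community.general.ufw:
        state: reset

    # Default policies: nothing in unless explicitly allowed, everything out.
    - name: UFW | deny everything IN
      community.general.ufw:
        direction: incoming
        policy: deny

    - name: UFW | allow everything OUT
      community.general.ufw:
        direction: outgoing
        policy: allow

    # `limit` rate-limits new SSH connections from one source; fail2ban
    # below handles the persistent offenders.
    - name: UFW | limit tcp port 22 IN
      community.general.ufw:
        direction: in
        log: true
        port: '22'
        proto: tcp
        rule: limit

    # `default([])` keeps this task skippable (instead of failing with an
    # undefined variable) when the inventory has no `web` group.
    - name: UFW | allow tcp port 80 IN
      when: inventory_hostname in (groups['web'] | default([]))
      community.general.ufw:
        direction: in
        rule: allow
        port: '80'
        proto: tcp

    # Rules above only take effect from this point on.
    - name: UFW | enable & set logging
      community.general.ufw:
        logging: full
        state: enabled

    # Config is written before the service is started so the first start
    # already uses jail.local; later changes are applied by the handler
    # instead of an unconditional restart on every run.
    - name: FAIL2BAN | set local config
      ansible.builtin.template:
        src: templates/jail.local.j2
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: '0644'
      notify: Restart fail2ban

    - name: FAIL2BAN | ensure deamon is running
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

  handlers:
    # Fires only when jail.local actually changed.
    - name: Restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted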