From 46bbe11161e10a280c5ad454c025165b7bf80b13 Mon Sep 17 00:00:00 2001
From: Ada
Date: Wed, 17 Apr 2024 11:19:14 +0200
Subject: [PATCH] Add UFW firewall for debian based distro

---
 ansible/deploy.yml | 4 +++-
 ansible/packer.yml | 4 +++-
 ansible/roles/knot_resolver/tasks/main.yml | 9 +++++++++
 ansible/roles/ufw/tasks/main.yml | 14 ++++++++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/ufw/tasks/main.yml

diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index 8e522c3..ec63e93 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -10,7 +10,9 @@
 - journald
 - sshd
 - role: timesyncd
- when: ansible_facts['os_family'] == "Ubuntu"
+ when: ansible_facts['os_family'] == "Debian"
+ - role: ufw
+ when: ansible_facts['os_family'] == "Debian"
 
 - name: Resolver
 hosts: resolver
diff --git a/ansible/packer.yml b/ansible/packer.yml
index 5df8ea6..9792ce7 100644
--- a/ansible/packer.yml
+++ b/ansible/packer.yml
@@ -10,7 +10,9 @@
 - journald
 - sshd
 - role: timesyncd
- when: ansible_facts['os_family'] == "Ubuntu"
+ when: ansible_facts['os_family'] == "Debian"
+ - role: ufw
+ when: ansible_facts['os_family'] == "Debian"
 post_tasks:
 - name: Clean cloud-init
 ansible.builtin.command: cloud-init clean
diff --git a/ansible/roles/knot_resolver/tasks/main.yml b/ansible/roles/knot_resolver/tasks/main.yml
index e798b06..62d2614 100644
--- a/ansible/roles/knot_resolver/tasks/main.yml
+++ b/ansible/roles/knot_resolver/tasks/main.yml
@@ -19,3 +19,12 @@
 mode: "0644"
 notify:
 - Restart knot resolver
+
+- name: Allow port 53 (DNS)
+ community.general.ufw:
+ rule: allow
+ port: "{{ item.port }}"
+ proto: "{{ item.proto }}"
+ with_items:
+ - { port: "53", proto: "tcp" }
+ - { port: "53", proto: "udp" }
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..3a83a29
--- /dev/null
+++ b/ansible/roles/ufw/tasks/main.yml
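Review bot: The ufw role is added to the common play, which (per the new role) enables UFW with only 22/tcp allowed, while the 53/tcp and 53/udp rules for the resolver live in the knot_resolver role of the later Resolver play; during a deploy a resolver host therefore rejects DNS traffic from the moment UFW is enabled until the knot_resolver task runs. If that window matters, move the allow rules into the ufw role driven by a per-group variable, or place the ufw role after the service roles. The same role addition is made in packer.yml, where the ordering is harmless because the image is not serving traffic yet. The Resolver play continues outside this hunk, so its task order is inferred from the knot_resolver hunk below.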
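Review bot: The new `Allow port 53 (DNS)` task calls `community.general.ufw` unconditionally, whereas the ufw role itself is included in deploy.yml and packer.yml only `when: ansible_facts['os_family'] == "Debian"`; on a resolver host of any other family the task fails because ufw was never installed. Add the same guard to this task, `when: ansible_facts['os_family'] == "Debian"`, or move the rule into the ufw role so the condition lives in one place. The Ansible docs recommend `loop:` over `with_items:`; `loop:` with the same two items keeps the behaviour and matches current style guidance.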
@@ -0,0 +1,14 @@
+---
+- name: Install UFW
+ ansible.builtin.apt:
+ name: ufw
+
+- name: Allow 22/tcp (SSH)
+ community.general.ufw:
+ rule: allow
+ port: "22"
+ proto: tcp
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
\ No newline at end of file
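Review bot: `Enable UFW` turns the firewall on without declaring the default incoming policy, so the role relies on whatever /etc/default/ufw ships on the host rather than stating the intended posture; add an explicit default-deny task before the enable so the policy is visible in the playbook and survives a modified packaged default. The SSH rule hardcodes `port: "22"`; if the sshd role in the same play configures a non-default port (not visible here), enabling UFW would lock the host out, so consider sourcing the port from a variable shared with that role. The file also ends without a trailing newline.
```yaml
# … unchanged: Install UFW, Allow 22/tcp (SSH) …
- name: Default deny incoming
  community.general.ufw:
    policy: deny
    direction: incoming

# … unchanged: Enable UFW …
```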