Add UFW firewall for debian based distro

2024-04-17 11:19:14 +02:00 · 2024-04-17 11:19:14 +02:00 · f5c29bad3f
commit f5c29bad3f
parent b7c5c87319
4 changed files with 29 additions and 2 deletions
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@ -10,7 +10,9 @@
    - journald
    - sshd
    - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"

 - name: Resolver
  hosts: resolver
--- a/ansible/packer.yml
+++ b/ansible/packer.yml
@ -10,7 +10,9 @@
    - journald
    - sshd
    - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
  post_tasks:
    - name: Clean cloud-init
      ansible.builtin.command: cloud-init clean
--- a/ansible/roles/knot_resolver/tasks/main.yml
+++ b/ansible/roles/knot_resolver/tasks/main.yml
@ -19,3 +19,12 @@
    mode: "0644"
  notify:
    - Restart knot resolver
+
+- name: Allow port 53 (DNS)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  with_items:
+    - { port: "53", proto: "tcp" }
+    - { port: "53", proto: "udp" }
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@ -0,0 +1,14 @@
+---
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+
+- name: Allow 22/tcp (SSH)
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled