Add UFW firewall for debian based distro

ansible/deploy.yml

@@ -10,7 +10,9 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
 
 - name: Resolver
   hosts: resolver

ansible/packer.yml

@@ -10,7 +10,9 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
   post_tasks:
     - name: Clean cloud-init
       ansible.builtin.command: cloud-init clean

ansible/roles/authentik/handlers/main.yml

@@ -1,19 +0,0 @@
----
-- name: Package cache update
-  become: true
-  ansible.builtin.package:
-    update_cache: true
-
-- name: Restart knot resolver
-  become: true
-  ansible.builtin.service:
-    state: restarted
-    name: kresd@{{ item }}.service
-  with_sequence: count={{ ansible_processor_vcpus }}
-
-- name: Enable knot resolver
-  become: true
-  ansible.builtin.service:
-    enabled: true
-    name: kresd@{{ item }}.service
-  with_sequence: count={{ ansible_processor_vcpus }}

ansible/roles/authentik/tasks/main.yml

@@ -1,21 +0,0 @@
----
-- name: Install knot repository
-  ansible.builtin.apt:
-    deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
-  notify:
-    - Package cache update
-
-- name: Install knot resolver
-  ansible.builtin.apt:
-    name: knot-resolver
-  notify:
-    - Enable knot resolver
-    - Restart knot resolver
-
-- name: Configure
-  ansible.builtin.template:
-    src: kresd.conf.j2
-    dest: /etc/knot-resolver/kresd.conf
-    mode: "0644"
-  notify:
-    - Restart knot resolver

ansible/roles/authentik/templates/kresd.conf.j2

@@ -1,26 +0,0 @@
-net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
-cache.size = 128 * MB
-modules = {
-	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
-	'predict',          -- Prefetch expiring/frequent records
-}
-
-modules.load('prefill')
-prefill.config({
-    ['.'] = {
-        url = 'https://www.internic.net/domain/root.zone',
-        interval = 86400, -- seconds
-    }
-})
-
-modules.load('view')
-view:addr('127.0.0.0/8', policy.all(policy.PASS))
-view:addr('::1/128', policy.all(policy.PASS))
-{% for prefix in kresd_allow %}
-view:addr('{{ prefix }}', policy.all(policy.PASS))
-{% endfor %}
-view:addr('0.0.0.0/0', policy.all(policy.DROP))
-view:addr('::/0', policy.all(policy.DROP))
-
-log_target('stdout')
-log_level('debug') 

ansible/roles/fail2ban/templates/sshd.conf.j2

@@ -2,7 +2,7 @@
 enabled = true
 bantime = -1
 maxretry = 3
-{% if ansible_facts['os_family'] == "RedHat" %}
 backend = systemd
+{% if ansible_facts['os_family'] == "RedHat" %}
 banaction = firewallcmd-ipset
 {% endif %}

ansible/roles/knot_resolver/tasks/main.yml

@@ -19,3 +19,12 @@
     mode: "0644"
   notify:
     - Restart knot resolver
+
+- name: Allow port 53 (DNS)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  with_items:
+    - { port: "53", proto: "tcp" }
+    - { port: "53", proto: "udp" }

ansible/roles/ufw/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+
+- name: Allow 22/tcp (SSH)
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled