UNPKG

@installdoc/ansible-gas-station

Version:

An Ansible playbook that provisions your network with software from GitHub Awesome lists, developed with disaster recovery in mind ⛽🔥🤤

171 lines (151 loc) 3.83 kB
--- - name: Install UFW package: name: ufw state: present - name: Reset UFW ufw: state: reset when: ufw_reset - name: Copy over UFW application policies copy: src: files/ufw/ dest: /etc/ufw/applications.d owner: root mode: 0644 - name: Set default incoming policy to deny ufw: default: deny direction: incoming - name: Enable UFW logging ufw: logging: "on" ignore_errors: true - name: Allow (but limit) SSH connections from select networks ufw: rule: limit port: "{{ ssh_port }}" proto: tcp src: "{{ item }}" comment: Allow and limit SSH connections loop: - "{{ lan_network.management }}" - "{{ lan_network.work }}" - "{{ main_ip_address }}" when: (vlan | default('cloud')) != 'cloud' - name: Allow (but limit) SSH connections from anywhere ufw: rule: limit port: "{{ ssh_port }}" proto: tcp comment: Allow SSH connections originating from the Internet when: (vlan | default('cloud')) == 'cloud' - name: Allow apt-cacher-ng access ufw: rule: allow name: "AptCacherNG" src: "{{ item }}" comment: Allow access to apt-cacher-ng loop: - "{{ lan_network.iot }}" - "{{ lan_network.kubernetes }}" - "{{ lan_network.management }}" - "{{ lan_network.offline }}" - "{{ lan_network.unifi }}" - "{{ lan_network.work }}" when: ('apt' in apps) - name: Allow RDP access ufw: rule: allow name: "RDP" src: "{{ item }}" comment: Allow RDP loop: - "{{ lan_network.work }}" when: "'desktop' in group_names" - name: Allow remote Docker access ufw: rule: allow port: "2424" proto: tcp src: "{{ hosts.portainer.ip_address }}" comment: Allow access to Docker from Portainer when: not ("'portainer' in apps") - name: Allow TFTP access to Netboot.xyz ufw: rule: allow name: "NetbootXYZ" src: "{{ item }}" comment: Allow TFTP access for booting iPXE files loop: - "{{ lan_network.iot }}" - "{{ lan_network.kubernetes }}" - "{{ lan_network.management }}" - "{{ lan_network.offline }}" - "{{ lan_network.unifi }}" - "{{ lan_network.work }}" when: ('netboot' in apps) - name: Allow access to Plex Media Server from LAN ufw: rule: allow name: "PlexMediaServer Full" src: "{{ item }}" comment: Allow full access to Plex Media Server from LAN loop: - "{{ lan_network.iot }}" - "{{ lan_network.work }}" when: ('plex' in apps) - name: Allow access to Plex Media Server from Internet ufw: rule: allow port: "32400" proto: tcp comment: Allow access to Plex Media Server from Internet when: ('plex' in apps) - name: Allow printer sharing ufw: rule: allow name: "CUPS" src: "{{ item }}" comment: Allow printer sharing loop: - "{{ lan_network.iot }}" - "{{ lan_network.work }}" when: ('cups' in apps) - name: Allow MAAS communication ufw: rule: allow name: "MAAS" src: "{{ item }}" comment: Allow MAAS communication loop: - "{{ lan_network.kubernetes }}" when: ('maas' in apps) - name: Allow UniFi access ufw: rule: allow name: "UniFi" comment: Allow UniFi communication src: "{{ item }}" loop: - "{{ lan_network.unifi }}" when: ('unifilab' in apps) - name: Allow HTTP/HTTPS access from LAN ufw: rule: allow name: "Nginx Full" comment: Allow access to NGINX from LAN src: "{{ item }}" loop: "{{ rc1918_networks }}" when: - not ('nuc' in apps) - (vlan | default('cloud')) != 'cloud' - name: Allow HTTP/HTTPS access from internet ufw: rule: allow name: "Nginx Full" comment: Allow access to NGINX from internet when: ('nuc' in apps) or ((vlan | default('cloud')) == 'cloud') - name: Enable UFW ufw: state: enabled