---
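- name: Install UFW
  package:
    name: ufw
    state: present

# ufw's `reset` returns the firewall to installation defaults, which includes
# disabling it and dropping every existing rule. Nothing is filtered from here
# until the final "Enable UFW" task, so keep this play short on exposed hosts.
# When ufw_reset is false the ufw module is additive: rules removed from this
# file stay installed on the host until the next reset.
- name: Reset UFW
  ufw:
    state: reset
  # default(false) keeps hosts that never define ufw_reset from failing the
  # conditional; bool normalises "yes"/"no" strings passed via inventory or
  # --extra-vars.
  when: ufw_reset | default(false) | bool

# Application profiles referenced by `name:` in the rules below. ufw trusts
# these files to decide which ports a profile opens, so they must be
# root-owned and not group/world-writable. The trailing slash on src copies
# the directory's contents rather than the directory itself.
- name: Copy over UFW application policies
  copy:
    src: files/ufw/
    dest: /etc/ufw/applications.d
    owner: root
    group: root
    mode: "0644"

# Everything not explicitly allowed below is dropped; outgoing traffic is left
# at ufw's own default.
- name: Set default incoming policy to deny
  ufw:
    default: deny
    direction: incoming

# Best effort: a failure here is printed by Ansible as "...ignoring" and the
# play continues without firewall logging, so check the run output for it.
- name: Enable UFW logging
  ufw:
    logging: "on"
  ignore_errors: true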
# Both SSH tasks use ufw's `limit` rule, which rate-limits new connections per
# source rather than plainly allowing them (slows password brute-forcing).
# NOTE(review): `vlan | default('cloud')` fails open — a host with no `vlan`
# defined is treated as a cloud host and gets SSH reachable from any source.
# Consider requiring `vlan` to be set explicitly in inventory instead.
- name: Allow (but limit) SSH connections from select networks
  ufw:
    rule: limit
    port: "{{ ssh_port }}"
    proto: tcp
    src: "{{ item }}"
    comment: Allow and limit SSH connections
  loop:
    - "{{ lan_network.management }}"
    - "{{ lan_network.work }}"
    - "{{ main_ip_address }}"
  when: (vlan | default('cloud')) != 'cloud'

# Cloud hosts have no trusted LAN segment, so SSH is opened to the Internet but
# still rate-limited; the default-deny policy covers every other port.
- name: Allow (but limit) SSH connections from anywhere
  ufw:
    rule: limit
    port: "{{ ssh_port }}"
    proto: tcp
    comment: Allow SSH connections originating from the Internet
  when: (vlan | default('cloud')) == 'cloud'
# apt-cacher-ng is reachable from every LAN segment that installs packages.
# The ports come from the "AptCacherNG" profile — presumably one of the files
# copied into /etc/ufw/applications.d above; verify the profile name matches.
- name: Allow apt-cacher-ng access
  ufw:
    rule: allow
    name: "AptCacherNG"
    src: "{{ item }}"
    comment: Allow access to apt-cacher-ng
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.kubernetes }}"
    - "{{ lan_network.management }}"
    - "{{ lan_network.offline }}"
    - "{{ lan_network.unifi }}"
    - "{{ lan_network.work }}"
  when: ('apt' in apps)

# RDP only from the work segment, and only on hosts in the `desktop` inventory
# group — unlike the other tasks this is keyed on group membership, not `apps`.
- name: Allow RDP access
  ufw:
    rule: allow
    name: "RDP"
    src: "{{ item }}"
    comment: Allow RDP
  loop:
    - "{{ lan_network.work }}"
  when: "'desktop' in group_names"
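# Hosts that do not run Portainer themselves need their Docker API reachable
# from the Portainer host; the Portainer host talks to its own daemon locally.
# The previous condition, `not ("'portainer' in apps")`, negated a non-empty
# string literal and was therefore always false — this rule was never
# installed on any host.
# NOTE(review): the Docker remote API is root-equivalent on the host. This
# rule only narrows the source to the Portainer address; whether the daemon
# listening on 2424 (not the 2375/2376 defaults — confirm against the daemon
# config) requires TLS client certificates is configured elsewhere and is not
# verified here.
- name: Allow remote Docker access
  ufw:
    rule: allow
    port: "2424"
    proto: tcp
    src: "{{ hosts.portainer.ip_address }}"
    comment: Allow access to Docker from Portainer
  when: ('portainer' not in apps)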
# netboot.xyz serves iPXE files over TFTP to every LAN segment that may
# PXE-boot; ports come from the "NetbootXYZ" profile.
- name: Allow TFTP access to Netboot.xyz
  ufw:
    rule: allow
    name: "NetbootXYZ"
    src: "{{ item }}"
    comment: Allow TFTP access for booting iPXE files
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.kubernetes }}"
    - "{{ lan_network.management }}"
    - "{{ lan_network.offline }}"
    - "{{ lan_network.unifi }}"
    - "{{ lan_network.work }}"
  when: ('netboot' in apps)

# Full Plex profile (all of its ports) only for the client segments: iot (TVs,
# media players) and work. Other segments are deliberately left out here.
- name: Allow access to Plex Media Server from LAN
  ufw:
    rule: allow
    name: "PlexMediaServer Full"
    src: "{{ item }}"
    comment: Allow full access to Plex Media Server from LAN
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.work }}"
  when: ('plex' in apps)

# NOTE(review): no `src`, so 32400/tcp is open to any address on every host
# that runs Plex, regardless of `vlan`. For that port this is broader than the
# LAN task above — on LAN hosts it also admits the segments (kubernetes,
# unifi, ...) the LAN task leaves out. If Internet access is only wanted on
# cloud hosts, gate this on `(vlan | default('cloud')) == 'cloud'` like the
# SSH and HTTP tasks.
- name: Allow access to Plex Media Server from Internet
  ufw:
    rule: allow
    port: "32400"
    proto: tcp
    comment: Allow access to Plex Media Server from Internet
  when: ('plex' in apps)

# CUPS printer sharing for the segments that have printers/clients.
- name: Allow printer sharing
  ufw:
    rule: allow
    name: "CUPS"
    src: "{{ item }}"
    comment: Allow printer sharing
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.work }}"
  when: ('cups' in apps)

# MAAS only talks to the machines it provisions, on the kubernetes segment.
- name: Allow MAAS communication
  ufw:
    rule: allow
    name: "MAAS"
    src: "{{ item }}"
    comment: Allow MAAS communication
  loop:
    - "{{ lan_network.kubernetes }}"
  when: ('maas' in apps)

# UniFi controller traffic (device adoption/inform) from the UniFi segment only.
- name: Allow UniFi access
  ufw:
    rule: allow
    name: "UniFi"
    comment: Allow UniFi communication
    src: "{{ item }}"
  loop:
    - "{{ lan_network.unifi }}"
  when: ('unifilab' in apps)
# HTTP/HTTPS from private address space only, on LAN hosts that are not the
# `nuc` (the nuc and cloud hosts get the unrestricted rule below instead).
# NOTE(review): `rc1918_networks` reads like a typo of rfc1918_networks
# (the RFC 1918 private ranges). The variable is defined outside this file, so
# keep the name in sync with group_vars rather than renaming it here.
- name: Allow HTTP/HTTPS access from LAN
  ufw:
    rule: allow
    name: "Nginx Full"
    comment: Allow access to NGINX from LAN
    src: "{{ item }}"
  loop: "{{ rc1918_networks }}"
  when:
    - not ('nuc' in apps)
    - (vlan | default('cloud')) != 'cloud'

# Internet-facing web hosts: the nuc (whatever its `vlan`) and any cloud host.
# As with SSH, an undefined `vlan` lands a host in this branch.
- name: Allow HTTP/HTTPS access from internet
  ufw:
    rule: allow
    name: "Nginx Full"
    comment: Allow access to NGINX from internet
  when: ('nuc' in apps) or ((vlan | default('cloud')) == 'cloud')
# Enabled last so all rules are staged while ufw is still disabled (or freshly
# reset): the default-deny policy and the SSH allow rule take effect together
# instead of locking the control node out mid-run.
- name: Enable UFW
  ufw:
    state: enabled