Add homeserver to infra
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
@@ -0,0 +1,67 @@
|
||||
---
|
||||
- name: update packages
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
become: yes
|
||||
|
||||
- name: install ufw
|
||||
apt:
|
||||
name: ufw
|
||||
state: present
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow SSH in UFW
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ ansible_ssh_port }}"
|
||||
proto: tcp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow wireguard port in UFW
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ wireguard_port }}"
|
||||
proto: udp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Set ufw logging
|
||||
ufw:
|
||||
logging: "on"
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: inter-node Wireguard UFW connectivity
|
||||
ufw:
|
||||
rule: allow
|
||||
src: "{{ hostvars[item].wireguard_ip }}"
|
||||
with_items: "{{ groups['all'] }}"
|
||||
become: yes
|
||||
when: ufw_enabled and item != inventory_hostname
|
||||
|
||||
- name: Reject everything and enable UFW
|
||||
ufw:
|
||||
state: enabled
|
||||
policy: reject
|
||||
log: yes
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow 6443 in UFW /tcp
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "6443"
|
||||
proto: tcp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow 6443 in UFW udp
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "6443"
|
||||
proto: udp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
Reference in New Issue
Block a user