Arch Linux
infrastructure
Commits
59807399
Commit
59807399
authored
Mar 06, 2018
by
Phillip Smith (fukawi2)
initial commit of firewalld role and tasks
parent
e28df1c7
Changes
13
playbooks/all-hosts-basic.yml
...
...
@@ -13,3 +13,4 @@
# here. this also probably doesn't work nicely for old hosts yet
-
{
role
:
borg-client
,
tags
:
[
"
borg"
],
when
:
"
'borg-clients'
in
group_names"
}
-
{
role
:
zabbix-agent
,
tags
:
[
"
zabbix"
,
"
zabbix-agent"
],
when
:
"
'unmanaged'
not
in
group_names"
}
-
{
role
:
firewalld
,
tags
:
[
'
firewalld'
]
}
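Review bot: The `firewalld` role is appended as the last entry of the role list, but roles changed elsewhere in this commit (sshd, zabbix-agent) now call the `firewalld` module, which needs firewalld and its Python bindings installed on the host. If those roles sit earlier in this list (the lines above the hunk are not visible), their new tasks would run before the package is installed on a fresh host. Move `- { role: firewalld, tags: ['firewalld'] }` ahead of the roles that open ports, or declare it as a dependency in each such role's `meta/main.yml`. The entry also has no `when:` guard, unlike the zabbix-agent line, so hosts in the 'unmanaged' group would get a firewall too; confirm that is intended.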
playbooks/apollo.yml
...
...
@@ -47,3 +47,6 @@
-
{
role
:
zabbix-server
,
tags
:
[
"
zabbix"
,
"
zabbix-server"
]
}
-
{
role
:
grafana
,
tags
:
[
"
grafana"
]
}
-
{
role
:
archwiki
,
tags
:
[
"
archwiki"
]
}
tasks
:
-
name
:
open firewall hole for hefurd
firewalld
:
port=6969/tcp permanent=true state=enabled
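Review bot: `permanent=true state=enabled` without `immediate=true` writes only the permanent configuration; the running firewall keeps its current rules until firewalld is reloaded or restarted. On a host where firewalld is already running, 6969/tcp would stay closed even though the task reports a change. Add `immediate=true` (`firewalld: port=6969/tcp permanent=true immediate=true state=enabled`) or notify a handler that reloads firewalld. The same applies to every `firewalld:` task added in this commit (dbscripts, dovecot, mariadb, nginx, postfix, postgres, quassel, sshd, syncrepo, zabbix-agent).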
roles/dbscripts/tasks/main.yml
...
...
@@ -228,6 +228,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes for rsync
firewalld
:
service=rsyncd permanent=true state=enabled
-
name
:
configure svnserve
copy
:
dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
...
...
@@ -237,6 +240,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes for svnserve
firewalld
:
port=3690/tcp permanent=true state=enabled
-
name
:
install systemd timers
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
...
...
roles/dovecot/tasks/main.yml
...
...
@@ -20,3 +20,10 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
pop3
-
pop3s
-
imap
-
imaps
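Review bot: The item list opens the cleartext `pop3` and `imap` services alongside `pop3s` and `imaps`, and to every source. Unless the dovecot configuration (not visible here) refuses plaintext authentication before STARTTLS, credentials could cross the network unencrypted on those two ports. If clients only need the TLS ports, drop `pop3` and `imap` from `with_items`. Otherwise add a comment above the task such as `# 110/143 stay open for STARTTLS clients; plaintext auth is disabled in the dovecot config`, so the exposure is a recorded decision.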
roles/firewalld/tasks/main.yml
0 → 100644
---
-
name
:
install firewalld
pacman
:
name=firewalld state=present
-
name
:
start and enable firewalld
service
:
name=firewalld enabled=yes state=started
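Review bot: The role starts firewalld with whatever default zone the package ships and never sets or documents one, so the effective inbound policy of every host is defined outside this repository. Once the service starts, any listener whose role did not gain a `firewalld:` task in this commit is likely to be cut off, unless the default zone happens to allow it. Add a header comment recording that contract, e.g. `# rules from service roles land in the default zone; a role that listens on the network must open its own port`. `enabled=yes` would also read more consistently as `enabled=true`, matching the `permanent=true` used in the other tasks.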
roles/mariadb/tasks/main.yml
...
...
@@ -47,3 +47,9 @@
-
name
:
install zabbix mysql config
template
:
src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600
# the source addresses here could be tightened up more, but it's far better
# than having mariadb open to the world
-
name
:
open firewall holes to other infrastructure hosts
firewalld
:
service=mysql permanent=true state=enabled source={{item}}
with_items
:
"
{{
groups['all']
}}"
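Review bot: `service=mysql ... source={{item}}` probably does not limit MySQL to the listed hosts: as far as I know the `firewalld` module treats `service` and `source` as two independent zone settings, so this enables the mysql service for the whole zone and separately binds each source to that zone. That would leave the port reachable from anywhere the zone applies, contrary to the comment above the task. A per-source allow needs a rich rule, e.g. `firewalld: rich_rule='rule family="ipv4" source address="{{ item }}" service name="mysql" accept' permanent=true state=enabled`. `groups['all']` also yields inventory hostnames, while a firewalld source has to be an address or network, so the list needs mapping to addresses first. The postgres hunk (`source={{item}}` over `postgres_ssl_hosts`) uses the same construct.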
roles/nginx/tasks/main.yml
...
...
@@ -68,3 +68,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
http
-
https
roles/postfix/tasks/main.yml
...
...
@@ -70,3 +70,10 @@
with_items
:
-
compat_maps
-
compat_maps.db
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
smtp
-
smtp-submission
when
:
postfix_smtpd_public
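Review bot: The rule is only ever added: when `postfix_smtpd_public` is false the task is skipped, so a host that was public once keeps `smtp` and `smtp-submission` open in its permanent configuration. Drive the state from the variable instead of skipping, e.g. `state={{ 'enabled' if postfix_smtpd_public else 'disabled' }}` with the `when:` removed. The `with_items` block at the top of the hunk belongs to a task that starts outside it.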
roles/postgres/tasks/main.yml
...
...
@@ -52,3 +52,7 @@
copy
:
src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
remote_src=true owner=postgres group=postgres mode=0400
when
:
postgres_ssl == 'on'
-
name
:
open firewall holes to known postgresql clients
firewalld
:
service=postgresql permanent=true state=enabled source={{item}}
with_items
:
"
{{
postgres_ssl_hosts
}}"
roles/quassel/tasks/main.yml
...
...
@@ -68,3 +68,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
port=4242/tcp permanent=true state=enabled
roles/sshd/tasks/main.yml
...
...
@@ -19,3 +19,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service=ssh permanent=true state=enabled
roles/syncrepo/tasks/main.yml
...
...
@@ -53,3 +53,6 @@
-
reload nginx
when
:
'
mirror_domain
is
defined'
tags
:
[
'
nginx'
]
-
name
:
open firewall holes
firewalld
:
service=rsyncd permanent=true state=enabled
roles/zabbix-agent/tasks/main.yml
...
...
@@ -60,3 +60,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service=zabbix-agent permanent=true state=enabled
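Review bot: `service=zabbix-agent` opens the agent port to every source, although only the monitoring server needs to reach it. The agent's own `Server=` allow-list (if the role's template sets it) is then the only barrier. Consider restricting the rule to the server, e.g. `rich_rule='rule family="ipv4" source address="<zabbix-server-address>" service name="zabbix-agent" accept'`, with the address taken from whatever variable the role already uses for the server.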