Commit b1744e69 authored by Phillip Smith's avatar Phillip Smith

Merge branch 'wip/add-firewalld'

parents cd0b3273 ef9f4b83
......@@ -13,3 +13,4 @@
# here. this also probably doesn't work nicely for old hosts yet
- { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
- { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" }
- { role: firewalld, tags: ['firewall'] }
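Review bot: The new role entry quotes its tag with single quotes (`tags: ['firewall']`) while the two entries above it use double quotes (`tags: ["borg"]`, `tags: ["zabbix", "zabbix-agent"]`); match the file's existing style with `- { role: firewalld, tags: ["firewall"] }`. The neighbouring roles are also gated with `when:` (the zabbix-agent entry excludes the 'unmanaged' group), whereas this one runs unconditionally, so firewalld is presumably installed and started on unmanaged hosts as well — if that is not intended, add the same guard. The enclosing roles list starts before the hunk.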
......@@ -47,3 +47,6 @@
- { role: zabbix-server, tags: ["zabbix", "zabbix-server"] }
- { role: grafana, tags: ["grafana"] }
- { role: archwiki, tags: ["archwiki"] }
tasks:
- name: open firewall hole for hefurd
firewalld: port=6969/tcp permanent=true state=enabled
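Review bot: `permanent=true state=enabled` without `immediate=true` writes the rule only to firewalld's permanent configuration, so the running firewall is unchanged until the next reload or restart and the port stays closed after the play finishes. Add the flag here, `firewalld: port=6969/tcp permanent=true state=enabled immediate=true`, and the same applies to every other firewalld task in this commit (rsyncd, svnserve, dovecot, mysql, nginx, postfix, postgresql, quassel, ssh, the mirror's rsyncd and zabbix-agent). The `tasks:` section is new in this play and the rendered hunk does not show its indentation, so check that it sits at the same level as the `roles:` list that starts before the hunk.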
......@@ -228,6 +228,9 @@
- name: enable systemd ressource accounting
command: systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes for rsync
firewalld: service=rsyncd permanent=true state=enabled
- name: configure svnserve
copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
......@@ -237,6 +240,9 @@
- name: enable systemd ressource accounting
command: systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes for svnserve
firewalld: port=3690/tcp permanent=true state=enabled
- name: install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
......@@ -20,3 +20,10 @@
- name: enable systemd ressource accounting
command: systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- pop3
- pop3s
- imap
- imaps
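Review bot: The with_items list opens the plaintext `pop3` and `imap` services alongside `pop3s` and `imaps`. If dovecot's plaintext listeners are configured to require STARTTLS before authentication this is fine; if not, consider dropping `pop3` and `imap` from the list so credentials can only travel over the TLS ports. Either way a one-line comment on the task stating whether the plaintext listeners are STARTTLS-only would save the next reader the same question. The enclosing task list starts before the hunk.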
---
- name: install firewalld
pacman: name=firewalld state=present
- name: start and enable firewalld
service: name=firewalld enabled=yes state=started
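Review bot: `state=started` brings firewalld up with its default zone as soon as this role runs, while the per-service rules added elsewhere in this commit are written to the permanent configuration only; on a host that already serves traffic this presumably leaves every service not in the default zone's allow list unreachable from the moment the role runs until the firewall is next reloaded. Consider adding a handler in this role (`command: firewall-cmd --reload`) that the service tasks notify, or at least documenting the first-run impact above the service task. `enabled=yes` is an Ansible truthy string; `enabled=true` is the canonical form.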
......@@ -47,3 +47,9 @@
- name: install zabbix mysql config
template: src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600
# the source addresses here could be tightened up more, but it's far better
# than having mariadb open to the world
- name: open firewall holes to other infrastructure hosts
firewalld: service=mysql permanent=true state=enabled source={{item}}
with_items: "{{ groups['all'] }}"
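Review bot: `source={{item}}` over `groups['all']` feeds inventory hostnames into firewalld's `source` parameter, which takes an address or CIDR prefix (or a MAC/ipset), so unless the inventory names are literal IP addresses each iteration fails. Resolve to an address first, e.g. `source={{ hostvars[item]['ansible_default_ipv4']['address'] }}` (needs facts gathered for those hosts), or maintain an explicit CIDR list variable; the postgresql task below that iterates `postgres_ssl_hosts` with the same `source={{item}}` shape should be checked the same way. `groups['all']` also includes the host itself and any unmanaged hosts, which is presumably what the added comment about tightening the sources refers to. The enclosing task list starts before the hunk.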
......@@ -68,3 +68,9 @@
- name: enable systemd ressource accounting
command: systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- http
- https
......@@ -70,3 +70,10 @@
with_items:
- compat_maps
- compat_maps.db
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- smtp
- smtp-submission
when: postfix_smtpd_public
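Review bot: `when: postfix_smtpd_public` evaluates a bare variable, so on any host where it is not defined the task fails with an undefined-variable error instead of skipping; if the variable is not in the role's defaults, use `when: postfix_smtpd_public | default(false)` (adding `| bool` if it may arrive as a string from inventory). The `when` applies per item here, which is what is wanted, but placed after `with_items` it can be read as belonging to the list — putting it directly under `name` makes the scope obvious. The enclosing task list starts before the hunk.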
......@@ -52,3 +52,7 @@
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql clients
firewalld: service=postgresql permanent=true state=enabled source={{item}}
with_items: "{{ postgres_ssl_hosts }}"
......@@ -68,3 +68,6 @@
- name: enable systemd ressource accounting
command: systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: port=4242/tcp permanent=true state=enabled
......@@ -19,3 +19,6 @@
- name: enable systemd ressource accounting
command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service=ssh permanent=true state=enabled
......@@ -53,3 +53,6 @@
- reload nginx
when: 'mirror_domain is defined'
tags: ['nginx']
- name: open firewall holes
firewalld: service=rsyncd permanent=true state=enabled
......@@ -60,3 +60,6 @@
- name: enable systemd ressource accounting
command: systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service=zabbix-agent permanent=true state=enabled
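Review bot: `service=zabbix-agent` opens the agent port to every source, but only the Zabbix server needs to reach it; the mysql task in this same commit already shows the pattern (`source={{item}}` with a host list), so the same restriction fits here, e.g. `firewalld: service=zabbix-agent permanent=true state=enabled source=<zabbix-server-address-or-cidr>` with the address taken from inventory rather than hard-coded. If the server's address is not available as a variable yet, a comment on the task noting that the rule is deliberately unrestricted would make the choice explicit. The enclosing task list starts before the hunk.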