Commit b1744e69 authored by Phillip Smith's avatar Phillip Smith

Merge branch 'wip/add-firewalld'

parents cd0b3273 ef9f4b83
...@@ -13,3 +13,4 @@ ...@@ -13,3 +13,4 @@
# here. this also probably doesn't work nicely for old hosts yet # here. this also probably doesn't work nicely for old hosts yet
- { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" } - { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
- { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" } - { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" }
- { role: firewalld, tags: ['firewall'] }
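Review bot: The firewalld role is appended after borg-client and zabbix-agent, yet the zabbix-agent role now carries a `firewalld:` task of its own, so on a fresh host that task runs before firewalld (and the python bindings the module needs) are installed and fails. Move the entry to the front of the roles list, `- { role: firewalld, tags: ['firewall'] }` as the first role, or at least ahead of every role that opens holes. The roles list starts outside the hunk, so the other plays in this file that include these roles should be checked for the same ordering. Minor: the neighbouring entries quote their tag lists with double quotes, this one with single quotes.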
...@@ -47,3 +47,6 @@ ...@@ -47,3 +47,6 @@
- { role: zabbix-server, tags: ["zabbix", "zabbix-server"] } - { role: zabbix-server, tags: ["zabbix", "zabbix-server"] }
- { role: grafana, tags: ["grafana"] } - { role: grafana, tags: ["grafana"] }
- { role: archwiki, tags: ["archwiki"] } - { role: archwiki, tags: ["archwiki"] }
tasks:
- name: open firewall hole for hefurd
firewalld: port=6969/tcp permanent=true state=enabled
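Review bot: `permanent=true` without `immediate=true` only writes the rule into firewalld's permanent configuration; the running firewall is untouched until a reload, so on a host where firewalld is already up hefurd remains unreachable after the play. Use `firewalld: port=6969/tcp permanent=true immediate=true state=enabled` (or notify a handler that reloads firewalld); the same applies to every `firewalld:` task in this commit. The task sits at play level rather than in a role, so it runs on every host this play targets — presumably only the hefurd host, but worth confirming. A comment such as `# hefurd tracker listens on 6969/tcp` would document the magic port.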
...@@ -228,6 +228,9 @@ ...@@ -228,6 +228,9 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes for rsync
firewalld: service=rsyncd permanent=true state=enabled
- name: configure svnserve - name: configure svnserve
copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n" copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
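Review bot: The rsyncd hole is permanent-only, so it is not applied to the running firewall until the next reload — add `immediate=true`: `firewalld: service=rsyncd permanent=true immediate=true state=enabled`. Opening 873/tcp to all sources is presumably intended for a public rsync mirror, but note that the rule exposes whatever modules rsyncd.conf defines, so any non-public module on this host must be restricted in rsyncd itself. The surrounding task list continues on both sides of the hunk.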
...@@ -237,6 +240,9 @@ ...@@ -237,6 +240,9 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes for svnserve
firewalld: port=3690/tcp permanent=true state=enabled
- name: install systemd timers - name: install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items: with_items:
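Review bot: Same permanent-only issue as the other firewall tasks in this commit: without `immediate=true` the svnserve hole does not reach the runtime firewall until a reload, so write `firewalld: port=3690/tcp permanent=true immediate=true state=enabled`. The preceding `SVNSERVE_ARGS=-R` keeps svnserve read-only, which is consistent with exposing 3690/tcp to all sources; a one-line comment `# svn:// read-only access, svnserve runs with -R` next to the task would make that link explicit. The `with_items` list of the timers task is cut off at the hunk edge.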
......
...@@ -20,3 +20,10 @@ ...@@ -20,3 +20,10 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- pop3
- pop3s
- imap
- imaps
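Review bot: The loop opens the cleartext pop3 (110) and imap (143) ports next to pop3s/imaps; that is only appropriate if dovecot offers STARTTLS on them with plaintext auth disabled, which this hunk cannot show — confirm, and drop `pop3`/`imap` from the list if only the TLS-wrapped ports are meant to be reachable. Add `immediate=true` so the runtime firewall is updated rather than just the permanent configuration. A comment such as `# 110/143 kept for STARTTLS; plaintext auth is disabled in dovecot.conf` would record the decision for the next reader.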
---
- name: install firewalld
pacman: name=firewalld state=present
- name: start and enable firewalld
service: name=firewalld enabled=yes state=started
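Review bot: Starting firewalld with its stock configuration puts every interface into the `public` zone, whose upstream default allows only `ssh` and `dhcpv6-client`; on an existing host every other listening service is cut off from this task onward, and the per-role holes added in this commit are permanent-only, so they do not take effect until a reload. Consider making the zone policy explicit here (a task that sets the default zone and, if IPv6 autoconfiguration is not used, removes `dhcpv6-client`), and have this role run before any role that calls the `firewalld` module. Style: use `enabled=true` rather than `enabled=yes` to match the `permanent=true` spelling used by the other tasks in this commit. The file would also benefit from a header comment, e.g. `# installs and starts firewalld; per-service holes are opened by the individual roles`.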
...@@ -47,3 +47,9 @@ ...@@ -47,3 +47,9 @@
- name: install zabbix mysql config - name: install zabbix mysql config
template: src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600 template: src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600
# the source addresses here could be tightened up more, but it's far better
# than having mariadb open to the world
- name: open firewall holes to other infrastructure hosts
firewalld: service=mysql permanent=true state=enabled source={{item}}
with_items: "{{ groups['all'] }}"
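Review bot: `service=mysql source={{item}}` does not restrict mysql to those hosts: in the firewalld module (2.x behaviour, re-check against the version in use) `service` and `source` are independent operations on the zone, so this task enables mysql for every client of the default zone and separately binds each source to that zone — the opposite of what the comment promises. Restricting requires a dedicated zone, i.e. `firewalld: zone=internal source={{item}} permanent=true immediate=true state=enabled` for the sources plus `firewalld: zone=internal service=mysql permanent=true immediate=true state=enabled` for the service, leaving `public` without mysql, or one rich rule per source. firewalld sources must be IP addresses or CIDRs, not hostnames, so if the inventory names in `groups['all']` are hostnames they need to be mapped to an address (e.g. via `hostvars[item]`) first. Please reword the comment once fixed so it describes the actual restriction.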
...@@ -68,3 +68,9 @@ ...@@ -68,3 +68,9 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- http
- https
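Review bot: Add `immediate=true` here as well (`firewalld: service={{item}} permanent=true immediate=true state=enabled`); otherwise http/https are only permitted after the next firewalld reload on hosts where it is already running. Opening 80/443 to all sources is the expected posture for a webserver role, so no further restriction is needed here.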
...@@ -70,3 +70,10 @@ ...@@ -70,3 +70,10 @@
with_items: with_items:
- compat_maps - compat_maps
- compat_maps.db - compat_maps.db
- name: open firewall holes
firewalld: service={{item}} permanent=true state=enabled
with_items:
- smtp
- smtp-submission
when: postfix_smtpd_public
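Review bot: `smtp-submission` is a comparatively recent firewalld service definition; on a host with an older firewalld the module fails with an unknown-service error, so confirm `firewall-cmd --get-services` lists it or use `port=587/tcp` for that entry. `when: postfix_smtpd_public` raises an undefined-variable error on hosts that do not set it — either `when: postfix_smtpd_public | default(false)` or a role default is needed. Add `immediate=true` so the runtime firewall is updated, not only the permanent configuration.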
...@@ -52,3 +52,7 @@ ...@@ -52,3 +52,7 @@
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }} copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
remote_src=true owner=postgres group=postgres mode=0400 remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on' when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql clients
firewalld: service=postgresql permanent=true state=enabled source={{item}}
with_items: "{{ postgres_ssl_hosts }}"
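Review bot: As with the mysql task in this commit, `service=postgresql source={{item}}` enables postgresql for every client of the default zone and separately adds each host as a zone source; it does not limit postgresql to `postgres_ssl_hosts` (2.x module behaviour — verify against your version). Use a separate zone for both the `source` and the `service` operations, or a rich rule of the form `rule family=ipv4 source address=... service name=postgresql accept`, and make sure the loop values are addresses or CIDRs rather than hostnames. The task also runs regardless of `postgres_ssl`, so `postgres_ssl_hosts` needs a default (`{{ postgres_ssl_hosts | default([]) }}`) or a matching `when`, or it fails on hosts where SSL is off.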
...@@ -68,3 +68,6 @@ ...@@ -68,3 +68,6 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: port=4242/tcp permanent=true state=enabled
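Review bot: Add `immediate=true` so the hole reaches the running firewall: `firewalld: port=4242/tcp permanent=true immediate=true state=enabled`. The port is a bare number; a comment such as `# 4242/tcp: quasselcore client port` (presumably what it is, given the service name above) would save the next reader a lookup.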
...@@ -19,3 +19,6 @@ ...@@ -19,3 +19,6 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service=ssh permanent=true state=enabled
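Review bot: `ssh` is already allowed in firewalld's stock `public` zone, so this task is a no-op there; keeping it makes the intent explicit and survives a tightened zone, but it only covers port 22 — if sshd listens elsewhere (its config is outside this hunk) use `port=<n>/tcp` instead. Add `immediate=true` for consistency with the fix needed in the other tasks, and consider a comment `# keep ssh reachable even if the default zone is tightened later`.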
...@@ -53,3 +53,6 @@ ...@@ -53,3 +53,6 @@
- reload nginx - reload nginx
when: 'mirror_domain is defined' when: 'mirror_domain is defined'
tags: ['nginx'] tags: ['nginx']
- name: open firewall holes
firewalld: service=rsyncd permanent=true state=enabled
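Review bot: The new task carries no `tags`, unlike the preceding nginx task with `tags: ['nginx']`; if this role is usually run with `--tags`, the hole is skipped, so give it a tag matching the role's other rsyncd tasks (outside the hunk), e.g. `tags: ['rsyncd', 'firewall']`. Add `immediate=true` so the runtime firewall changes without a reload. This duplicates the rsyncd hole added in the other rsyncd hunk of this commit, which is harmless if both roles run on the same host, but a single shared task would avoid the two drifting apart.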
...@@ -60,3 +60,6 @@ ...@@ -60,3 +60,6 @@
- name: enable systemd ressource accounting - name: enable systemd ressource accounting
command: systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes command: systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes
- name: open firewall holes
firewalld: service=zabbix-agent permanent=true state=enabled
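Review bot: `service=zabbix-agent` exposes the agent's passive-check port (10050/tcp in firewalld's definition) to every source, while only the Zabbix server needs to reach it; restrict the source, e.g. `firewalld: rich_rule='rule family=ipv4 source address={{ zabbix_server_ip }} service name=zabbix-agent accept' permanent=true immediate=true state=enabled` with a variable holding the server's address, or a dedicated zone, rather than relying solely on the agent's `Server=` allow-list. Whether `zabbix_agentd.conf` already restricts `Server=` is outside this hunk. Add `immediate=true` in any case so the change is applied to the running firewall.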