Dennis Hoppe
infrastructure
Commits
b1744e69
Commit
b1744e69
authored
Mar 08, 2018
by
Phillip Smith
Merge branch 'wip/add-firewalld'
parents
cd0b3273
ef9f4b83
Changes
13
playbooks/all-hosts-basic.yml
...
...
@@ -13,3 +13,4 @@
# here. this also probably doesn't work nicely for old hosts yet
-
{
role
:
borg-client
,
tags
:
[
"
borg"
],
when
:
"
'borg-clients'
in
group_names"
}
-
{
role
:
zabbix-agent
,
tags
:
[
"
zabbix"
,
"
zabbix-agent"
],
when
:
"
'unmanaged'
not
in
group_names"
}
-
{
role
:
firewalld
,
tags
:
[
'
firewall'
]
}
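Review bot: The `firewalld` role is listed after `zabbix-agent`, whose tasks (roles/zabbix-agent/tasks/main.yml in this commit) already call the `firewalld` module, so on a host without firewalld the module is used before the package is installed and the daemon started. Roles run in list order, so this entry should come before any role that opens ports; the start of the role list is outside this hunk, so the right position has to be checked there. The role also carries only the `firewall` tag, while the "open firewall holes" tasks inherit their own role's tags, so a run limited to `--tags zabbix` would reach a `firewalld:` task without this role having run. Declaring it as a dependency of the roles that open ports would cover both cases.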
playbooks/apollo.yml
...
...
@@ -47,3 +47,6 @@
-
{
role
:
zabbix-server
,
tags
:
[
"
zabbix"
,
"
zabbix-server"
]
}
-
{
role
:
grafana
,
tags
:
[
"
grafana"
]
}
-
{
role
:
archwiki
,
tags
:
[
"
archwiki"
]
}
tasks
:
-
name
:
open firewall hole for hefurd
firewalld
:
port=6969/tcp permanent=true state=enabled
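Review bot: `permanent=true` without `immediate=true` only writes the permanent configuration, so while firewalld is already running the port stays closed in the runtime rules until the next reload or restart. I would write `firewalld: port=6969/tcp permanent=true immediate=true state=enabled`, or notify a handler that reloads firewalld. The same applies to every `firewalld:` task added in this commit (dbscripts, dovecot, mariadb, nginx, postfix, postgres, quassel, sshd, syncrepo, zabbix-agent).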
roles/dbscripts/tasks/main.yml
...
...
@@ -228,6 +228,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes for rsync
firewalld
:
service=rsyncd permanent=true state=enabled
-
name
:
configure svnserve
copy
:
dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
...
...
@@ -237,6 +240,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes for svnserve
firewalld
:
port=3690/tcp permanent=true state=enabled
-
name
:
install systemd timers
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
...
...
roles/dovecot/tasks/main.yml
...
...
@@ -20,3 +20,10 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
pop3
-
pop3s
-
imap
-
imaps
roles/firewalld/tasks/main.yml
0 → 100644
---
-
name
:
install firewalld
pacman
:
name=firewalld state=present
-
name
:
start and enable firewalld
service
:
name=firewalld enabled=yes state=started
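Review bot: Nothing in this role pins the default zone, and every `firewalld:` task in the commit omits `zone=`, so which interfaces the opened services apply to depends on the packaged default configuration. A header comment should record that assumption, for example `# other roles add their rules to firewalld's default zone; ssh must be allowed there before this service is started`. As a style point, `enabled=yes` would read more consistently as `enabled=true`, matching the `permanent=true` used by the other tasks.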
roles/mariadb/tasks/main.yml
...
...
@@ -47,3 +47,9 @@
-
name
:
install zabbix mysql config
template
:
src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600
# the source addresses here could be tightened up more, but it's far better
# than having mariadb open to the world
-
name
:
open firewall holes to other infrastructure hosts
firewalld
:
service=mysql permanent=true state=enabled source={{item}}
with_items
:
"
{{
groups['all']
}}"
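Review bot: Passing `service=mysql` and `source={{item}}` in one task probably does not restrict MySQL to those sources. As far as I know the firewalld module applies the two options independently, enabling the service for the whole zone and separately binding each source to that zone, so the port would stay reachable from any address the zone covers, which is the opposite of what the comment above the task intends; this should be verified against the Ansible version in use. A per-source rich rule expresses the intent, e.g. `firewalld: rich_rule='rule family="ipv4" source address="{{item}}" service name="mysql" accept' permanent=true state=enabled`, as would a dedicated zone holding the sources and the service. `groups['all']` also yields inventory names, and firewalld sources have to be addresses or networks rather than hostnames, so the list would need resolving to IPs first. The postgres task in roles/postgres/tasks/main.yml uses the same `service` plus `source` pattern with `postgres_ssl_hosts` and needs the same check.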
roles/nginx/tasks/main.yml
...
...
@@ -68,3 +68,9 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
http
-
https
roles/postfix/tasks/main.yml
...
...
@@ -70,3 +70,10 @@
with_items
:
-
compat_maps
-
compat_maps.db
-
name
:
open firewall holes
firewalld
:
service={{item}} permanent=true state=enabled
with_items
:
-
smtp
-
smtp-submission
when
:
postfix_smtpd_public
roles/postgres/tasks/main.yml
...
...
@@ -52,3 +52,7 @@
copy
:
src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
remote_src=true owner=postgres group=postgres mode=0400
when
:
postgres_ssl == 'on'
-
name
:
open firewall holes to known postgresql clients
firewalld
:
service=postgresql permanent=true state=enabled source={{item}}
with_items
:
"
{{
postgres_ssl_hosts
}}"
roles/quassel/tasks/main.yml
...
...
@@ -68,3 +68,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
port=4242/tcp permanent=true state=enabled
roles/sshd/tasks/main.yml
...
...
@@ -19,3 +19,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service=ssh permanent=true state=enabled
roles/syncrepo/tasks/main.yml
...
...
@@ -53,3 +53,6 @@
-
reload nginx
when
:
'
mirror_domain
is
defined'
tags
:
[
'
nginx'
]
-
name
:
open firewall holes
firewalld
:
service=rsyncd permanent=true state=enabled
roles/zabbix-agent/tasks/main.yml
...
...
@@ -60,3 +60,6 @@
-
name
:
enable systemd ressource accounting
command
:
systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes
-
name
:
open firewall holes
firewalld
:
service=zabbix-agent permanent=true state=enabled
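Review bot: This task opens the agent port to every source, although only the Zabbix server (and any proxies) should need to reach it. If the server's address is available as a variable, a rich rule limited to that source would keep the agent unreachable from everywhere else. Otherwise add a comment above the task saying that access control is deliberately left to the agent's own `Server=` setting, so the open rule reads as a decision and not an oversight.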