Merge branch 'wip/add-firewalld'

b1744e69 · Phillip Smith · cd0b3273 · ef9f4b83 · b1744e69 · b1744e69
Commit b1744e69 authored Mar 08, 2018 by Phillip Smith
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -13,3 +13,4 @@
    # here. this also probably doesn't work nicely for old hosts yet
    - { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
    - { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" }
+    - { role: firewalld, tags: ['firewall'] }
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -47,3 +47,6 @@
    - { role: zabbix-server, tags: ["zabbix", "zabbix-server"] }
    - { role: grafana, tags: ["grafana"] }
    - { role: archwiki, tags: ["archwiki"] }
+  tasks:
+    - name: open firewall hole for hefurd
+      firewalld: port=6969/tcp permanent=true state=enabled
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -228,6 +228,9 @@
 - name: enable systemd ressource accounting
  command: systemctl set-property system-rsyncd.slice CPUAccounting=yes MemoryAccounting=yes

+- name: open firewall holes for rsync
+  firewalld: service=rsyncd permanent=true state=enabled
+
 - name: configure svnserve
  copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"

@@ -237,6 +240,9 @@
 - name: enable systemd ressource accounting
  command: systemctl set-property svnserve CPUAccounting=yes MemoryAccounting=yes

+- name: open firewall holes for svnserve
+  firewalld: port=3690/tcp permanent=true state=enabled
+
 - name: install systemd timers
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:

--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -20,3 +20,10 @@
 - name: enable systemd ressource accounting
  command: systemctl set-property dovecot CPUAccounting=yes MemoryAccounting=yes

+- name: open firewall holes
+  firewalld: service={{item}} permanent=true state=enabled
+  with_items:
+    - pop3
+    - pop3s
+    - imap
+    - imaps
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
+---
+
+- name: install firewalld
+  pacman: name=firewalld state=present
+
+- name: start and enable firewalld
+  service: name=firewalld enabled=yes state=started
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -47,3 +47,9 @@

 - name: install zabbix mysql config
  template: src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600
+
+  # the source addresses here could be tightened up more, but it's far better
+  # than having mariadb open to the world
+- name: open firewall holes to other infrastructure hosts
+  firewalld: service=mysql permanent=true state=enabled source={{item}}
+  with_items: "{{ groups['all'] }}"
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -68,3 +68,9 @@

 - name: enable systemd ressource accounting
  command: systemctl set-property nginx CPUAccounting=yes MemoryAccounting=yes
+
+- name: open firewall holes
+  firewalld: service={{item}} permanent=true state=enabled
+  with_items:
+    - http
+    - https
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -70,3 +70,10 @@
  with_items:
    - compat_maps
    - compat_maps.db
+
+- name: open firewall holes
+  firewalld: service={{item}} permanent=true state=enabled
+  with_items:
+    - smtp
+    - smtp-submission
+  when: postfix_smtpd_public
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -52,3 +52,7 @@
  copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
        remote_src=true owner=postgres group=postgres mode=0400
  when: postgres_ssl == 'on'
+
+- name: open firewall holes to known postgresql clients
+  firewalld: service=postgresql permanent=true state=enabled source={{item}}
+  with_items: "{{ postgres_ssl_hosts }}"
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -68,3 +68,6 @@

 - name: enable systemd ressource accounting
  command: systemctl set-property quassel CPUAccounting=yes MemoryAccounting=yes
+
+- name: open firewall holes
+  firewalld: port=4242/tcp permanent=true state=enabled
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -19,3 +19,6 @@

 - name: enable systemd ressource accounting
  command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
+
+- name: open firewall holes
+  firewalld: service=ssh permanent=true state=enabled
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -53,3 +53,6 @@
    - reload nginx
  when: 'mirror_domain is defined'
  tags: ['nginx']
+
+- name: open firewall holes
+  firewalld: service=rsyncd permanent=true state=enabled
--- a/roles/zabbix-agent/tasks/main.yml
+++ b/roles/zabbix-agent/tasks/main.yml
@@ -60,3 +60,6 @@

 - name: enable systemd ressource accounting
  command: systemctl set-property zabbix-agent CPUAccounting=yes MemoryAccounting=yes
+
+- name: open firewall holes
+  firewalld: service=zabbix-agent permanent=true state=enabled