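---
# Base host setup: package installation, then a default-deny firewalld
# policy with rate-limited SSH. Order matters: SSH is allowed in the drop
# zone before the default zone is switched to "drop", so the controlling
# session is never locked out by the change.
- name: Install EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: present
    update_cache: true

- name: Install useful software
  ansible.builtin.dnf:
    # common_packages is presumably a list of package names defined in
    # role/group vars (not visible in this file) — confirm against the vars.
    name: "{{ common_packages }}"
    state: present
    update_cache: true

- name: Install firewalld
  ansible.builtin.dnf:
    name: firewalld
    state: present

# firewalld must be running before the immediate (runtime) firewalld
# changes below can be applied.
- name: Start and enable firewalld service
  ansible.builtin.systemd:
    name: firewalld
    state: started
    enabled: true

# Allow SSH before the default zone is changed. The limit applies to the
# rule as a whole (not per source address), so a burst of connection
# attempts from one host can throttle SSH for everyone; use a per-source
# limit if that matters for this host.
- name: Allow SSH in drop zone with rate limiting via rich rule
  ansible.posix.firewalld:
    zone: drop
    rich_rule: 'rule service name="ssh" accept limit value="10/m"'
    permanent: true
    immediate: true
    state: enabled

# ansible.posix.firewalld has no parameter for the default zone, and the
# earlier task that passed only zone: drop / state: enabled to that module
# did not change it, so the default zone is set with firewall-cmd instead.
# --set-default-zone updates both the runtime and the permanent config.
# The current value is read first so the change is reported only when the
# zone actually switches (the original task ran unconditionally with
# changed_when: false, which hid a real configuration change).
- name: Get current firewalld default zone
  ansible.builtin.command:
    cmd: firewall-cmd --get-default-zone
  register: firewalld_default_zone
  changed_when: false
  check_mode: false

- name: Set drop as the default zone (deny incoming by default)
  ansible.builtin.command:
    cmd: firewall-cmd --set-default-zone=drop
  when: firewalld_default_zone.stdout != 'drop'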