homelab/roles/base/tasks/firewall.yml


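---
# Host firewall for the base role: UFW with a default-deny inbound policy,
# rate-limited OpenSSH, and Fail2ban jails for sshd.
#
# Task order is deliberate: the default policies and the SSH allow rule are
# applied before `state: enabled`, so a play running over SSH cannot lock
# itself out when the firewall comes up.

- name: Install the Uncomplicated Firewall
  ansible.builtin.apt:
    name: ufw
    state: present

# NOTE(review): nothing in this file ensures the fail2ban service is enabled
# and running; the restart_fail2ban handler only fires on a changed jail
# file. Confirm the service is started elsewhere in the role.
- name: Install Fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present

- name: Deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming

- name: Allow outgoing traffic by default
  community.general.ufw:
    default: allow
    direction: outgoing

# `rule: limit` allows SSH but has UFW temporarily reject a source that opens
# many new connections in a short window, blunting brute-force attempts
# before Fail2ban even sees them.
- name: Allow OpenSSH with rate limiting
  community.general.ufw:
    name: ssh
    rule: limit

# The distribution package presumably drops this file to enable its stock
# sshd jail; removing it leaves only the jail rendered below in effect.
- name: Remove Fail2ban defaults-debian.conf
  ansible.builtin.file:
    path: /etc/fail2ban/jail.d/defaults-debian.conf
    state: absent

- name: Install OpenSSH's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    # Quoted so the YAML parser does not turn the leading-zero literal into an
    # octal integer; the string form is also what ansible-lint (risky-octal)
    # expects.
    mode: "0640"
  notify: restart_fail2ban

# Addresses in fail2ban_ignoreip are exempt from banning. When the variable is
# undefined the task is skipped, so a previously rendered allowlist.conf is
# left in place rather than removed — NOTE(review): confirm that is intended.
- name: Install Fail2ban IP allow list
  ansible.builtin.template:
    src: fail2ban-allowlist.conf.j2
    dest: /etc/fail2ban/jail.d/allowlist.conf
    mode: "0640"
  when: fail2ban_ignoreip is defined
  notify: restart_fail2ban

# Enabled last, once the policies and the SSH rule above are in place.
# The restart_fail2ban handler is expected to be defined in the role's
# handlers, not in this file.
- name: Enable firewall
  community.general.ufw:
    state: enabled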