homelab/roles/base/tasks/firewall.yml

- name: Install the Uncomplicated Firewall
  ansible.builtin.apt:
    name: ufw
    state: present

- name: Install Fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present

- name: Deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming

- name: Allow outgoing traffic by default
  community.general.ufw:
    default: allow
    direction: outgoing

- name: Allow OpenSSH with rate limiting
  community.general.ufw:
    name: ssh
    rule: limit

- name: Remove Fail2ban defaults-debian.conf
  ansible.builtin.file:
    path: /etc/fail2ban/jail.d/defaults-debian.conf
    state: absent

- name: Install OpenSSH's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    mode: "640"
  notify: restart_fail2ban

- name: Install Fail2ban IP allow list
  ansible.builtin.template:
    src: fail2ban-allowlist.conf.j2
    dest: /etc/fail2ban/jail.d/allowlist.conf
    mode: "640"
  when: fail2ban_ignoreip is defined
  notify: restart_fail2ban

- name: Enable firewall
  community.general.ufw:
    state: enabled
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`- name: Install the Uncomplicated Firewall`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`ansible.builtin.apt:`
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`name: ufw`
			`state: present`

Add Fail2ban to Gitea and Bitwarden 2022-05-28 02:31:41 -04:00			`- name: Install Fail2ban`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`ansible.builtin.apt:`
Add Fail2ban to Gitea and Bitwarden 2022-05-28 02:31:41 -04:00			`name: fail2ban`
			`state: present`

Add the ufw firewall 2022-05-27 16:29:27 -04:00			`- name: Deny incoming traffic by default`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`community.general.ufw:`
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`default: deny`
			`direction: incoming`

			`- name: Allow outgoing traffic by default`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`community.general.ufw:`
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`default: allow`
			`direction: outgoing`

			`- name: Allow OpenSSH with rate limiting`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`community.general.ufw:`
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`name: ssh`
			`rule: limit`

Install aggressive Fail2ban jail for SSH 2022-06-18 19:47:02 -04:00			`- name: Remove Fail2ban defaults-debian.conf`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`ansible.builtin.file:`
Install aggressive Fail2ban jail for SSH 2022-06-18 19:47:02 -04:00			`path: /etc/fail2ban/jail.d/defaults-debian.conf`
			`state: absent`

			`- name: Install OpenSSH's Fail2ban jail`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`ansible.builtin.template:`
Install aggressive Fail2ban jail for SSH 2022-06-18 19:47:02 -04:00			`src: fail2ban-ssh.conf.j2`
			`dest: /etc/fail2ban/jail.d/sshd.conf`
Update base role to pass linting 2023-10-20 21:30:25 -04:00			`mode: "640"`
Install aggressive Fail2ban jail for SSH 2022-06-18 19:47:02 -04:00			`notify: restart_fail2ban`

Install Fail2ban IP allow list 2022-06-28 23:43:58 -04:00			`- name: Install Fail2ban IP allow list`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`ansible.builtin.template:`
Install Fail2ban IP allow list 2022-06-28 23:43:58 -04:00			`src: fail2ban-allowlist.conf.j2`
			`dest: /etc/fail2ban/jail.d/allowlist.conf`
Update base role to pass linting 2023-10-20 21:30:25 -04:00			`mode: "640"`
Install Fail2ban IP allow list 2022-06-28 23:43:58 -04:00			`when: fail2ban_ignoreip is defined`
			`notify: restart_fail2ban`

Add the ufw firewall 2022-05-27 16:29:27 -04:00			`- name: Enable firewall`
Updated Ansible tasks to FQCN format 2023-05-03 23:42:55 -04:00			`community.general.ufw:`
Add the ufw firewall 2022-05-27 16:29:27 -04:00			`state: enabled`