From 45465ad26b71c1316de571538272aefc32488c8f Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 27 May 2022 16:29:27 -0400
Subject: [PATCH] Add the ufw firewall

---
 roles/base/tasks/firewall.yml   | 23 +++++++++++++++++++++++
 roles/base/tasks/main.yml       |  3 +++
 roles/postgresql/tasks/main.yml |  7 +++++++
 roles/proxy/tasks/main.yml      |  9 +++++++++
 4 files changed, 42 insertions(+)
 create mode 100644 roles/base/tasks/firewall.yml

diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
new file mode 100644
index 0000000..5bbf166
--- /dev/null
+++ b/roles/base/tasks/firewall.yml
@@ -0,0 +1,23 @@
+- name: Install the Uncomplicated Firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Deny incoming traffic by default
+  ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  ufw:
+    name: ssh
+    rule: limit
+
+- name: Enable firewall
+  ufw:
+    state: enabled
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index f1cc1f5..ab72fa0 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -4,6 +4,9 @@
 - import_tasks: system.yml
   tags: system
 
+- import_tasks: firewall.yml
+  tags: firewall
+
 - import_tasks: network.yml
   tags: network
   when: manage_network
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 4f6ed71..8d9404b 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -32,3 +32,10 @@
     name: postgresql
     state: restarted
   when: postgresql_config.changed
+
+- name: Allow database connections from Docker
+  ufw:
+    rule: allow
+    port: "5432"
+    proto: tcp
+    src: "172.16.0.0/12"
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 171ed09..3022e1b 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
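Review bot: `name: ssh` in the "Allow OpenSSH with rate limiting" task is resolved by ufw through /etc/services, so the limit rule matches port 22 only; if system.yml (imported before this file) ever moves sshd to another port, the rule will not cover it and the following `Enable firewall` task would drop the connection Ansible is managing the host over. Binding the rule to the configured port, `port: "{{ ssh_port | default('22') }}"` with `proto: tcp` (variable name is a placeholder for whatever the role exposes), keeps the two in step. The task ordering itself is right: both defaults and the SSH rule are written before `state: enabled`, so there is no window where incoming traffic is denied without an SSH allowance.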
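Review bot: `src: "172.16.0.0/12"` in "Allow database connections from Docker" admits the whole RFC 1918 172.16/12 block, not just Docker's bridge networks, so any host that happens to sit in that range (another private segment, a VPN peer, a neighbouring tenant on a cloud VPC) reaches PostgreSQL on 5432. Scoping the rule to the bridge, `interface: docker0` plus `direction: in`, or narrowing `src` to the actual Docker network CIDR, limits it to the intended clients. This task and the HTTP/HTTPS task in roles/proxy/tasks/main.yml both assume ufw is already installed by the base role; if either role is run on its own or with `--skip-tags firewall`, the `ufw` module fails rather than silently skipping, which is probably acceptable but worth a comment. Separately, Docker inserts its own iptables rules for published container ports, which ufw's INPUT policy does not filter, so the deny-by-default policy added in this commit does not extend to ports containers publish.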
@@ -84,3 +84,12 @@
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
   notify: reload_nginx
+
+- name: Add HTTP and HTTPS firewall rule
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"
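Review bot: The new task is named "Add HTTP and HTTPS firewall rule" although the loop creates two rules, and the other ufw tasks in this commit all use the "Allow …" form; `- name: Allow HTTP and HTTPS for nginx` reads consistently with them. The rules are also anonymous in `ufw status` output once applied; adding `comment: nginx` under `ufw:` (the module's `comment` option) makes them attributable when someone audits the ruleset later. The enclosing task list continues before the hunk.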