Update the setup tasks

Signed-off-by: Noah Knegt <git@noahknegt.com>
2024-04-12 15:12:30 +02:00
parent f12f17658b
commit 2cdea1f6c3
12 changed files with 116 additions and 81 deletions
--- a/roles/setup/tasks/software/acl.yml
+++ b/roles/setup/tasks/software/acl.yml
@@ -1,15 +0,0 @@
-# ===================================================================================================
-#  ?                                           ABOUT
-#  @author         :  Noah Knegt
-#  @email          :  personal@noahknegt.com
-#  @repo           :  https://git.noahknegt.com/noah.knegt/ansible-automations
-#  @createdOn      :  01-06-2023
-#  @description    :
-# ===================================================================================================
-
---
- name: Install acl
-  package:
-    name:
-      - acl
-    state: latest
--- a/roles/setup/tasks/software/repositories.yml
+++ b/roles/setup/tasks/software/repositories.yml
@@ -9,9 +9,9 @@

 ---
 - name: Install aptitude and software-properties-common
-  package:
+  ansible.builtin.package:
    name:
      - aptitude
      - software-properties-common
-    state: latest
+    state: present
  when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
--- a/roles/setup/tasks/software/ufw.yml
+++ b/roles/setup/tasks/software/ufw.yml
@@ -0,0 +1,47 @@
+# ===================================================================================================
+#  ?                                           ABOUT
+#  @author         :  Noah Knegt
+#  @email          :  personal@noahknegt.com
+#  @repo           :  https://git.noahknegt.com/noah.knegt/ansible-automations
+#  @createdOn      :  01-06-2023
+#  @description    :
+# ===================================================================================================
+
+---
+- name: Install UFW
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
+- name: UFW deny all incoming traffic
+  community.general.ufw:
+    default: deny
+    direction: incoming
+
+- name: UFW allow all outbound traffic
+  community.general.ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow all access from RFC1918 networks to this host
+  community.general.ufw:
+    direction: incoming
+    rule: allow
+    src: "{{ item }}"
+  loop:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+
+- name: UFW allow default ssh port
+  community.general.ufw:
+    direction: incoming
+    rule: limit
+    port: ssh
+
+- name: UFW allow custom ssh port
+  when: setup_openssh_port is defined
+  community.general.ufw:
+    direction: incoming
+    rule: allow
+    port: "{{ setup_openssh_port }}"