Initial Push of scraped playbooks

2021-12-06 09:45:41 +01:00
parent 8ea7a36196
commit 7aa8e04057
14 changed files with 353 additions and 2 deletions
--- a/playbooks/firewalld/all.rules.firewalld.yaml
+++ b/playbooks/firewalld/all.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Machine"
+  hosts: all
+
+  tasks:
+# Create Firewall Rules
+    # SSH - ALL
+  - name: "Create Firewall Rule - SSH"
+    ansible.posix.firewalld:
+      zone: public
+      service: ssh
+      permanent: yes
+      state: enabled
+...
--- a/playbooks/firewalld/firewalld.yaml
+++ b/playbooks/firewalld/firewalld.yaml
@@ -0,0 +1,46 @@
+---
+- name: "Install & Configure Firewalld"
+  hosts: all
+
+  tasks:
+# Setup correct Firewall
+  - name: "Stop and disable ufw"
+    ansible.builtin.service:
+      name: "ufw"
+      state: stopped
+      enabled: no
+    become: True
+  - name: "Remove ufw"
+    ansible.builtin.package:
+      name: "ufw"
+      state: "absent"
+    become: True
+  - name: "Install & Update firewalld"
+    ansible.builtin.package:
+      name: "firewalld"
+      state: "latest"
+    become: True
+  - name: "Start and enable firewalld"
+    ansible.builtin.service:
+      name: "firewalld"
+      state: "started"
+      enabled: yes
+# Create Firewall Rules loaded from external Playbooks
+  - name: "Create Firewall Rules for any Node"
+    import_playbook: all.rules.firewalld.yaml
+# Create Firewall Rules for Groups loaded from external Playbooks
+  - name: "Create Firewall Rules for Servers"
+    import_playbook: servers.rules.firewalld.yaml
+  - name: "Create Firewall Rules for RPIS"
+    import_playbook: rpis.rules.firewalld.yaml
+# Create Firewall Rules for specific Hosts loaded from external Playbooks
+  - name: "Create Firewall Rules for srvdoc01"
+    import_playbook: srvdoc01.rul0es.firewalld.yaml
+# Reload Firewall to activate new Rules
+  - name: "Reload Firewall Rules"
+    ansible.builtin.command:
+      cmd: "firewall-cmd --reload"
+# Due to security Conditions Fail2ban gets installed too
+  - name: "Install Fail2ban with custom Ansible-Playbook"
+    import_playbook: ../prod/fail2ban.yaml
+...
--- a/playbooks/firewalld/rpis.rules.firewalld.yaml
+++ b/playbooks/firewalld/rpis.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Raspberry"
+  hosts: rpis
+
+  tasks:
+# Create Firewall Rules
+    # SSH - ALL
+  - name: "Create Firewall Rule - SSH"
+    ansible.posix.firewalld:
+      zone: public
+      service: ssh
+      permanent: yes
+      state: enabled
+...
--- a/playbooks/firewalld/servers.rules.firewalld.yaml
+++ b/playbooks/firewalld/servers.rules.firewalld.yaml
@@ -0,0 +1,14 @@
+---
+- name: "Apply Custom Firewall Rules to every Ansible-Managed Server"
+  hosts: servers
+
+  tasks:
+# Create Firewall Rules
+    # Cockpit - ALL Servers
+  - name: "Create Firewall Rule - SSH"
+    ansible.posix.firewalld:
+      zone: public
+      service: cockpit
+      permanent: yes
+      state: enabled
+...
--- a/playbooks/firewalld/srvdoc01.rules.firewalld.yaml
+++ b/playbooks/firewalld/srvdoc01.rules.firewalld.yaml
@@ -0,0 +1,84 @@
+---
+- name: "IApply Custom Firewall Rules to SRVDOC01 "
+  hosts: srvdoc01
+
+  tasks:
+  - name: "Create Firewall Rule [SRVDOC01]- HTTP"
+    ansible.posix.firewalld:
+      zone: public
+      service: http
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- HTTPS"
+    ansible.posix.firewalld:
+      zone: public
+      service: https
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- SMTP"
+    ansible.posix.firewalld:
+      zone: public
+      port: 25/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- POP3"
+    ansible.posix.firewalld:
+      zone: public
+      port: 110/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- IMAP"
+    ansible.posix.firewalld:
+      zone: public
+      port: 143/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- SMTPs"
+    ansible.posix.firewalld:
+      zone: public
+      port: 465/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- SMTP"
+    ansible.posix.firewalld:
+      zone: public
+      port: 587/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- IMAPs"
+    ansible.posix.firewalld:
+      zone: public
+      port: 993/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- POP3s"
+    ansible.posix.firewalld:
+      zone: public
+      port: 995/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- DNS"
+    ansible.posix.firewalld:
+      zone: public
+      port: 53/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- DNS"
+    ansible.posix.firewalld:
+      zone: public
+      port: 53/udp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- DNSs"
+    ansible.posix.firewalld:
+      zone: public
+      port: 853/tcp
+      permanent: yes
+      state: enabled
+  - name: "Create Firewall Rule [SRVDOC01]- DNSs"
+    ansible.posix.firewalld:
+      zone: public
+      port: 853/udp
+      permanent: yes
+      state: enabled
+...