91 lines
2.0 KiB
YAML
91 lines
2.0 KiB
YAML
- name: Nginx
|
|
hosts: pi
|
|
become: true
|
|
tasks:
|
|
- name: Install ufw
|
|
ansible.builtin.apt:
|
|
name: ufw
|
|
state: present
|
|
|
|
- name: Logging
|
|
community.general.ufw:
|
|
logging: "low"
|
|
|
|
- name: Allow SSH
|
|
community.general.ufw:
|
|
rule: allow
|
|
name: OpenSSH
|
|
route: true
|
|
|
|
- name: UFW - Allow HTTP connections
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "80"
|
|
proto: tcp
|
|
route: true
|
|
|
|
- name: UFW - Allow HTTPS connections
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "443"
|
|
proto: tcp
|
|
route: true
|
|
|
|
- name: UFW - Allow gitbee ssh
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "2222"
|
|
proto: tcp
|
|
route: true
|
|
|
|
- name: UFW - Allow podman forwarding
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: podman+
|
|
interface_out: podman+
|
|
route: true
|
|
|
|
- name: UFW - Allow podman forwarding 2
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: eth0
|
|
interface_out: podman+
|
|
route: true
|
|
|
|
- name: UFW - Allow podman forwarding 3
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: podman+
|
|
interface_out: eth0
|
|
route: true
|
|
|
|
- name: UFW - Enable DNS
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: podman+
|
|
proto: "udp"
|
|
to_port: 53
|
|
|
|
- name: UFW - Allow node exporter scraping
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: podman+
|
|
proto: "tcp"
|
|
to_port: 9100
|
|
|
|
- name: UFW - Allow podman exporter scraping
|
|
community.general.ufw:
|
|
rule: allow
|
|
interface_in: podman+
|
|
proto: "tcp"
|
|
to_port: 9882
|
|
|
|
- name: UFW - Enable and deny by default
|
|
community.general.ufw:
|
|
state: enabled
|
|
default: deny
|
|
|
|
- name: UFW - Reload firewall
|
|
changed_when: true
|
|
ansible.builtin.command: ufw reload
|