From d6e060d3afebcfd866dac38faba7b63396cf73a4 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 27 Jan 2025 22:30:50 +0300
Subject: [PATCH] roles/common: simplify firewall tasks
Apply firewall tag to included tasks, then we don't need to use a block.
---
 roles/common/tasks/firewall.yml | 12 +-
 roles/common/tasks/firewall_Debian.yml | 198 ++++++++++++-------------
 roles/common/tasks/firewall_Ubuntu.yml | 196 ++++++++++++------------
 3 files changed, 205 insertions(+), 201 deletions(-)
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 372acb3..7c46073 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,12 +1,20 @@ --- - name: Configure firewall (Debian) - ansible.builtin.include_tasks: firewall_Debian.yml when: ansible_distribution == 'Debian' + ansible.builtin.include_tasks: + file: firewall_Debian.yml + apply: + tags: + - firewall tags: firewall - name: Configure firewall (Ubuntu) - ansible.builtin.include_tasks: firewall_Ubuntu.yml when: ansible_distribution == 'Ubuntu' + ansible.builtin.include_tasks: + file: firewall_Ubuntu.yml + apply: + tags: + - firewall tags: firewall
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 594497c..585eb86 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
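Review bot: The new `apply: tags: - firewall` sits directly under an unchanged `tags: firewall` on both include tasks, and a reader who does not know that tags on a dynamic include do not reach the included tasks will take one of the two for a duplicate and delete it. A one-line comment above the first include would preserve the intent, e.g. `# tags: selects this include under --tags firewall; apply.tags: carries the tag into the included tasks, which a dynamic include does not do on its own`. The Ubuntu include below uses the same pairing, so one comment covering both is enough.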
@@ -1,115 +1,113 @@ --- # Debian 11+ will use nftables directly, with no firewalld. -- block: - - name: Install Debian firewall packages - when: ansible_distribution_major_version is version('11', '>=') - ansible.builtin.package: - name: - - libnet-ip-perl # for aggregate-cidr-addresses.pl - - nftables - - curl # for nftables update scripts - state: present - cache_valid_time: 3600 +- name: Install Debian firewall packages + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.package: + name: + - libnet-ip-perl # for aggregate-cidr-addresses.pl + - nftables + - curl # for nftables update scripts + state: present + cache_valid_time: 3600 - - name: Remove iptables on newer Debian - when: ansible_distribution_major_version is version('11', '>=') - ansible.builtin.apt: - pkg: iptables - state: absent +- name: Remove iptables on newer Debian + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.apt: + pkg: iptables + state: absent - - name: Copy nftables.conf - when: ansible_distribution_major_version is version('11', '>=') - ansible.builtin.template: - src: nftables.conf.j2 - dest: /etc/nftables.conf - owner: root - mode: "0644" - notify: - - restart nftables - - restart fail2ban +- name: Copy nftables.conf + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.template: + src: nftables.conf.j2 + dest: /etc/nftables.conf + owner: root + mode: "0644" + notify: + - restart nftables + - restart fail2ban - - name: Create /etc/nftables extra config directory - when: ansible_distribution_major_version is version('11', '>=') - ansible.builtin.file: - path: /etc/nftables - state: directory - owner: root - mode: "0755" +- name: Create /etc/nftables extra config directory + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.file: + path: /etc/nftables + state: directory + owner: root + mode: "0755" - - name: Copy extra nftables configuration files - when: 
ansible_distribution_major_version is version('11', '>=') - ansible.builtin.copy: - src: "{{ item.src }}" - dest: /etc/nftables/{{ item.src }} - owner: root - group: root - mode: "0644" - force: "{{ item.force }}" - loop: - - { src: spamhaus-ipv4.nft, force: "no" } - - { src: spamhaus-ipv6.nft, force: "no" } - - { src: abusech-ipv4.nft, force: "no" } - - { src: abuseipdb-ipv4.nft, force: "yes" } - - { src: abuseipdb-ipv6.nft, force: "yes" } - notify: - - restart nftables - - restart fail2ban +- name: Copy extra nftables configuration files + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.copy: + src: "{{ item.src }}" + dest: /etc/nftables/{{ item.src }} + owner: root + group: root + mode: "0644" + force: "{{ item.force }}" + loop: + - { src: spamhaus-ipv4.nft, force: "no" } + - { src: spamhaus-ipv6.nft, force: "no" } + - { src: abusech-ipv4.nft, force: "no" } + - { src: abuseipdb-ipv4.nft, force: "yes" } + - { src: abuseipdb-ipv6.nft, force: "yes" } + notify: + - restart nftables + - restart fail2ban - - name: Copy nftables update scripts - when: ansible_distribution_version is version('11', '>=') - ansible.builtin.copy: - src: "{{ item }}" - dest: /usr/local/bin/{{ item }} - mode: "0755" - owner: root - group: root - loop: - - update-spamhaus-nftables.sh - - aggregate-cidr-addresses.pl - - update-abusech-nftables.sh +- name: Copy nftables update scripts + when: ansible_distribution_version is version('11', '>=') + ansible.builtin.copy: + src: "{{ item }}" + dest: /usr/local/bin/{{ item }} + mode: "0755" + owner: root + group: root + loop: + - update-spamhaus-nftables.sh + - aggregate-cidr-addresses.pl + - update-abusech-nftables.sh - - name: Copy nftables systemd units - when: ansible_distribution_version is version('11', '>=') - ansible.builtin.copy: - src: "{{ item }}" - dest: /etc/systemd/system/{{ item }} - mode: "0644" - owner: root - group: root - loop: - - update-spamhaus-nftables.service - - update-spamhaus-nftables.timer 
- - update-abusech-nftables.service - - update-abusech-nftables.timer - register: nftables_systemd_units +- name: Copy nftables systemd units + when: ansible_distribution_version is version('11', '>=') + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/systemd/system/{{ item }} + mode: "0644" + owner: root + group: root + loop: + - update-spamhaus-nftables.service + - update-spamhaus-nftables.timer + - update-abusech-nftables.service + - update-abusech-nftables.timer + register: nftables_systemd_units - # need to reload to pick up service/timer/environment changes - - name: Reload systemd daemon - ansible.builtin.systemd: - daemon_reload: true - when: nftables_systemd_units is changed +# need to reload to pick up service/timer/environment changes +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true + when: nftables_systemd_units is changed - - name: Start and enable nftables update timers - when: ansible_distribution_version is version('11', '>=') - ansible.builtin.systemd: - name: "{{ item }}" - state: started - enabled: true - loop: - - update-spamhaus-nftables.timer - - update-abusech-nftables.timer +- name: Start and enable nftables update timers + when: ansible_distribution_version is version('11', '>=') + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + loop: + - update-spamhaus-nftables.timer + - update-abusech-nftables.timer - - name: Start and enable nftables - when: ansible_distribution_major_version is version('11', '>=') - ansible.builtin.systemd: - name: nftables - state: started - enabled: true +- name: Start and enable nftables + when: ansible_distribution_major_version is version('11', '>=') + ansible.builtin.systemd: + name: nftables + state: started + enabled: true - - ansible.builtin.include_tasks: fail2ban.yml - when: - - ansible_distribution_major_version is version('9', '>=') - tags: firewall +- ansible.builtin.include_tasks: fail2ban.yml + when: + - 
ansible_distribution_major_version is version('9', '>=')
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 4895e65..4afc3c8 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
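Review bot: The `ansible.builtin.include_tasks: fail2ban.yml` task at the end of this hunk drops its own `tags: firewall` and now depends on the parent include's `apply: tags:` reaching through a nested dynamic include; as far as I know tags set via `apply` are inherited by the tasks of a nested include, but it is worth confirming with `ansible-playbook --list-tasks --tags firewall` that the fail2ban tasks are still selected, because a miss would silently leave that part of the hardening out of a tagged run. The same change is made to the fail2ban include at the end of firewall_Ubuntu.yml. Separately, the three tasks `Copy nftables update scripts`, `Copy nftables systemd units` and `Start and enable nftables update timers` compare `ansible_distribution_version` while every other task in this file compares `ansible_distribution_major_version` against '11'; both hold on Debian 11 and later, but a single form, `when: ansible_distribution_major_version is version('11', '>=')`, is easier to keep in step, and the Ubuntu file already uses one fact consistently.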
@@ -1,114 +1,112 @@ --- # Ubuntu 20.04 will use nftables directly, with no firewalld. -- block: - - name: Install Ubuntu firewall packages - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.package: - name: - - libnet-ip-perl # for aggregate-cidr-addresses.pl - - nftables - - curl # for nftables update scripts - state: present - cache_valid_time: 3600 +- name: Install Ubuntu firewall packages + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.package: + name: + - libnet-ip-perl # for aggregate-cidr-addresses.pl + - nftables + - curl # for nftables update scripts + state: present + cache_valid_time: 3600 - - name: Remove ufw - ansible.builtin.package: - name: ufw - state: absent +- name: Remove ufw + ansible.builtin.package: + name: ufw + state: absent - - name: Copy nftables.conf - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.template: - src: nftables.conf.j2 - dest: /etc/nftables.conf - owner: root - mode: "0644" - notify: - - restart nftables - - restart fail2ban +- name: Copy nftables.conf + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.template: + src: nftables.conf.j2 + dest: /etc/nftables.conf + owner: root + mode: "0644" + notify: + - restart nftables + - restart fail2ban - - name: Create /etc/nftables extra config directory - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.file: - path: /etc/nftables - state: directory - owner: root - mode: "0755" +- name: Create /etc/nftables extra config directory + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.file: + path: /etc/nftables + state: directory + owner: root + mode: "0755" - - name: Copy extra nftables configuration files - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.copy: - src: "{{ item.src }}" - dest: /etc/nftables/{{ item.src }} - owner: root - group: root - mode: "0644" - force: "{{ 
item.force }}" - loop: - - { src: spamhaus-ipv4.nft, force: "no" } - - { src: spamhaus-ipv6.nft, force: "no" } - - { src: abusech-ipv4.nft, force: "no" } - - { src: abuseipdb-ipv4.nft, force: "yes" } - - { src: abuseipdb-ipv6.nft, force: "yes" } - notify: - - restart nftables - - restart fail2ban +- name: Copy extra nftables configuration files + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.copy: + src: "{{ item.src }}" + dest: /etc/nftables/{{ item.src }} + owner: root + group: root + mode: "0644" + force: "{{ item.force }}" + loop: + - { src: spamhaus-ipv4.nft, force: "no" } + - { src: spamhaus-ipv6.nft, force: "no" } + - { src: abusech-ipv4.nft, force: "no" } + - { src: abuseipdb-ipv4.nft, force: "yes" } + - { src: abuseipdb-ipv6.nft, force: "yes" } + notify: + - restart nftables + - restart fail2ban - - name: Copy nftables update scripts - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.copy: - src: "{{ item }}" - dest: /usr/local/bin/{{ item }} - mode: "0755" - owner: root - group: root - loop: - - update-spamhaus-nftables.sh - - aggregate-cidr-addresses.pl - - update-abusech-nftables.sh +- name: Copy nftables update scripts + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.copy: + src: "{{ item }}" + dest: /usr/local/bin/{{ item }} + mode: "0755" + owner: root + group: root + loop: + - update-spamhaus-nftables.sh + - aggregate-cidr-addresses.pl + - update-abusech-nftables.sh - - name: Copy nftables systemd units - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.copy: - src: "{{ item }}" - dest: /etc/systemd/system/{{ item }} - mode: "0644" - owner: root - group: root - loop: - - update-spamhaus-nftables.service - - update-spamhaus-nftables.timer - - update-abusech-nftables.service - - update-abusech-nftables.timer - register: nftables_systemd_units +- name: Copy nftables systemd units + when: ansible_distribution_version is 
version('20.04', '>=') + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/systemd/system/{{ item }} + mode: "0644" + owner: root + group: root + loop: + - update-spamhaus-nftables.service + - update-spamhaus-nftables.timer + - update-abusech-nftables.service + - update-abusech-nftables.timer + register: nftables_systemd_units - # need to reload to pick up service/timer/environment changes - - name: Reload systemd daemon - ansible.builtin.systemd: - daemon_reload: true - when: nftables_systemd_units is changed +# need to reload to pick up service/timer/environment changes +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true + when: nftables_systemd_units is changed - - name: Start and enable nftables update timers - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.systemd: - name: "{{ item }}" - state: started - enabled: true - loop: - - update-spamhaus-nftables.timer - - update-abusech-nftables.timer +- name: Start and enable nftables update timers + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + loop: + - update-spamhaus-nftables.timer + - update-abusech-nftables.timer - - name: Start and enable nftables - when: ansible_distribution_version is version('20.04', '>=') - ansible.builtin.systemd: - name: nftables - state: started - enabled: true +- name: Start and enable nftables + when: ansible_distribution_version is version('20.04', '>=') + ansible.builtin.systemd: + name: nftables + state: started + enabled: true - - ansible.builtin.include_tasks: fail2ban.yml - when: - - ansible_distribution_version is version('16.04', '>=') - tags: firewall +- ansible.builtin.include_tasks: fail2ban.yml + when: + - ansible_distribution_version is version('16.04', '>=') # vim: set sw=2 ts=2: