Alan Orth
635bb5234d
We have to force these because they are not updated on the host like the other lists (API limit of five requests per day!). We update the list periodically here in git.
134 lines
4.9 KiB
YAML
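---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
# Ubuntu 18.04 will use firewalld with the nftables backend.
# Ubuntu 16.04 will use firewalld with the iptables backend.
#
# Module arguments are written as native YAML mappings rather than
# "key=value" strings, and file modes are quoted so that YAML does not
# parse them as octal integers.

- block:
    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '<')
      set_fact:
        ubuntu_firewall_packages:
          - firewalld
          - tidy  # reformats the firewalld zone XML below
          - fail2ban
          - python3-systemd  # for fail2ban systemd backend

    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '>=')
      set_fact:
        ubuntu_firewall_packages:
          - fail2ban
          - libnet-ip-perl  # for aggregate-cidr-addresses.pl
          - nftables
          - python3-systemd
          - curl  # for nftables update scripts

    - name: Install firewall packages
      apt:
        pkg: "{{ ubuntu_firewall_packages }}"
        state: present
        cache_valid_time: 3600

    - name: Remove ufw
      when: ansible_distribution_version is version('16.04', '>=')
      apt:
        pkg: ufw
        state: absent

    - name: Copy nftables.conf
      when: ansible_distribution_version is version('20.04', '>=')
      template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
      notify:
        - restart nftables

    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_version is version('20.04', '>=')
      file:
        path: /etc/nftables
        state: directory
        owner: root
        mode: "0755"

    # The abuseipdb lists are forced because they are not refreshed on the
    # host like the other lists (API limit of five requests per day); they
    # are updated periodically in git instead, so the host copy must follow
    # the repository. The other lists are only seeded once (force: false)
    # and are presumably refreshed on the host by the update timers below.
    - name: Copy extra nftables configuration files
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item.src }}"
        dest: "/etc/nftables/{{ item.src }}"
        owner: root
        group: root
        mode: "0644"
        force: "{{ item.force }}"
      loop:
        - src: spamhaus-ipv4.nft
          force: false
        - src: spamhaus-ipv6.nft
          force: false
        - src: abusech-ipv4.nft
          force: false
        - src: abuseipdb-ipv4.nft
          force: true
        - src: abuseipdb-ipv6.nft
          force: true
      notify:
        - restart nftables

    - name: Copy firewalld public zone file
      when: ansible_distribution_version is version('18.04', '<=')
      template:
        src: public.xml.j2
        dest: /etc/firewalld/zones/public.xml
        owner: root
        mode: "0600"

    # NOTE(review): `tidy -m` rewrites the zone file in place on every run,
    # so this task always reports "changed" and the firewalld restart it
    # notifies fires on every run. Registering the template result above and
    # guarding on it would make the play idempotent — confirm before changing.
    - name: Format public.xml firewalld zone file
      when: ansible_distribution_version is version('18.04', '<=')
      command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
      notify:
        - restart firewalld

    - name: Copy firewalld ipsets of abusive IPs
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/firewalld/ipsets/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - abusers-ipv4.xml
        - abusers-ipv6.xml
        - spamhaus-ipv4.xml
        - spamhaus-ipv6.xml
      notify:
        - restart firewalld

    - name: Copy Spamhaus firewalld update script
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: update-spamhaus-lists.sh
        dest: /usr/local/bin/update-spamhaus-lists.sh
        mode: "0755"
        owner: root
        group: root

    - name: Copy Spamhaus firewalld systemd units
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        mode: "0644"
        owner: root
        group: root
      loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
      register: spamhaus_firewalld_systemd_units

    - name: Copy nftables update scripts
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        mode: "0755"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl
        - update-abusech-nftables.sh

    - name: Copy nftables systemd units
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        mode: "0644"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
      register: nftables_systemd_units

    # need to reload to pick up service/timer/environment changes
    - name: Reload systemd daemon
      systemd:
        daemon_reload: true
      when: spamhaus_firewalld_systemd_units is changed or nftables_systemd_units is changed

    - name: Start and enable Spamhaus firewalld update timer
      when: ansible_distribution_version is version('18.04', '<=')
      systemd:
        name: update-spamhaus-lists.timer
        state: started
        enabled: true
      notify:
        - restart firewalld

    - name: Start and enable nftables update timers
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.timer

    - name: Start and enable nftables
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: nftables
        state: started
        enabled: true

    # NOTE(review): the block's tag applies to this include statement itself,
    # not to the tasks inside fail2ban.yml (include_tasks needs `apply:` for
    # that) — confirm `--tags firewall` behaves as expected.
    - include_tasks: fail2ban.yml
      when: ansible_distribution_version is version('16.04', '>=')

  tags: firewall

# vim: set sw=2 ts=2: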