Alan Orth
479127a5e4
We used to use reload, but now the idempotent thing to do is to use restart instead of reload.
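---
# Firewall tasks for Debian hosts: firewalld on Debian 10 and earlier,
# nftables on Debian 11 and later, plus the abuse-list update timers and the
# fail2ban include. Handlers referenced here: "restart firewalld" and
# "restart nftables" (defined elsewhere in the role).
#
# Debian 11 will use nftables directly, with no firewalld.
#
# Every version gate uses ansible_distribution_major_version. The full
# ansible_distribution_version carries the point release (e.g. "10.9"), and
# "10.9" is version('10', '<=') evaluates to false, so the Spamhaus firewalld
# tasks that were gated on it were silently skipped on Debian 10 point
# releases.

- block:
    - name: Set Debian firewall packages
      when: ansible_distribution_major_version is version('10', '<=')
      set_fact:
        debian_firewall_packages:
          - firewalld
          - tidy
          - fail2ban
          - python3-systemd  # for fail2ban systemd backend

    - name: Set Debian firewall packages
      when: ansible_distribution_major_version is version('11', '>=')
      set_fact:
        debian_firewall_packages:
          - fail2ban
          - libnet-ip-perl  # for aggregate-cidr-addresses.pl
          - nftables
          - python3-systemd
          - curl  # for nftables update scripts

    - name: Install firewall packages
      apt:
        pkg: "{{ debian_firewall_packages }}"
        state: present
        cache_valid_time: 3600

    - name: Copy nftables.conf
      when: ansible_distribution_major_version is version('11', '>=')
      template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
      notify:
        - restart nftables

    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_major_version is version('11', '>=')
      file:
        path: /etc/nftables
        state: directory
        owner: root
        mode: "0755"

    # force: false only seeds these list files on first run; presumably the
    # update timers installed below refresh them in place, so a later Ansible
    # run must not overwrite them — confirm against the update scripts.
    - name: Copy extra nftables configuration files
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/nftables/{{ item }}"
        owner: root
        group: root
        mode: "0644"
        force: false
      loop:
        - spamhaus-ipv4.nft
        - spamhaus-ipv6.nft
        - abusech-ipv4.nft
        - abuseipdb-ipv4.nft
        - abuseipdb-ipv6.nft
      notify:
        - restart nftables

    - name: Use iptables backend in firewalld
      when: ansible_distribution_major_version is version('10', '==')
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^FirewallBackend=nftables$'
        line: 'FirewallBackend=iptables'
      notify:
        - restart firewalld

    # firewalld seems to have an issue with iptables 1.8.2 when using the nftables
    # backend. Using individual calls seems to work around it.
    # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
    - name: Use individual iptables calls
      when: ansible_distribution_major_version is version('10', '==')
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^IndividualCalls=no$'
        line: 'IndividualCalls=yes'
      notify:
        - restart firewalld

    - name: Copy firewalld public zone file
      when: ansible_distribution_major_version is version('10', '<=')
      template:
        src: public.xml.j2
        dest: /etc/firewalld/zones/public.xml
        owner: root
        mode: "0600"
      register: firewalld_public_zone

    # The command module always reports "changed", which would fire the
    # firewalld restart handler on every run. Only re-format (and restart)
    # when the zone template actually changed.
    - name: Format public.xml firewalld zone file
      when:
        - ansible_distribution_major_version is version('10', '<=')
        - firewalld_public_zone is changed
      command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
      notify:
        - restart firewalld

    - name: Copy firewalld ipsets of abusive IPs
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/firewalld/ipsets/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - abusers-ipv4.xml
        - abusers-ipv6.xml
        - spamhaus-ipv4.xml
        - spamhaus-ipv6.xml
      notify:
        - restart firewalld

    - name: Copy Spamhaus firewalld update script
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: update-spamhaus-lists.sh
        dest: /usr/local/bin/update-spamhaus-lists.sh
        mode: "0755"
        owner: root
        group: root

    - name: Copy Spamhaus firewalld systemd units
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        mode: "0644"
        owner: root
        group: root
      loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
      register: spamhaus_firewalld_systemd_units

    - name: Copy Spamhaus nftables update scripts
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        mode: "0755"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl
        - update-abusech-nftables.sh

    - name: Copy nftables systemd units
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        mode: "0644"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
      register: nftables_systemd_units

    # need to reload to pick up service/timer/environment changes
    # (a skipped register still evaluates "is changed" as false, so either
    # branch can be absent on a given Debian release)
    - name: Reload systemd daemon
      systemd:
        daemon_reload: true
      when: >-
        spamhaus_firewalld_systemd_units is changed or
        nftables_systemd_units is changed

    - name: Start and enable Spamhaus firewalld update timer
      when: ansible_distribution_major_version is version('10', '<=')
      systemd:
        name: update-spamhaus-lists.timer
        state: started
        enabled: true
      notify:
        - restart firewalld

    - name: Start and enable nftables update timers
      when: ansible_distribution_major_version is version('11', '>=')
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.timer

    - name: Start and enable nftables
      when: ansible_distribution_major_version is version('11', '>=')
      systemd:
        name: nftables
        state: started
        enabled: true

    - include_tasks: fail2ban.yml
      when: ansible_distribution_major_version is version('9', '>=')

  # Tag the whole block so `--tags firewall` selects every task above.
  tags: firewall

# vim: set sw=2 ts=2: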