For now I am still updating this manually: we can only hit their API five times per day, so it is not possible for each host to fetch the list itself every day with our single API key.
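---
# Firewall tasks for Debian hosts.
#
# Debian <= 10 uses firewalld (zone file + ipsets of abusive IPs).
# Debian >= 11 uses nftables directly, with no firewalld.
#
# Every distribution check uses ansible_distribution_major_version. The
# previous mix with ansible_distribution_version was a bug: on a point release
# such as "10.13", `is version('10', '<=')` is false, so the firewalld
# Spamhaus update script and timer were silently never deployed.
#
# Handlers used here ("reload nftables", "restart firewalld") are not defined
# in this file.

- block:
    - name: Set Debian firewall packages (firewalld, Debian <= 10)
      when: ansible_distribution_major_version is version('10', '<=')
      set_fact:
        debian_firewall_packages:
          - firewalld
          - tidy  # formats the generated public.xml zone file
          - fail2ban
          - python3-systemd  # for fail2ban systemd backend

    - name: Set Debian firewall packages (nftables, Debian >= 11)
      when: ansible_distribution_major_version is version('11', '>=')
      set_fact:
        debian_firewall_packages:
          - fail2ban
          - libnet-ip-perl  # for aggregate-cidr-addresses.pl
          - nftables
          - python3-systemd  # for fail2ban systemd backend
          - curl  # for nftables update scripts

    - name: Install firewall packages
      apt:
        name: "{{ debian_firewall_packages }}"
        state: present
        cache_valid_time: 3600  # refresh the apt cache if older than an hour

    # Debian >= 11: the blocklist directory and its files are put in place
    # *before* /etc/nftables.conf so the rendered config can be validated with
    # everything it may include already present.
    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_major_version is version('11', '>=')
      file:
        path: /etc/nftables
        state: directory
        owner: root
        group: root
        mode: "0755"

    # These lists are refreshed on the host itself by the update-*-nftables.sh
    # scripts (via systemd timers, below), so they are only seeded once:
    # force: false stops Ansible from overwriting a host-refreshed file.
    - name: Seed host-refreshed nftables blocklists
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/nftables/{{ item }}"
        owner: root
        group: root
        mode: "0644"
        force: false
      loop:
        - spamhaus-ipv4.nft
        - spamhaus-ipv6.nft
        - abusech-ipv4.nft
      notify:
        - reload nftables

    # The AbuseIPDB lists have no on-host update script in this role (the API
    # quota does not allow one fetch per host), so they are curated in the
    # repository and must be pushed on every run. They used to be copied with
    # force=no together with the lists above, which meant a host that already
    # had the file never received a repository update.
    - name: Copy repository-managed nftables blocklists
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/nftables/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - abuseipdb-ipv4.nft
        - abuseipdb-ipv6.nft
      notify:
        - reload nftables

    - name: Copy nftables.conf
      when: ansible_distribution_major_version is version('11', '>=')
      template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0644"
        # Dry-run the rendered ruleset before it replaces the live file, so a
        # template mistake fails this task instead of leaving the host with a
        # config that nftables cannot load at the next reload or boot.
        validate: /usr/sbin/nft -c -f %s
      notify:
        - reload nftables

    # Debian 10 only. The regexps match the key rather than one particular
    # value, so the setting is corrected from whatever value is present and is
    # recognised as already set on later runs (keeping the task idempotent).
    - name: Use iptables backend in firewalld
      when: ansible_distribution_major_version is version('10', '==')
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^FirewallBackend='
        line: 'FirewallBackend=iptables'
      notify:
        - restart firewalld

    # firewalld seems to have an issue with iptables 1.8.2 when using the
    # nftables backend. Using individual calls seems to work around it.
    # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
    - name: Use individual iptables calls
      when: ansible_distribution_major_version is version('10', '==')
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^IndividualCalls='
        line: 'IndividualCalls=yes'
      notify:
        - restart firewalld

    - name: Copy firewalld public zone file
      when: ansible_distribution_major_version is version('10', '<=')
      template:
        src: public.xml.j2
        dest: /etc/firewalld/zones/public.xml
        owner: root
        group: root
        mode: "0600"
      register: firewalld_public_zone

    # tidy rewrites the file in place (-m) and always reports "changed", so
    # previously this task restarted firewalld on every run. Only format the
    # zone file when the template actually changed it.
    - name: Format public.xml firewalld zone file
      when:
        - ansible_distribution_major_version is version('10', '<=')
        - firewalld_public_zone is changed
      command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
      notify:
        - restart firewalld

    - name: Copy firewalld ipsets of abusive IPs
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/firewalld/ipsets/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - abusers-ipv4.xml
        - abusers-ipv6.xml
        - spamhaus-ipv4.xml
        - spamhaus-ipv6.xml
      notify:
        - restart firewalld

    - name: Copy Spamhaus firewalld update script
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: update-spamhaus-lists.sh
        dest: /usr/local/bin/update-spamhaus-lists.sh
        owner: root
        group: root
        mode: "0755"

    - name: Copy Spamhaus firewalld systemd units
      when: ansible_distribution_major_version is version('10', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
      register: spamhaus_firewalld_systemd_units

    - name: Copy nftables update scripts
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        group: root
        mode: "0755"
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl
        - update-abusech-nftables.sh

    - name: Copy nftables systemd units
      when: ansible_distribution_major_version is version('11', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
      register: nftables_systemd_units

    # need to reload to pick up service/timer/environment changes
    - name: Reload systemd daemon
      systemd:
        daemon_reload: true
      when: spamhaus_firewalld_systemd_units is changed or nftables_systemd_units is changed

    - name: Start and enable Spamhaus firewalld update timer
      when: ansible_distribution_major_version is version('10', '<=')
      systemd:
        name: update-spamhaus-lists.timer
        state: started
        enabled: true
      notify:
        - restart firewalld

    # Start nftables before the timers whose scripts presumably alter the live
    # ruleset, so the base ruleset is loaded when they first fire.
    - name: Start and enable nftables
      when: ansible_distribution_major_version is version('11', '>=')
      systemd:
        name: nftables
        state: started
        enabled: true

    - name: Start and enable nftables update timers
      when: ansible_distribution_major_version is version('11', '>=')
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.timer

    # include_tasks does not pass tags on to the tasks it includes, so apply
    # (Ansible >= 2.7) the block's tag explicitly; otherwise a run limited to
    # `--tags firewall` would include fail2ban.yml but skip its tasks.
    - include_tasks:
        file: fail2ban.yml
        apply:
          tags:
            - firewall
      when: ansible_distribution_major_version is version('9', '>=')
  tags: firewall

# vim: set sw=2 ts=2: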