Alan Orth
df26b6c17e
We should always restart fail2ban after updating the firewall. Note also that handlers run in the order in which they are defined in the handlers file, not in the order they are listed in a task's notify statement. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
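---
# Firewall setup for Ubuntu hosts: pick the packages for the release, install
# them, drop ufw, deploy the nftables or firewalld configuration plus the
# blocklist update scripts/timers, and finally include the fail2ban tasks.
#
# Ubuntu 20.04 will use nftables directly, with no firewalld.
# Ubuntu 18.04 will use firewalld with the nftables backend.
# Ubuntu 16.04 will use firewalld with the iptables backend.
#
# Module arguments are written as native YAML mappings instead of "key=value"
# strings so that file modes are quoted strings (avoids the YAML octal/integer
# trap) and booleans are real booleans.

- block:
    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '<')
      set_fact:
        ubuntu_firewall_packages:
          - firewalld
          - tidy
          - fail2ban
          - python3-systemd  # for fail2ban systemd backend

    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '>=')
      set_fact:
        ubuntu_firewall_packages:
          - fail2ban
          - libnet-ip-perl  # for aggregate-cidr-addresses.pl
          - nftables
          - python3-systemd
          - curl  # for nftables update scripts

    - name: Install firewall packages
      apt:
        pkg: "{{ ubuntu_firewall_packages }}"
        state: present
        # refresh the apt cache only when it is older than an hour
        cache_valid_time: 3600

    - name: Remove ufw
      when: ansible_distribution_version is version('16.04', '>=')
      apt:
        pkg: ufw
        state: absent

    - name: Copy nftables.conf
      when: ansible_distribution_version is version('20.04', '>=')
      template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
      # fail2ban inserts its own rules into the firewall, so it must be
      # restarted whenever the ruleset is reloaded
      notify:
        - restart nftables
        - restart fail2ban

    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_version is version('20.04', '>=')
      file:
        path: /etc/nftables
        state: directory
        owner: root
        mode: "0755"

    - name: Copy extra nftables configuration files
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item.src }}"
        dest: "/etc/nftables/{{ item.src }}"
        owner: root
        group: root
        mode: "0644"
        force: "{{ item.force }}"
      # force: false presumably keeps the lists that the update timers below
      # refresh on the host from being clobbered on every run; the abuseipdb
      # lists have no update script in this file and are always overwritten.
      # TODO confirm against the update scripts.
      loop:
        - src: spamhaus-ipv4.nft
          force: false
        - src: spamhaus-ipv6.nft
          force: false
        - src: abusech-ipv4.nft
          force: false
        - src: abuseipdb-ipv4.nft
          force: true
        - src: abuseipdb-ipv6.nft
          force: true
      notify:
        - restart nftables
        - restart fail2ban

    - name: Copy firewalld public zone file
      when: ansible_distribution_version is version('18.04', '<=')
      template:
        src: public.xml.j2
        dest: /etc/firewalld/zones/public.xml
        owner: root
        mode: "0600"

    # A plain command is reported "changed" on every run, so the handlers
    # below fire on every play (firewalld and fail2ban restart each time).
    - name: Format public.xml firewalld zone file
      when: ansible_distribution_version is version('18.04', '<=')
      command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
      notify:
        - restart firewalld
        - restart fail2ban

    - name: Copy firewalld ipsets of abusive IPs
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/firewalld/ipsets/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - abusers-ipv4.xml
        - abusers-ipv6.xml
        - spamhaus-ipv4.xml
        - spamhaus-ipv6.xml
      notify:
        - restart firewalld
        - restart fail2ban

    - name: Copy Spamhaus firewalld update script
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: update-spamhaus-lists.sh
        dest: /usr/local/bin/update-spamhaus-lists.sh
        owner: root
        group: root
        mode: "0755"

    - name: Copy Spamhaus firewalld systemd units
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
      register: spamhaus_firewalld_systemd_units

    - name: Copy nftables update scripts
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        group: root
        mode: "0755"
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl
        - update-abusech-nftables.sh

    - name: Copy nftables systemd units
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
      register: nftables_systemd_units

    # need to reload to pick up service/timer/environment changes
    - name: Reload systemd daemon
      systemd:
        daemon_reload: true
      # a registered result exists even for a skipped task, so both
      # variables are always defined; "or" must stay a single expression
      # (a list of conditions would be AND-ed)
      when: >-
        spamhaus_firewalld_systemd_units is changed or
        nftables_systemd_units is changed

    - name: Start and enable Spamhaus firewalld update timer
      when: ansible_distribution_version is version('18.04', '<=')
      systemd:
        name: update-spamhaus-lists.timer
        state: started
        enabled: true
      notify:
        - restart firewalld
        - restart fail2ban

    - name: Start and enable nftables update timers
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.timer

    - name: Start and enable nftables
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: nftables
        state: started
        enabled: true

    - include_tasks: fail2ban.yml
      when: ansible_distribution_version is version('16.04', '>=')

  # NOTE(review): assumed to belong to the block, so every task above carries
  # the tag — confirm against the role's other task files.
  tags: firewall

# vim: set sw=2 ts=2: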