Alan Orth
197bdf7666
We should only try to start the nftables service after we finish copying all the config files just in case there is some unclean state in one of them. On a first run this shouldn't matter, but after nftables and some abuse list update scripts have run this can happen (mostly in testing!).
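---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
# Ubuntu 18.04 will use firewalld with the nftables backend.
# Ubuntu 16.04 will use firewalld with the iptables backend.
#
# Ordering matters in this block: every firewall configuration file
# (nftables.conf, the extra /etc/nftables/*.nft includes, the firewalld
# zone and ipset files) is written BEFORE the nftables service is started
# and enabled, so a fresh service start never picks up a half-written or
# stale file. The "reload nftables" and "restart firewalld" handlers are
# defined elsewhere in the role and run once at the end of the play.

- block:
    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '<')
      set_fact:
        ubuntu_firewall_packages:
          - firewalld
          - tidy  # reformats the rendered public.xml zone file (see below)
          - fail2ban
          - python3-systemd  # for fail2ban systemd backend

    - name: Set Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '>=')
      set_fact:
        ubuntu_firewall_packages:
          - fail2ban
          - libnet-ip-perl  # for aggregate-cidr-addresses.pl
          - nftables
          - python3-systemd  # for fail2ban systemd backend

    - name: Install firewall packages
      apt:
        pkg: "{{ ubuntu_firewall_packages }}"
        state: present
        cache_valid_time: 3600

    # NOTE(review): if ufw was enforcing rules on this host before the role
    # ran, there may be a window with no packet filter between this removal
    # and the nftables / firewalld service start further down -- confirm on
    # a host that had ufw enabled before relying on this role for first-time
    # hardening of an exposed machine.
    - name: Remove ufw
      when: ansible_distribution_version is version('16.04', '>=')
      apt:
        pkg: ufw
        state: absent

    # Main ruleset. 0644 makes the full ruleset (open ports, allow-lists)
    # readable by every local user; tighten to 0600 if local users are not
    # trusted -- nft itself only needs root to load it.
    - name: Copy nftables.conf
      when: ansible_distribution_version is version('20.04', '>=')
      template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0644"
      notify:
        - reload nftables

    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_version is version('20.04', '>=')
      file:
        path: /etc/nftables
        state: directory
        owner: root
        group: root
        mode: "0755"

    # force: false -> these list files are only seeded when absent. The
    # update-spamhaus-nftables timer started below is expected to rewrite
    # them in place afterwards, so Ansible must not clobber a freshly
    # refreshed list. Consequence: a file that has been hand-edited or
    # corrupted on the host is NOT repaired by re-running the play; delete
    # it first if you need the shipped copy back. (TODO confirm the update
    # script regenerates the whole file rather than appending to it.)
    - name: Copy extra nftables configuration files
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/nftables/{{ item }}"
        owner: root
        group: root
        mode: "0644"
        force: false
      loop:
        - spamhaus-ipv4.nft
        - spamhaus-ipv6.nft
      notify:
        - reload nftables

    - name: Copy firewalld public zone file
      when: ansible_distribution_version is version('18.04', '<=')
      template:
        src: public.xml.j2
        dest: /etc/firewalld/zones/public.xml
        owner: root
        group: root
        mode: "0600"
      register: firewalld_public_zone
      notify:
        - restart firewalld

    # tidy rewrites the rendered zone file in place (-m). Only run it when
    # the template task above actually changed the file; otherwise every
    # play would re-run tidy, always report "changed" and restart firewalld
    # for nothing. (If the rendered template never matches tidy's output
    # this still runs every time, which is the same as before.)
    - name: Format public.xml firewalld zone file
      when:
        - ansible_distribution_version is version('18.04', '<=')
        - firewalld_public_zone is changed
      command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
      notify:
        - restart firewalld

    # Unlike the nftables lists above these are copied unconditionally, so a
    # tampered or stale ipset on the host is put back to the shipped copy
    # on every run (the Spamhaus ones are then refreshed by the timer).
    - name: Copy firewalld ipsets of abusive IPs
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/firewalld/ipsets/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - abusers-ipv4.xml
        - abusers-ipv6.xml
        - spamhaus-ipv4.xml
        - spamhaus-ipv6.xml
      notify:
        - restart firewalld

    # The update scripts below run as root from a systemd timer and write
    # into the firewall configuration; keep them root-owned and not
    # group/world-writable (0755) so an unprivileged user cannot alter
    # what gets loaded into the ruleset.
    - name: Copy Spamhaus firewalld update script
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: update-spamhaus-lists.sh
        dest: /usr/local/bin/update-spamhaus-lists.sh
        owner: root
        group: root
        mode: "0755"

    - name: Copy Spamhaus firewalld systemd units
      when: ansible_distribution_version is version('18.04', '<=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
      register: spamhaus_firewalld_systemd_units

    - name: Copy Spamhaus nftables update scripts
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        group: root
        mode: "0755"
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl

    - name: Copy Spamhaus nftables systemd units
      when: ansible_distribution_version is version('20.04', '>=')
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
      register: spamhaus_nftables_systemd_units

    # systemd only sees new/changed unit files after a daemon-reload. A
    # skipped copy task above still registers a result, and "is changed"
    # is false for it, so this is safe on every release.
    - name: Reload systemd daemon
      systemd:
        daemon_reload: true
      when:
        - spamhaus_firewalld_systemd_units is changed or
          spamhaus_nftables_systemd_units is changed

    - name: Start and enable Spamhaus firewalld update timer
      when: ansible_distribution_version is version('18.04', '<=')
      systemd:
        name: update-spamhaus-lists.timer
        state: started
        enabled: true
      notify:
        - restart firewalld

    - name: Start and enable Spamhaus nftables update timer
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: update-spamhaus-nftables.timer
        state: started
        enabled: true

    # Deliberately last: all of /etc/nftables.conf and /etc/nftables/*.nft
    # are in place by now, so a first start loads a complete ruleset. On
    # later runs the "reload nftables" handler (notified above) picks up
    # any changed files; "started" alone does not re-read them.
    - name: Start and enable nftables
      when: ansible_distribution_version is version('20.04', '>=')
      systemd:
        name: nftables
        state: started
        enabled: true

    - include_tasks: fail2ban.yml
      when: ansible_distribution_version is version('16.04', '>=')
  tags: firewall

# vim: set sw=2 ts=2: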