

  1. ---
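  - hosts: localhost
    connection: local
    # Facts are not referenced by the tasks visible in this play, so
    # gathering them is skipped; written as a canonical lowercase boolean.
    gather_facts: false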
  vars:
    # NOTE(review): the task below hard-codes ip_version: ipv4 and does not
    # read this variable; it may be consumed further down the playbook.
    ip_version:
      - ipv4
    # Published container ports that must not be reachable through
    # DOCKER-USER. Each entry carries the label used for the iptables
    # comment so the resulting rule is self-describing in `iptables -L`.
    DROP_SWARM_PORTS:
      - comment: mariadb
        port: 3306
      - comment: fluentd
        port: 24224
      - comment: docker swarm join
        port: 2377
      - comment: docker swarm join
        port: 2376
      - comment: gitea ssh
        port: 222
  19. tasks:
  ##############################
  #
  # Ports published by docker are handled in the
  # DOCKER-USER chain, which ufw cannot manage.
  # Plain iptables rules are therefore used to
  # block the published ports listed above.
  #
  ##############################
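  # The task loops over every entry of DROP_SWARM_PORTS, not only fluentd,
  # so it is named accordingly.
  - name: drop published swarm ports
    become: true
    iptables:
      # insert (not append) so the DROP sits ahead of the RETURN that docker
      # itself places in DOCKER-USER; the module checks for an existing
      # identical rule before adding one, so re-runs do not duplicate it.
      action: insert
      chain: DOCKER-USER
      protocol: tcp
      destination_port: "{{ item.port }}"
      jump: DROP
      ip_version: ipv4
      comment: "{{ item.comment }}"
    # NOTE(review): DOCKER-USER sees forwarded traffic from every source,
    # including the 10.0.0.0/8 range that ufw trusts below, and traffic
    # leaving containers towards outside hosts on these ports. Confirm that
    # is intended; in_interface can narrow the match to the external NIC.
    # NOTE(review): rules added by the iptables module live in the running
    # ruleset only — confirm they are persisted elsewhere, otherwise they
    # are gone after a reboot.
    with_items: "{{ DROP_SWARM_PORTS }}"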
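  - name: limit ssh access
    become: true
    ufw:
      # "limit" rate-limits new connections rather than allowing them outright.
      rule: limit
      # "ssh" is resolved through /etc/services (port 22); the gitea ssh
      # port 222 is not covered here — it is handled by the DOCKER-USER DROP
      # rule built from DROP_SWARM_PORTS.
      port: ssh
      proto: tcp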
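  - name: allow docker swarm internally
    become: true
    ufw:
      rule: allow
      port: "{{ item }}"
      # 7946 and 4789 are used over udp as well as tcp, hence "any".
      proto: any
      # NOTE(review): this trusts the entire 10.0.0.0/8 — confirm it matches
      # the real private network; a narrower CIDR limits who can reach the
      # docker daemon port 2376, which must be TLS-client-auth protected
      # before it is exposed to any network at all.
      src: 10.0.0.0/8
    # Ports are quoted so they stay strings when templated into ufw.
    with_items:
      - "2377"  # swarm cluster management
      - "2376"  # docker daemon (tls), per the DROP_SWARM_PORTS comment
      - "7946"  # node discovery
      - "4789"  # overlay network (vxlan, udp)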
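  - name: allow port 80 and 443
    become: true
    ufw:
      rule: allow
      port: "{{ item }}"
      # Plain http/https only, so tcp rather than "any".
      proto: tcp
    # Quoted so the values stay strings when templated.
    with_items:
      - "80"
      - "443"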
  67. - name: enable UFW
  68. become: yes
  69. ufw:
  70. state: reloaded