ansible-ufw-config
Configuring UFW with the Ansible role weareinteractive.ufw.
In this tutorial we will see how to configure ufw, the firewall on Ubuntu and other Linux systems.
You can read more about ufw in its own documentation.
Using Ansible, I will show you how to configure ufw with the role weareinteractive.ufw.
Ansible weareinteractive.ufw role
Prerequisites
- An Ubuntu or Debian server
- Ansible must be installed on the master (control) machine.
- Service configuration
- Configuration of the ufw rules.
- Initialize the weareinteractive.ufw role with ansible-galaxy
In your project folder, e.g. ansible-ufw, type this command:
ansible-galaxy init roles/weareinteractive.ufw
- Configuring the weareinteractive.ufw role
Here we configure the role.
cd roles/weareinteractive.ufw
weareinteractive.ufw role configuration
In the defaults folder
- First step: roles/weareinteractive.ufw/defaults/main.yml
---
# Start the service and enable it on system boot
ufw_enabled: true
# List of packages to install
ufw_packages: ["ufw"]
# The service name
ufw_service: ufw
# List of rules to be applied
# see https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html for documentation
ufw_rules:
  - rule: allow
    to_port: 22
# Manage the configuration file
ufw_manage_config: false
# Configuration object passed to the configuration file
ufw_config:
  IPV6: "yes"
  DEFAULT_INPUT_POLICY: DROP
  DEFAULT_OUTPUT_POLICY: ACCEPT
  DEFAULT_FORWARD_POLICY: DROP
  DEFAULT_APPLICATION_POLICY: SKIP
  MANAGE_BUILTINS: "no"
  IPT_SYSCTL: /etc/ufw/sysctl.conf
  IPT_MODULES: ""
# Path to the configuration file
ufw_config_file: /etc/default/ufw
- The handlers/main.yml file
---
- name: reset ufw
  community.general.ufw:
    state: reset

- name: reload ufw
  community.general.ufw:
    state: reloaded
  when: ufw_enabled | bool
- Configuration of the meta/main.yml file
---
dependencies: []

galaxy_info:
  author: franklin
  company: We Are Interactive
  description: Installs and configures ufw
  min_ansible_version: "2.10"
  license: MIT
  platforms:
    - name: EL
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags:
    - system
    - firewall
    - security
    - network
    - ufw
- In the molecule/default/converge.yml file
---
- name: Converge
  hosts: all
  become: true
  collections:
    - community.general
  vars:
    ufw_enabled: false
    ufw_rules: []
  pre_tasks:
    - name: Update apt cache.
      apt:
        update_cache: true
        cache_valid_time: 600
      when: ansible_os_family == 'Debian'
  roles:
    - weareinteractive.ufw
- In the molecule/default/molecule.yml file
---
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  yamllint .
  ansible-lint
platforms:
  - name: instance
    image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu2004}-ansible:latest"
    command: ${MOLECULE_DOCKER_COMMAND:-""}
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    privileged: true
    pre_build_image: true
    capabilities: ['NET_ADMIN']
provisioner:
  name: ansible
  playbooks:
    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
verifier:
  name: ansible
- Task configuration
Create the following files in the tasks folder; main.yml imports them and they are executed in that order.
- config.yml
- install.yml
- main.yml
- manage.yml
- service.yml
- config.yml
---
- name: Configuring service
  template:
    src: "{{ ufw_config_file | basename }}.j2"
    dest: "{{ ufw_config_file }}"
    mode: "0644"
  notify: reload ufw
  when: ufw_manage_config | bool
- install.yml
---
- name: Installing packages
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ ufw_packages }}"
- manage.yml
---
- name: Applying rules
  community.general.ufw:
    comment: "{{ item.comment | default(omit) }}"
    default: "{{ item.default | default(omit) }}"
    delete: "{{ item.delete | default(omit) }}"
    direction: "{{ item.direction | default(omit) }}"
    from_ip: "{{ item.from_ip | default(omit) }}"
    from_port: "{{ item.from_port | default(omit) }}"
    insert: "{{ item.insert | default(omit) }}"
    insert_relative_to: "{{ item.insert_relative_to | default(omit) }}"
    interface: "{{ item.interface | default(omit) }}"
    interface_in: "{{ item.interface_in | default(omit) }}"
    interface_out: "{{ item.interface_out | default(omit) }}"
    log: "{{ item.log | default(omit) }}"
    logging: "{{ item.logging | default(omit) }}"
    name: "{{ item.name | default(omit) }}"
    proto: "{{ item.proto | default(omit) }}"
    route: "{{ item.route | default(omit) }}"
    rule: "{{ item.rule | default(omit) }}"
    to_ip: "{{ item.to_ip | default(omit) }}"
    to_port: "{{ item.to_port | default(omit) }}"
  with_items: "{{ ufw_rules }}"
- service.yml
---
- name: Configuring service state
  community.general.ufw:
    state: "{{ 'enabled' if ufw_enabled else 'disabled' }}"
- main.yml
---
- import_tasks: install.yml
- import_tasks: service.yml
- import_tasks: config.yml
- import_tasks: manage.yml
- In the role's templates folder: templates/ufw.j2
Add this code:
# {{ ansible_managed }}
{% for key, value in ufw_config.items() %}
{{ key }}={{ value }}
{% endfor %}
Playbook configuration (playbook-ufw.yml in the project folder)
# @see https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html#examples
---
- hosts: all
  become: true
  roles:
    - weareinteractive.ufw
  vars:
    ufw_rules:
      # Set logging
      - logging: "full"
      # Allow OpenSSH
      - rule: allow
        name: OpenSSH
      # Delete OpenSSH rule
      - rule: allow
        name: OpenSSH
        delete: true
      # Allow all access to tcp port 80
      - rule: allow
        to_port: '80'
        proto: tcp
    # Manage the configuration file
    ufw_manage_config: true
    # Configuration object passed to the configuration file
    ufw_config:
      IPV6: "yes"
      DEFAULT_INPUT_POLICY: DROP
      DEFAULT_OUTPUT_POLICY: ACCEPT
      DEFAULT_FORWARD_POLICY: DROP
      DEFAULT_APPLICATION_POLICY: SKIP
      MANAGE_BUILTINS: "no"
      IPT_SYSCTL: /etc/ufw/sysctl.conf
      IPT_MODULES: ""
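Added example, not part of the role or of this tutorial: a small Python pre-flight check that replays a ufw_rules list the way manage.yml applies it (in order, honouring delete: true) and reports whether, with ufw_enabled and DEFAULT_INPUT_POLICY=DROP, an allow rule for SSH survives. The vars embedded below are a constructed copy of the playbook above, where the OpenSSH rule is added and then deleted; SSH_MARKERS and the function names are my own assumptions.

```python
# Constructed for this tutorial; not part of the weareinteractive.ufw role.
SSH_MARKERS = {"22", "openssh", "ssh"}  # assumption: ports/app profiles that mean SSH


def _is_ssh(rule: dict) -> bool:
    """True if an allow rule targets SSH by port or by ufw application profile."""
    port = str(rule.get("to_port", "")).lower()
    name = str(rule.get("name", "")).lower()
    return port in SSH_MARKERS or name in SSH_MARKERS


def effective_allows(ufw_rules: list) -> list:
    """Replay the list as manage.yml does: items are applied in order and an
    item with delete: true removes the identical rule added earlier.
    Entries without a 'rule' key (logging:, default:) add no filter rule."""
    active = []
    for item in ufw_rules:
        if "rule" not in item:
            continue
        spec = {k: v for k, v in item.items() if k != "delete"}
        if item.get("delete"):
            active = [r for r in active if r != spec]
        elif spec not in active:
            active.append(spec)
    return [r for r in active if r.get("rule") == "allow"]


def ssh_lockout_risk(play_vars: dict) -> bool:
    """True when the play enables ufw with DEFAULT_INPUT_POLICY=DROP and no
    allow rule for SSH survives, so new SSH sessions would be refused."""
    enabled = bool(play_vars.get("ufw_enabled", True))  # role default: true
    policy = play_vars.get("ufw_config", {}).get("DEFAULT_INPUT_POLICY", "DROP")
    allows = effective_allows(play_vars.get("ufw_rules", []))
    return enabled and policy == "DROP" and not any(_is_ssh(r) for r in allows)


# Constructed sample: the vars of the playbook above (OpenSSH allowed, then deleted).
PLAYBOOK_VARS = {
    "ufw_enabled": True,
    "ufw_rules": [
        {"logging": "full"},
        {"rule": "allow", "name": "OpenSSH"},
        {"rule": "allow", "name": "OpenSSH", "delete": True},
        {"rule": "allow", "to_port": "80", "proto": "tcp"},
    ],
    "ufw_config": {"DEFAULT_INPUT_POLICY": "DROP"},
}

if __name__ == "__main__":
    print("SSH lockout risk:", ssh_lockout_risk(PLAYBOOK_VARS))
```

With the playbook's own rule list the check reports a lockout risk, while the role's defaults (allow to_port 22) pass; run it against your vars before applying the play to a remote host.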
Run ansible playbook
ansible-playbook -i hosts playbook-ufw.yml