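---
# Firewall tasks: install ufw (Arch only), bring it up, add the allow rules
# for SSH and SPICE, then switch the default inbound policy to deny.
#
# Ordering note: ufw is enabled with "policy: allow" before any rule exists,
# so between "start ufw in allow mode" and "restore default deny policy"
# every inbound connection is accepted. If a task in between fails, the play
# stops with the host left in allow-all state. If that window is not
# acceptable, add the rules and the deny policy first and enable ufw last,
# or wrap these tasks in a block whose `always:` section reinstates the deny
# policy.

- name: install ufw arch
  become: true
  community.general.pacman:
    name: "{{ firewall_package }}"
    # NOTE(review): "latest" upgrades the package on every run rather than
    # only ensuring it is installed; use "present" if that is all the role
    # needs - confirm against the role's update policy.
    state: latest
    update_cache: true
  when:
    - ansible_os_family == 'Arch'

# NOTE(review): only the install step is gated on Arch; the tasks below run
# on every host this file is applied to and assume ufw is already present.
- name: start ufw in allow mode
  become: true
  community.general.ufw:
    policy: allow
    state: enabled

- name: start and enable ufw service
  become: true
  ansible.builtin.service:
    name: ufw.service
    state: started
    enabled: true  # was "yes" (YAML 1.1 truthy); canonical boolean instead

- name: add ssh rules
  become: true
  community.general.ufw:
    comment: SSH access
    rule: allow
    to_port: '22'  # quoted so the port never parses as an integer
    proto: tcp
    interface: "{{ firewall_ssh_interface }}"
    direction: in
    src: "{{ item }}"
  # Source networks allowed to reach SSH; the SPICE task below uses the same
  # list - keep the two in sync (or hoist them into a single variable).
  loop:
    - 192.168.20.0/24
    - 192.168.72.0/24
    - 2406:e001:a:cb20::/64

- name: add spice rules
  become: true
  community.general.ufw:
    comment: SPICE access to guests
    rule: allow
    to_port: '5901:5904'  # port range; quoted for consistency with '22'
    proto: tcp
    interface: "{{ firewall_spice_interface }}"
    direction: in
    src: "{{ item }}"
  loop:
    - 192.168.20.0/24
    - 192.168.72.0/24
    - 2406:e001:a:cb20::/64

# Must always run after the rule tasks above; it closes the allow-all window
# opened by "start ufw in allow mode". Do not add a `when` guard here.
- name: restore default deny policy
  become: true
  community.general.ufw:
    policy: deny
    logging: low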