commit 3b698b913383c240c8bd83c1b4bc96733271a0f4
Author: decentral1se
Date: Mon May 30 14:02:36 2022 +0200
init
diff --git a/.ansible-lint.yml b/.ansible-lint.yml
new file mode 100644
index 0000000..25636f8
--- /dev/null
+++ b/.ansible-lint.yml
@@ -0,0 +1,4 @@
+---
+skip_list:
+ - fqcn-builtins
+ - experimental
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..e99fc25
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,16 @@
+----
+kind: pipeline
+name: default
+steps:
+ - name: integration test
+ image: python:3.9-buster
+ environment:
+ REMOTE_USER: molecule
+ HCLOUD_TOKEN:
+ from_secret: HCLOUD_TOKEN
+ commands:
+ - apt update && apt install -y pwgen
+ - mkdir -p /root/.ansible/roles && ln -sr . /root/.ansible/roles/autonomic.ufw
+ - export INSTANCE_UUID=$(pwgen 8 1)
+ - pip install -r requirements.txt
+ - molecule test
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..8a266bf
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1,18 @@
+# Your username that you use for accounts on our machines.
+export REMOTE_USER=
+export ANSIBLE_USER=$REMOTE_USER
+
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=
+
+# The Hetzner Cloud API token for managing our instances
+# Uncomment the prod/test line below depending on what you're doing
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/prod/api_key)
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/test/api_key)
+export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)
+
+# For molecule role testing
+export INSTANCE_UUID=$RANDOM
+
+# So molecule will show credentials in the logs
+export MOLECULE_NO_LOG=False
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100755
index 0000000..456c99c
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,16 @@
+---
+extends: default
+
+yaml-files:
+ - "*.yaml"
+ - "*.yml"
+
+ignore: |
+ .venv
+ .drone.yml
+
+rules:
+ line-length: disable
+ braces:
+ max-spaces-inside: 1
+ level: error
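Review bot: The first line of the .drone.yml hunk is `+----`, four dashes, where a YAML document start is `---`; if the file really contains that rather than it being an artifact of this rendering, `----` is a plain scalar and the following `kind: pipeline` line cannot be parsed as a mapping, so Drone would reject the pipeline before any step runs. Because `.yamllint.yml` in this same commit lists `.drone.yml` under `ignore`, the linter would not catch it either. Change the line to `---` and consider dropping that ignore entry so the pipeline file is checked along with the rest.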
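Review bot: The comment block above the active `export HCLOUD_TOKEN=...` line tells the reader to uncomment the prod/test line, but the line left enabled reads the `cicd` key, so the instruction does not describe the default; reword it to something like `# Uses the CI/CD token by default; uncomment one of the prod/test lines instead when you need to manage those instances`. Separately, `export MOLECULE_NO_LOG=False` is, per its own comment, there so that molecule prints credentials in the logs, which includes the token read just above; the comment should say this is for local debugging only and must not be carried into the Drone environment (the pipeline in this commit does not set it, which is correct).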
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..a1293f3
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,15 @@
+autonomic.ufw: Configures an allow/block list on the firewall using UFW
+Copyright (C) 2022 Autonomic Co-operative
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e8bae52
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# autonomic.ufw
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.ufw/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.ufw)
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..dd0782b
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+ufw_disallow_ports:
+ - "22" # blocking the known SSH defaults
+
+ufw_allow_ports:
+ - "222" # default Autonomic SSH port
+ - "443" # default webserver SSL port
+ - "80" # default webserver clear net port
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..de2de22
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart ufw
+ become: true
+ service:
+ name: ufw
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..06288e3
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,17 @@
+---
+dependencies: []
+galaxy_info:
+ role_name: ufw
+ namespace: autonomic
+ author: autonomic
+ description: |
+ Configures an allow/block list on the firewall using UFW, the
+ "uncomplicated firewall", which is a more user friendly front-end for
+ iptables.
+ company: Autonomic
+ license: GPLv3
+ min_ansible_version: 2.9
+ platforms:
+ - name: Debian
+ versions:
+ - buster
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..4a818d9
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: autonomic.ufw
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..f1a32bf
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,19 @@
+---
+dependency:
+ name: galaxy
+
+driver:
+ name: hetznercloud
+
+platforms:
+ - name: "autonomic.ufw-${INSTANCE_UUID}"
+ server_type: cx11
+ image: debian-10
+
+provisioner:
+ name: ansible
+
+lint: |
+ set -e
+ yamllint -c .yamllint.yml .
+ ansible-lint --exclude .drone.yml -c .ansible-lint.yml .
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..7d6c96a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ab819b2
--- /dev/null
+++ b/tasks/main.yml
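Review bot: `min_ansible_version: 2.9` in meta/main.yml is an unquoted float; it round-trips today, but the next bump to `2.10` would be read as `2.1` by any YAML loader, so write it as a string now: `min_ansible_version: "2.9"`. The `platforms` entry only lists `buster`, which matches the `debian-10` image in molecule.yml in this commit; if the role is later tested on another image, both places need updating together.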
@@ -0,0 +1,33 @@
+---
+- name: Update the package cache
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+
+- name: Install ufw
+ apt:
+ name: ufw
+
+- name: "Allow access on ports: {{ ufw_allow_ports | join(' ') }}"
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ state: enabled
+ with_items: "{{ ufw_allow_ports }}"
+ notify: Restart ufw
+
+- name: "Disallow access on ports: {{ ufw_disallow_ports | join(' ') }}"
+ ufw:
+ rule: deny
+ port: "{{ item }}"
+ with_items: "{{ ufw_disallow_ports }}"
+ notify: Restart ufw
+
+- name: Default policy deny
+ ufw:
+ policy: deny
+
+- name: Enable the firewall
+ ufw:
+ state: enabled
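Review bot: The `Disallow access` task denies every port in `ufw_disallow_ports`, which defaults to `"22"` in this commit, with no check that it is not the port the Ansible connection itself is using; a fresh `debian-10` host (the molecule image here) has sshd on 22, so unless an earlier role has already moved it to 222 the first converge would presumably cut off new SSH connections and molecule's later idempotence run could not reconnect. An `assert` before the ufw tasks turns that silent lockout into an explicit failure (see below). Two smaller points: the handler in handlers/main.yml sets `become: true` while none of the apt/ufw tasks here do, so either the play already runs as root or these tasks need `become: true` as well; and `state: enabled` inside the `Allow access` loop enables the firewall on the first iteration, before the deny rules and default policy exist, which duplicates the final `Enable the firewall` task and makes the order of `ufw_allow_ports` matter — drop it from the loop and keep only the final task.

```yaml
- name: Refuse to deny the port used by the Ansible connection
  assert:
    that:
      - (ansible_port | default(22) | string) not in ufw_disallow_ports
    fail_msg: "ufw_disallow_ports contains the port this connection uses"

# … unchanged: package cache, ufw install, allow/deny, default policy and enable tasks …
```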