Diffstat (limited to 'roles/common')
| -rw-r--r-- | roles/common/tasks/main.yml | 2 | ||||
| -rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 4 | 
2 files changed, 3 insertions, 3 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 55c1489..fc692fa 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,39 +1,39 @@
 ---
 - import_tasks: sysctl.yml
   tags: sysctl
 - import_tasks: hosts.yml
 - import_tasks: apt.yml
   tags: apt
 - name: Install intel-microcode
   apt: pkg=intel-microcode
   when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
   tags: intel
 - import_tasks: firewall.yml
   tags:
     - firewall
     - iptables
     - nftables
 - import_tasks: stunnel.yml
   tags: stunnel
-  when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
+  when: "'webmail' in group_names and 'LDAP_provider' not in group_names"
 - import_tasks: auditd.yml
   tags: auditd
 - import_tasks: unbound.yml
   tags:
     - unbound
     - dns
   when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
 - import_tasks: rkhunter.yml
   tags: rkhunter
 - import_tasks: clamav.yml
   tags: clamav
 - import_tasks: fail2ban.yml
   tags: fail2ban
 - import_tasks: smart.yml
   tags:
     - smartmontools
     - smart
   when: "not ansible_virtualization_role == 'guest'"
 - name: Copy genkeypair.sh and gendhparam.sh
   copy: src=usr/local/bin/{{ item }}
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 098a66d..fc7691a 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
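Review bot: The renamed guard on the stunnel task, `when: "'webmail' in group_names and 'LDAP_provider' not in group_names"`, evaluates to true on the LDAP provider if any inventory source still defines the group under its old spelling `LDAP-provider`, because a membership test against `group_names` never errors for a group that does not exist — stunnel.yml would then run on exactly the host the condition is meant to exclude. The diffstat shown is limited to roles/common, so whether the inventory was renamed in the same commit cannot be seen here; if it was not, Ansible only warns about the hyphenated name and may or may not rewrite it depending on `TRANSFORM_INVALID_GROUP_CHARS`. A guard at the top of this file turns the mismatch into a hard failure instead: `- assert: { that: "'LDAP-provider' not in groups", fail_msg: "inventory still uses the old group name LDAP-provider" }`. The hunk ends inside the `Copy genkeypair.sh and gendhparam.sh` task, whose remaining arguments are outside it.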
@@ -1,52 +1,52 @@
 #!/usr/sbin/nft -f
 define in-tcp-ports = {
     {{ ansible_port|default(22) }}
 {% if 'MX' in group_names %}
   , 25      # SMTP
 {% endif %}
-{% if 'LDAP-provider' in group_names %}
+{% if 'LDAP_provider' in group_names %}
   , 636     # ldaps
 {% endif %}
 {% if 'IMAP' in group_names %}
   , 993     # imaps
   , 4190    # ManageSieve
 {% endif %}
 {% if 'MSA' in group_names %}
   , 587     # submission [RFC4409]
   , 465     # submission over TLS [RFC8314]
 {% endif %}
 {% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %}
   , 80      # HTTP
   , 443     # HTTP over SSL/TLS
 {% endif %}
 }
 define out-tcp-ports = {
     22
   , 80      # HTTP
   , 443     # HTTP over SSL/TLS
 {% if 'out' in group_names or 'MSA' in group_names %}
   , 25      # SMTP
 {% endif %}
-{% if 'LDAP-provider' in group_names %}
+{% if 'LDAP_provider' in group_names %}
   , 11371   # OpenPGP HTTP Keyserver
   , 43      # whois
 {% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %}
   , 636     # ldaps
 {% endif %}
 {% if 'IMAP' in group_names %}
   , 2703    # Razor2
 {% endif %}
 }
 ###############################################################################
 flush ruleset
 table inet filter {
     # blackholes
     set fail2ban  { type ipv4_addr; timeout 10m; }
     set fail2ban6 { type ipv6_addr; timeout 10m; }
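Review bot: Both renamed guards, `{% if 'LDAP_provider' in group_names %}` in `in-tcp-ports` and again in `out-tcp-ports`, degrade silently rather than fail if a host is still inventoried as `LDAP-provider`: inbound 636 is simply no longer opened on the provider (fails closed, the safe direction), but a provider that is also in MX, lists or nextcloud then falls through to the `elif` branch and gains outbound 636 that the old rendering did not grant. Because this file is rendered per host from `group_names`, nothing at template time can notice the mismatch; the check belongs in the tasks that render it (firewall.yml, not in this diff), and since the diffstat shown covers only roles/common, a `git grep -n LDAP-provider` across the whole repository before merging is the cheapest way to confirm no stale reference remains. A comment above the first guard, `{# must match the inventory group name exactly; a stale 'LDAP-provider' group silently drops ldaps here #}`, would spare the next reader the same trace. The `table inet filter` block continues past the end of the hunk.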
