Ansible mail server: dos2unix... remove ipv6, many small updates

Jeff Moe 7 years ago
parent d5b4aa8d81
commit 51e428be6d

@ -1,14 +1,14 @@
# Ansible connection configuration # Ansible connection configuration
# It is suggested that this file be encrypted with ansible-vault # It is suggested that this file be encrypted with ansible-vault
ansible_port: 22 ansible_port: 26101
ansible_user: ssh_user ansible_user: jebba
ansible_ssh_private_key_file: /path/to/pem ansible_ssh_private_key_file: /home/jebba/.ssh/id_ed25519
# Uncomment to use SSH password instead of pem key # Uncomment to use SSH password instead of pem key
# If you uncomment this, comment out the key_file line above # If you uncomment this, comment out the key_file line above
#ansible_ssh_pass: mypassword #ansible_ssh_pass: mypassword
# Domain variables required for the playbook # Domain variables required for the playbook
var_domain: forksand.io var_domain: forksand.com
var_mail_domain: mail.forksand.io var_mail_domain: mx1.forksand.com
var_relay_domain: forksand.com var_relay_domain: forksand.com
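Review bot: The new `ansible_user`, `ansible_port` and `ansible_ssh_private_key_file` values are live connection details committed in clear, while the comment two lines above still only "suggests" ansible-vault; together with the `#ansible_ssh_pass: mypassword` template this is exactly the file that will hold a real password the first time someone uncomments that line. Keep the committed copy as an example with the old placeholder values (e.g. `connection.yml.example`) and keep the real one vaulted or in `.gitignore`, so the repo never carries a working login. The absolute key path also pins the playbook to one operator's home directory; a path relative to `~` (Ansible expands it for this setting, but confirm on the version in use) would let anyone holding the key run it.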

@ -1,6 +1,7 @@
all: all:
hosts: hosts:
10.0.0.1: # Example host 174.128.244.233: # mx1.forksand.com
# 174.128.244.234: # mx2.forksand.com
# Additional hosts can be specified by adding them below # Additional hosts can be specified by adding them below
#10.0.0.2: # Example host 2. Uncomment line to use #10.0.0.2: # Example host 2. Uncomment line to use

@ -73,4 +73,5 @@
content: | content: |
localhost localhost
127.0.0.0/8 127.0.0.0/8
10.0.2.0/24 174.128.244.233
174.128.244.234
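Review bot: The two public addresses added to this `content:` block are typed by hand, and the same pair is repeated in two more lists later in this commit, so the three trust lists will drift apart the next time a host changes. Drive them from one variable next to `var_domain`, e.g. `var_mx_hosts: ['174.128.244.233', '174.128.244.234']`, and render the list with `{% for h in var_mx_hosts %}{{ h }}` / `{% endfor %}` inside the content. Note also that 174.128.244.234 is still commented out of the inventory, so if this list grants relay or trust (the `localhost`/`127.0.0.0/8` entries suggest a Postfix mynetworks-style set) it is being granted to a host this playbook does not yet manage — presumably intentional, but worth confirming. The enclosing task starts before this hunk.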

@ -1,3 +1,3 @@
{{ domain }} {{ domain }}
10.0.2.15/255.255.255.0 174.128.244.233
70.39.125.71 174.128.244.234

@ -1,5 +1,5 @@
localhost localhost
127.0.0.0/8 127.0.0.0/8
{{ domain }} {{ domain }}
70.39.125.71 174.128.244.233
10.0.2.0/24 174.128.244.234

@ -19,5 +19,5 @@ service auth {
} }
} }
service auth-worker { service auth-worker {
user = $default_internal_user group = shadow
} }
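Review bot: Replacing `user = $default_internal_user` with `group = shadow` leaves auth-worker on Dovecot's default user, which in the stock `10-master.conf` is root (the shipped comment says it runs as root precisely so it can read /etc/shadow), so this change widens the worker's privilege rather than narrowing it. If the intent is to let a non-root worker read /etc/shadow, keep both settings: `user = $default_internal_user` and `group = shadow`. Verify with `doveconf -n` that the effective user is non-root, and check that /etc/shadow is actually group `shadow` on the target distro (Debian yes; RHEL ships it root:root mode 0000, where this setting does nothing). The `service auth {` block from the hunk header ends just above, and the file continues past this hunk.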

@ -1,6 +1,5 @@
--- ---
firewall_v4_configure: true firewall_v4_configure: true
firewall_v6_configure: false
firewall_v4_default_rules: firewall_v4_default_rules:
001 default policies: 001 default policies:
@ -11,7 +10,7 @@ firewall_v4_default_rules:
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
200 allow ssh ports: 200 allow ssh ports:
- -A INPUT -p tcp --dport 22 -j ACCEPT - -A INPUT -p tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp --dport 33957 -j ACCEPT - -A INPUT -p tcp --dport 26101 -j ACCEPT
201 allow http port: 201 allow http port:
- -A INPUT -p tcp --dport 80 -j ACCEPT - -A INPUT -p tcp --dport 80 -j ACCEPT
202 allow smtp ports: 202 allow smtp ports:
@ -28,6 +27,3 @@ firewall_v4_default_rules:
firewall_v4_group_rules: {} firewall_v4_group_rules: {}
firewall_v4_host_rules: {} firewall_v4_host_rules: {}
firewall_v6_default_rules: {}
firewall_v6_group_rules: {}
firewall_v6_host_rules: {}
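Review bot: Dropping `firewall_v6_configure` and the `firewall_v6_*` rule sets means no ip6tables policy is applied at all, and the kernel's default for the v6 filter table is ACCEPT, so on a host with a routable IPv6 address every listening service (SSH, SMTP, HTTP) becomes reachable over v6 with no filtering while v4 keeps its DROP policy — the commit title says "remove ipv6" but nothing in this diff disables the v6 stack. Either keep a minimal v6 ruleset (`-P INPUT DROP`, `-P FORWARD DROP`, allow `lo` and ICMPv6) or add a sysctl task such as `sysctl: name=net.ipv6.conf.all.disable_ipv6 value=1 state=present reload=yes` alongside this change. Separately, `200 allow ssh ports` still opens 22 next to the new 26101 although `ansible_port` moved to 26101; if sshd no longer listens on 22 the rule is dead weight, and if it still does the port move buys nothing, so one of the two should go.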

@ -8,15 +8,15 @@
- name: Check if netfilter-persistent is present - name: Check if netfilter-persistent is present
shell: which netfilter-persistent shell: which netfilter-persistent
register: is_netfilter register: is_netfilter
when: v4_script|changed or v6_script|changed when: v4_script|changed
changed_when: false changed_when: false
ignore_errors: yes ignore_errors: yes
check_mode: no check_mode: no
- name: Save rules (netfilter-persistent) - name: Save rules (netfilter-persistent)
command: netfilter-persistent save command: netfilter-persistent save
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 0 when: not ansible_check_mode and v4_script|changed and is_netfilter.rc == 0
- name: Save rules (iptables-persistent) - name: Save rules (iptables-persistent)
command: /etc/init.d/iptables-persistent save command: /etc/init.d/iptables-persistent save
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 1 when: not ansible_check_mode and v4_script|changed and is_netfilter.rc == 1
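Review bot: `v4_script|changed` is the filter form that Ansible deprecated in 2.5 in favour of the test form `v4_script is changed` (and removed in 2.9); since all three `when:` lines are being rewritten here anyway, switching them avoids the deprecation warning and the eventual hard error. The iptables-persistent fallback keys on `is_netfilter.rc == 1`, but `which` is not guaranteed to return exactly 1 when the binary is absent, so `is_netfilter.rc != 0` is the more robust test. `shell: which netfilter-persistent` can also be `command:` since it needs no shell features.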

@ -3,10 +3,6 @@
shell: iptables-save -c > /etc/sysconfig/iptables shell: iptables-save -c > /etc/sysconfig/iptables
when: v4_script|changed when: v4_script|changed
- name: Save v6 rules (/etc/sysconfig/ip6tables)
shell: ip6tables-save -c > /etc/sysconfig/ip6tables
when: v6_script|changed
- name: Ensure iptables service is installed - name: Ensure iptables service is installed
yum: name=iptables-services state=present update_cache=yes yum: name=iptables-services state=present update_cache=yes
when: ansible_distribution_major_version >= '7' when: ansible_distribution_major_version >= '7'
@ -17,7 +13,3 @@
- name: Ensure iptables service is enabled & started - name: Ensure iptables service is enabled & started
service: name=iptables enabled=yes state=started service: name=iptables enabled=yes state=started
- name: Ensure ip6tables service is enabled & started
service: name=ip6tables enabled=yes state=started
when: firewall_v6_configure

@ -13,16 +13,3 @@
'Table does not exist' in v4_script_load_result.stderr 'Table does not exist' in v4_script_load_result.stderr
when: v4_script|changed when: v4_script|changed
- name: Generate v6 rules
template: src=generated.v6.j2 dest=/etc/iptables.v6.generated owner=root group=root mode=755
register: v6_script
when: firewall_v6_configure
- name: Load v6 rules
command: /etc/iptables.v6.generated
register: v6_script_load_result
failed_when: >-
v6_script_load_result.rc != 0 or
'unknown option' in v6_script_load_result.stderr or
'Table does not exist' in v6_script_load_result.stderr
when: v6_script|changed

@ -1,26 +0,0 @@
#!/bin/sh
# {{ ansible_managed }}
{% set merged = firewall_v6_default_rules.copy() %}
{% set _ = merged.update(firewall_v6_group_rules) %}
{% set _ = merged.update(firewall_v6_host_rules) %}
# flush rules & delete user-defined chains
ip6tables -F
ip6tables -X
ip6tables -t raw -F
ip6tables -t raw -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
{% for group, rules in merged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
ip6tables {{ rule }}
{% endfor %}
{% endfor %}

@ -4,8 +4,6 @@
roles: roles:
- role: . - role: .
firewall_v6_configure: true
firewall_v4_group_rules: firewall_v4_group_rules:
400 allow http: 400 allow http:
- -A INPUT -p tcp --dport http -j ACCEPT - -A INPUT -p tcp --dport http -j ACCEPT
@ -14,14 +12,6 @@
firewall_v4_host_rules: firewall_v4_host_rules:
400 allow 7890: [] 400 allow 7890: []
firewall_v6_group_rules:
400 allow http:
- -A INPUT -p tcp --dport http -j ACCEPT
400 allow 7890:
- -A INPUT -p tcp --dport 7890 -j ACCEPT
firewall_v6_host_rules:
400 allow 7890: []
tasks: tasks:
- name: Retrieve v4 rules - name: Retrieve v4 rules
command: iptables -L -n command: iptables -L -n
@ -45,24 +35,3 @@
that: "'tcp dpt:7890' not in v4_rules.stdout" that: "'tcp dpt:7890' not in v4_rules.stdout"
when: not ansible_check_mode when: not ansible_check_mode
- name: Retrieve v6 rules
command: ip6tables -L -n
changed_when: false
register: v6_rules
when: not ansible_check_mode
- name: Check that INPUT policy has been applied
assert:
that: "'Chain INPUT (policy DROP' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that a default rule has been applied
assert:
that: "'tcp dpt:22' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that a group rule has been applied
assert:
that: "'tcp dpt:80' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that deleted rules are deleted
assert:
that: "'tcp dpt:7890' not in v6_rules.stdout"
when: not ansible_check_mode

@ -1,3 +1,3 @@
root: jebba root: jebba
jebba: jebba-mail@{{ relay_domain }} #jebba: jebba-mail@{{ relay_domain }}
nobody: /dev/null nobody: /dev/null
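Review bot: Commenting out the `jebba:` entry means mail to root (aliased to `jebba` on the line above) now terminates in a local mailbox on the MX instead of being forwarded to `jebba-mail@{{ relay_domain }}`; if that is the intent it deserves a one-line comment saying so, because otherwise the root alias has quietly lost its off-box destination and nobody will see cron or Postfix error mail. Note that `{{ relay_domain }}` inside a `#` line is still evaluated by Jinja at template time, so `relay_domain` must remain defined or the task fails on an undefined variable — if the line is meant to be dead, drop it or escape it as `{{ '{{' }} relay_domain }}`. Presumably a `newaliases` handler already runs after this template changes; confirm, since the aliases DB is not rebuilt on its own.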