diff --git a/roles/ppm/files/ppmfirewall b/roles/ppm/files/ppmfirewall index a91cf0a..1f63bd8 100644 --- a/roles/ppm/files/ppmfirewall +++ b/roles/ppm/files/ppmfirewall @@ -3,45 +3,20 @@ # PPM Firewall {% for app in otherapps -%} -# App {{ app }} {%- if "firewall" in otherapps[app]["imports"] -%} {%- set oneapp = otherapps[app]["imports"]["firewall"] %} -{%- for redirect in oneapp.redirect %} -{%- if redirect.version == "ipv4" %} -{%- if redirect.ip is defined %} -# Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} -inputinterface=$(ip -o -4 addr show | awk '$3 == "inet" && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}') -iptables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT -iptables -t nat -A PREROUTING $inputinterface -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -iptables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -{%- else %} + +{% for redirect in oneapp.redirect %} # Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} -iptables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT -iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -{%- endif %} -{%- else %}{# ipv6 #} -{%- if redirect.ip is defined %} -# Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} -inputinterface=$(ip -o -6 addr show | awk '$3 == "inet6" && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}') -ip6tables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT -ip6tables -t nat -A PREROUTING -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -ip6tables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -{%- else %} -# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} -ip6tables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT -ip6tables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -ip6tables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} -{%- endif %} -{%- endif %} -{%- endfor %} -{%- for openport in oneapp.open %} -# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }} -{%- if redirect.version == "ipv4" %} -iptables -A INPUT {% if firewall_bindservices_ipv4 is defined %}-s {{firewall_bindservices_ipv4 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT -{%- else %} -ip6tables -A INPUT {% if firewall_bindservices_ipv6 is defined %}-s {{firewall_bindservices_ipv6 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT -{%- endif %} -{%- endfor %} -{%- endif %} +iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT +ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT +iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} +ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} +{% endfor %} +{% for openport in oneapp.open %} +# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }} +iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT +ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT +{% endfor %} +{% endif %} {% endfor %} diff --git a/roles/ppm/tasks/main.yml b/roles/ppm/tasks/main.yml index e0bd451..8a52276 100644 --- a/roles/ppm/tasks/main.yml +++ b/roles/ppm/tasks/main.yml @@ -7,7 +7,7 @@ loop_control: loop_var: ppm_app label: "{{ ppm_app.user }}" - when: ppm_app.on_server == inventory_hostname and ppm_app.enabled | default(true) + when: ppm_app.on_server == inventory_hostname - name: Arrange firewall ansible.builtin.import_tasks: firewall.yml diff --git a/roles/ppm/tasks/oneapp.yml b/roles/ppm/tasks/oneapp.yml index ccfa54c..976e9eb 100644 --- a/roles/ppm/tasks/oneapp.yml +++ b/roles/ppm/tasks/oneapp.yml @@ -2,7 +2,6 @@ ansible.builtin.user: name: "{{ ppm_app.user }}" shell: /bin/bash - home: "{{ ppm_app.homedir | default(omit) }}" register: ppm_app_user # Enabling linger will make systemd start the user-systemd for this user at bootup time @@ -19,23 +18,6 @@ line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)" regexp: ^export XDG_RUNTIME_DIR= -- name: "Ensure ssh configuration directory for user {{ ppm_app.user }}" - ansible.builtin.file: - state: directory - mode: "0700" - path: "{{ ppm_app_user.home }}/.ssh" - owner: "{{ ppm_app_user.name }}" - group: "{{ ppm_app_user.group }}" - -- name: "Place ssh key for user {{ ppm_app.user }}" - ansible.builtin.copy: - src: "{{ ppm_app.sshkey }}" - mode: "0600" - dest: "{{ ppm_app_user.home }}/.ssh/id_rsa" - owner: "{{ ppm_app_user.name }}" - group: "{{ ppm_app_user.group }}" - when: ppm_app.sshkey is defined - - name: "Place configuration ({{ ppm_app.user }})" ansible.builtin.copy: content: "{{ ppm_app.appconfig | dict2items | selectattr('key', 'ne', 'code') | items2dict | to_nice_yaml }}" @@ -74,5 +56,3 @@ - name: Show ppm output ansible.builtin.debug: var: ppm_setupstart - # Also mark it when the actual command changed, so it is easy to find... - changed_when: "'No changes have been made, everything was already ok' not in ppm_setupstart.stdout" diff --git a/roles/ppm/tasks/ppminstall.yml b/roles/ppm/tasks/ppminstall.yml index 3ece19d..022f3e8 100644 --- a/roles/ppm/tasks/ppminstall.yml +++ b/roles/ppm/tasks/ppminstall.yml @@ -10,8 +10,6 @@ - netavark # Required for rootless networking - slirp4netns - # Required for rootless networking - for trixie and above - - passt # podman-compose is also used in many apps we can install - podman-compose # Restic is currently the only supported backup system @@ -23,8 +21,6 @@ - git # Yeah we should use nftables, patches welcome. For now, we install iptables - iptables - # This is used in our zabbix scripts - - netcat-openbsd - name: Create state directory ansible.builtin.file: