

No commits in common. "c34b3c1d0f3f911b35fbe4adbe3c81a7942ed7a2" and "bb5ee5085f7f8724b74b3cd50ba274e009b71475" have entirely different histories.

4 changed files with 14 additions and 63 deletions


@ -3,45 +3,20 @@
# PPM Firewall # PPM Firewall
{% for app in otherapps -%} {% for app in otherapps -%}
# App {{ app }}
{%- if "firewall" in otherapps[app]["imports"] -%} {%- if "firewall" in otherapps[app]["imports"] -%}
{%- set oneapp = otherapps[app]["imports"]["firewall"] %} {%- set oneapp = otherapps[app]["imports"]["firewall"] %}
{%- for redirect in oneapp.redirect %}
{%- if redirect.version == "ipv4" %} {% for redirect in oneapp.redirect %}
{%- if redirect.ip is defined %}
# Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
inputinterface=$(ip -o -4 addr show | awk '$3 == "inet" && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}')
iptables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
iptables -t nat -A PREROUTING $inputinterface -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
iptables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
{%- else %}
# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} # Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
iptables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
{%- endif %} ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
{%- else %}{# ipv6 #} {% endfor %}
{%- if redirect.ip is defined %} {% for openport in oneapp.open %}
# Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }} # Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
inputinterface=$(ip -o -6 addr show | awk '$3 == "inet6" && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}') iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
ip6tables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
ip6tables -t nat -A PREROUTING -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} {% endfor %}
ip6tables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }} {% endif %}
{%- else %}
# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
ip6tables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
ip6tables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
ip6tables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- for openport in oneapp.open %}
# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
{%- if redirect.version == "ipv4" %}
iptables -A INPUT {% if firewall_bindservices_ipv4 is defined %}-s {{firewall_bindservices_ipv4 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
{%- else %}
ip6tables -A INPUT {% if firewall_bindservices_ipv6 is defined %}-s {{firewall_bindservices_ipv6 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
{%- endif %}
{%- endfor %}
{%- endif %}
{% endfor %} {% endfor %}
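Review bot: The nat PREROUTING lines on the new side (`iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}` and its ip6tables twin) carry no destination qualifier, so REDIRECT applies to every packet entering the host on that port, including traffic the host merely forwards; the `-m addrtype --dst-type LOCAL` match that the old side used is what limited the rewrite to locally-addressed packets, and on a host that forwards (the package list on this page installs podman with netavark/slirp4netns) its absence means transit traffic on `redirect.from` is pulled to the host itself. The INPUT ACCEPT rules for `openport` likewise no longer take the optional `-s {{ firewall_bindservices_ipv4 }}` / `-s {{ firewall_bindservices_ipv6 }}` source restriction, so an `open` entry is reachable from any source even where those variables are set. The new loop also drops the `redirect.version` / `redirect.ip` branches and emits both an iptables and an ip6tables rule for every redirect, which presumably widens each entry to both address families — worth confirming against the config schema. If the locally-destined restriction is still wanted, adding `-m addrtype --dst-type LOCAL` to the two PREROUTING lines and the two redirect INPUT lines restores it with no other change.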


@ -7,7 +7,7 @@
loop_control: loop_control:
loop_var: ppm_app loop_var: ppm_app
label: "{{ ppm_app.user }}" label: "{{ ppm_app.user }}"
when: ppm_app.on_server == inventory_hostname and ppm_app.enabled | default(true) when: ppm_app.on_server == inventory_hostname
- name: Arrange firewall - name: Arrange firewall
ansible.builtin.import_tasks: firewall.yml ansible.builtin.import_tasks: firewall.yml


@ -2,7 +2,6 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ ppm_app.user }}" name: "{{ ppm_app.user }}"
shell: /bin/bash shell: /bin/bash
home: "{{ ppm_app.homedir | default(omit) }}"
register: ppm_app_user register: ppm_app_user
# Enabling linger will make systemd start the user-systemd for this user at bootup time # Enabling linger will make systemd start the user-systemd for this user at bootup time
@ -19,23 +18,6 @@
line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)" line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)"
regexp: ^export XDG_RUNTIME_DIR= regexp: ^export XDG_RUNTIME_DIR=
- name: "Ensure ssh configuration directory for user {{ ppm_app.user }}"
ansible.builtin.file:
state: directory
mode: "0700"
path: "{{ ppm_app_user.home }}/.ssh"
owner: "{{ ppm_app_user.name }}"
group: "{{ ppm_app_user.group }}"
- name: "Place ssh key for user {{ ppm_app.user }}"
ansible.builtin.copy:
src: "{{ ppm_app.sshkey }}"
mode: "0600"
dest: "{{ ppm_app_user.home }}/.ssh/id_rsa"
owner: "{{ ppm_app_user.name }}"
group: "{{ ppm_app_user.group }}"
when: ppm_app.sshkey is defined
- name: "Place configuration ({{ ppm_app.user }})" - name: "Place configuration ({{ ppm_app.user }})"
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ ppm_app.appconfig | dict2items | selectattr('key', 'ne', 'code') | items2dict | to_nice_yaml }}" content: "{{ ppm_app.appconfig | dict2items | selectattr('key', 'ne', 'code') | items2dict | to_nice_yaml }}"
@ -74,5 +56,3 @@
- name: Show ppm output - name: Show ppm output
ansible.builtin.debug: ansible.builtin.debug:
var: ppm_setupstart var: ppm_setupstart
# Also mark it when the actual command changed, so it is easy to find...
changed_when: "'No changes have been made, everything was already ok' not in ppm_setupstart.stdout"
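Review bot: `register: ppm_app_user` is kept on the new side of the first hunk, but every consumer of it visible on this page — the `.ssh` directory and key tasks reading `{{ ppm_app_user.home }}`, `{{ ppm_app_user.name }}` and `{{ ppm_app_user.group }}` — is gone on the new side of the second hunk. If no task past the second hunk still reads the registered result, the `register:` line is dead and should be dropped; if one does, a short comment such as `# registered for the later tasks that need the resolved home/group` next to it would save the next reader the search. The rest of the file is outside the hunks shown, so this is inferred rather than confirmed.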


@ -10,8 +10,6 @@
- netavark - netavark
# Required for rootless networking # Required for rootless networking
- slirp4netns - slirp4netns
# Required for rootless networking - for trixie and above
- passt
# podman-compose is also used in many apps we can install # podman-compose is also used in many apps we can install
- podman-compose - podman-compose
# Restic is currently the only supported backup system # Restic is currently the only supported backup system
@ -23,8 +21,6 @@
- git - git
# Yeah we should use nftables, patches welcome. For now, we install iptables # Yeah we should use nftables, patches welcome. For now, we install iptables
- iptables - iptables
# This is used in our zabbix scripts
- netcat-openbsd
- name: Create state directory - name: Create state directory
ansible.builtin.file: ansible.builtin.file: