diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml
index 7977f76..615739d 100644
--- a/library/bootstrap-roles/centos-common/meta/main.yml
+++ b/library/bootstrap-roles/centos-common/meta/main.yml
@@ -6,9 +6,19 @@ dependencies:
- role: '../../library/roles/sshd_config'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- - role: '../../library/centos/roles/firewalld'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+ version: master
+ name: linux-firewall
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+ version: master
+ name: letsencrypt-acme-sh-client
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ state: latest
+ when: zabbix_agent_install is defined and zabbix_agent_install
- role: '../../library/centos/roles/fail2ban'
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
- { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
index a4cc33f..f3d25fc 100644
--- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
+++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
@@ -4,9 +4,19 @@ dependencies:
- role: '../../library/roles/rsyslog'
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- role: '../../library/roles/tmpreaper'
- - role: '../../library/roles/iptables'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+ version: master
+ name: linux-firewall
+ state: latest
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
- role: '../../library/roles/sshd_config'
- - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+ version: master
+ name: letsencrypt-acme-sh-client
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ state: latest
+ when: zabbix_agent_install is defined and zabbix_agent_install
- { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
diff --git a/library/centos/roles/firewalld/defaults/main.yml b/library/centos/roles/firewalld/defaults/main.yml
deleted file mode 100644
index 04cf069..0000000
--- a/library/centos/roles/firewalld/defaults/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-firewalld_enabled: True
-firewalld_default_zone: public
-firewalld_ssh_enabled_on_default_zone: True
-
-firewalld_rules:
-# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
-# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
-# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
-
-#firewalld_new_services:
-# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
-
-# We execute direct rules as they are written
-# firewalld_direct_rules:
-# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
-
-# firewalld_zones_interfaces:
-# - { interface: 'eth1', zone: 'internal' }
diff --git a/library/centos/roles/firewalld/files/mosh.xml b/library/centos/roles/firewalld/files/mosh.xml
deleted file mode 100644
index eccc3d7..0000000
--- a/library/centos/roles/firewalld/files/mosh.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
- Mosh SSH service
- This allows mosh to send and receive datagram connections.
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/library/centos/roles/firewalld/files/traceroute.xml b/library/centos/roles/firewalld/files/traceroute.xml
deleted file mode 100644
index 7d2ad90..0000000
--- a/library/centos/roles/firewalld/files/traceroute.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-
-
- ports needed by traceroute
- This allows the host to be reached by traceroute.
-
-
-
diff --git a/library/centos/roles/firewalld/handlers/main.yml b/library/centos/roles/firewalld/handlers/main.yml
deleted file mode 100644
index ebb482e..0000000
--- a/library/centos/roles/firewalld/handlers/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: Enable and start firewalld
- service: name=firewalld state=started enabled=yes
- when: firewalld_enabled
-
-- name: Reload firewall config
- command: firewall-cmd --reload
- notify: Restart fail2ban
- when: firewalld_enabled
-
-- name: Restart fail2ban
- service: name=fail2ban state=restarted
- when:
- - fail2ban_enabled is defined and fail2ban_enabled
- - centos_install_epel
-
diff --git a/library/centos/roles/firewalld/tasks/disable_firewalld.yml b/library/centos/roles/firewalld/tasks/disable_firewalld.yml
deleted file mode 100644
index 24b4d9e..0000000
--- a/library/centos/roles/firewalld/tasks/disable_firewalld.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Ensure that the firewalld service is stopped and disabled if we do not want it
- service: name=firewalld state=stopped enabled=no
- when: not firewalld_enabled | bool
- tags: [ 'iptables', 'firewall', 'firewalld' ]
diff --git a/library/centos/roles/firewalld/tasks/firewalld_rules.yml b/library/centos/roles/firewalld/tasks/firewalld_rules.yml
deleted file mode 100644
index b8c7b1c..0000000
--- a/library/centos/roles/firewalld/tasks/firewalld_rules.yml
+++ /dev/null
@@ -1,91 +0,0 @@
----
-- block:
- - name: Ensure that the service is enabled and started
- service: name=firewalld state=started enabled=yes
- notify: Restart fail2ban
-
- - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
- firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
- when: firewalld_ssh_enabled_on_default_zone | bool
-
- - name: Set the firewalld default zone.
- command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
-
- - name: Add sources to the availability zones, if any
- firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
- with_items: '{{ firewalld_src_rules | default([]) }}'
-
- - name: Assign interfaces to firewalld zones if needed
- firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True
- with_items: '{{ firewalld_zones_interfaces | default([]) }}'
- when:
- - firewalld_zones_interfaces is defined
- - item.interface is defined
- - item.zone is defined
-
- - name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
- firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
- with_items: '{{ firewalld_rules }}'
- when:
- - firewalld_rules is defined
- - item.service is defined
-
- - name: Save the ports firewalld rules that need to be permanent
- firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
- with_items: '{{ firewalld_rules }}'
- when:
- - firewalld_rules is defined
- - item.port is defined
- - item.protocol is defined
-
- - name: Save the rich_rules firewalld rules that need to be permanent
- firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
- with_items: '{{ firewalld_rules }}'
- when:
- - firewalld_rules is defined
- - item.rich_rule is defined
- notify: Reload firewall config
-
- - name: Enable the firewall-cmd direct passthrough rules
- shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
- with_items: '{{ firewalld_direct_rules }}'
- args:
- creates: /etc/firewalld/.{{ item.label }}
- when:
- - firewalld_direct_rules is defined
- - item.action is defined
-
- - name: Set the firewall-cmd direct passthrough rules as permanent ones
- command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
- with_items: '{{ firewalld_direct_rules }}'
- when:
- - firewalld_direct_rules is defined
- - item.action is defined
-
- - name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
- command: firewall-cmd --new-service={{ item.name }} --permanent
- args:
- creates: '/etc/firewalld/services/{{ item.name }}.xml'
- with_items: '{{ firewalld_new_services }}'
- when: firewalld_new_services is defined
- notify: Reload firewall config
-
- - name: Install the custom firewall services
- copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
- with_items: '{{ firewalld_new_services }}'
- when: firewalld_new_services is defined
- notify: Reload firewall config
-
- - name: Manage the custom services firewalld rules.
- firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
- with_items: '{{ firewalld_new_services }}'
- when:
- - firewalld_new_services is defined
- - item.name is defined
- notify: Reload firewall config
-
- # Last one to not take ourselves out
- - name: Set the firewalld default zone.
- command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
-
- tags: [ 'iptables', 'firewall', 'firewalld' ]
diff --git a/library/centos/roles/firewalld/tasks/main.yml b/library/centos/roles/firewalld/tasks/main.yml
deleted file mode 100644
index 9bef238..0000000
--- a/library/centos/roles/firewalld/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- import_tasks: firewalld_rules.yml
- when: firewalld_enabled | bool
-
-- import_tasks: disable_firewalld.yml
- when: not firewalld_enabled | bool
-
diff --git a/library/roles/iptables/defaults/main.yml b/library/roles/iptables/defaults/main.yml
deleted file mode 100644
index bc5707d..0000000
--- a/library/roles/iptables/defaults/main.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-iptables_deb_pkgs:
- - iptables
- - iptables-persistent
-
-#
-# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
-#
-#pg_allowed_hosts:
-# - 146.48.123.17/32
-# - 146.48.122.110/32
-#
-#munin_server:
-# - 146.48.122.15
-# - 146.48.87.88
-#http_port: 80
-#http_allowed_hosts:
-# - 1.2.3.4/24
-#https_port: 443
-#https_allowed_hosts:
-# - 0.0.0.0/0
-#
-# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
-# iptables:
-# tcp_rules: True
-# tcp:
-# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
-# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
-# - { port: '80' }
-# udp_rules: True
-# udp:
-# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
-
-# munin_server:
-# - 146.48.122.15
-# - 146.48.87.88
-
-#nagios_monitoring_server_ip: 146.48.123.23
-#mongodb:
-# start_server: 'yes'
-# tcp_port: 27017
-# allowed_hosts:
-# - 146.48.123.100/32
-
-#iptables_default_policy: REJECT
-iptables_default_policy: ACCEPT
-iptables_nat_enabled: False
-iptables_nat_specify_interfaces: True
-iptables_post_nat_enabled: False
-iptables_nat_interfaces:
- - '{{ ansible_default_ipv4.interface }}'
-iptables_input_default_policy: '{{ iptables_default_policy }}'
-iptables_forward_default_policy: '{{ iptables_default_policy }}'
-iptables_banned_default_policy: DROP
-iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-ganglia_enabled: False
-nagios_enabled: False
-iptables_open_all_to_isti_nets: False
-tomcat_cluster_enabled: False
-# Another variable needs to be defined before the db rules are set
-psql_firewall_enabled: True
-mysql_firewall_enabled: True
diff --git a/library/roles/iptables/handlers/main.yml b/library/roles/iptables/handlers/main.yml
deleted file mode 100644
index 1012da7..0000000
--- a/library/roles/iptables/handlers/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- name: Start the iptables service
- service: name=iptables-persistent state=restarted enabled=yes
- notify: Restart fail2ban
-
-- name: Start the netfilter service
- service: name=netfilter-persistent state=restarted enabled=yes
- when: is_debian8
- notify: Restart fail2ban
-
-- name: Flush the iptables rules
- command: /etc/init.d/iptables-persistent flush
- ignore_errors: true
-
-- name: Start the iptables service on Ubuntu < 12.04
- command: /etc/init.d/iptables-persistent start
- ignore_errors: true
-
-- name: Stop the iptables service on Ubuntu < 12.04
- command: /etc/init.d/iptables-persistent stop
- ignore_errors: true
-
-- name: Restart fail2ban after an iptables restart
- service: name=fail2ban state=restarted enabled=yes
- when: has_fail2ban
diff --git a/library/roles/iptables/meta/main.yml b/library/roles/iptables/meta/main.yml
deleted file mode 100644
index 5237150..0000000
--- a/library/roles/iptables/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- - { role: '../../library/roles/postfix-relay', when: postfix_relay_server is defined and postfix_relay_server }
diff --git a/library/roles/iptables/tasks/main.yml b/library/roles/iptables/tasks/main.yml
deleted file mode 100644
index 5441f83..0000000
--- a/library/roles/iptables/tasks/main.yml
+++ /dev/null
@@ -1,127 +0,0 @@
----
-- block:
- - name: Install the needed iptables packages
- apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
-
- - name: Create the /etc/iptables directory when needed
- file: dest=/etc/iptables state=directory owner=root group=root mode=0755
- when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
-
- - name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
- with_items:
- - rules.v4
- when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- notify: Start the iptables service on Ubuntu < 12.04
-
- - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_precise
- register: install_iptables_rules_precise
-
- - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_trusty
- register: install_iptables_rules_trusty
-
- - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_debian7
- register: install_iptables_rules_deb7
-
- - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when: is_debian8
- register: install_netfilter_rules
-
- - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
- template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
- with_items:
- - rules.v4
- - rules.v6
- when:
- - ansible_distribution == 'Ubuntu'
- - ansible_distribution_major_version >= '16'
- register: install_netfilter_rules
-
- - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- register: restart_related_p
- notify: Restart fail2ban after an iptables restart
- when: install_iptables_rules_precise is changed
-
- - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- register: restart_related_t
- notify: Restart fail2ban after an iptables restart
- when: install_iptables_rules_trusty is changed
-
- - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
- service: name=iptables-persistent state=restarted enabled=yes
- register: restart_related_d7
- notify: Restart fail2ban after an iptables restart
- when: install_iptables_rules_deb7 is changed
-
- - name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
- service: name=netfilter-persistent state=restarted enabled=yes
- register: restart_related_x
- notify: Restart fail2ban after an iptables restart
- when: install_netfilter_rules is changed
-
- - name: Check if the fail2ban service is present
- stat: path=/usr/bin/fail2ban-server
- register: fail2ban_installed
-
- - name: Restart fail2ban after an iptables restart on Ubuntu Precise
- service: name=fail2ban state=restarted enabled=yes
- when:
- - fail2ban_installed.stat.exists
- - restart_related_p is changed
-
- - name: Restart fail2ban after an iptables restart on Ubunt Trusty
- service: name=fail2ban state=restarted enabled=yes
- when:
- - fail2ban_installed.stat.exists
- - restart_related_t is changed
-
- - name: Restart fail2ban after an iptables restart on debian 7
- service: name=fail2ban state=restarted enabled=yes
- when:
- - fail2ban_installed.stat.exists
- - restart_related_d7 is changed
-
- - name: Restart fail2ban after an iptables restart on Ubuntu Xenial
- service: name=fail2ban state=restarted enabled=yes
- when:
- - fail2ban_installed.stat.exists
- - restart_related_x is changed
-
- - name: Check if the docker service is present
- stat: path=/usr/bin/dockerd
- register: dockerd_installed
-
- - name: Restart docker after an iptables restart on Ubuntu Trusty
- service: name=docker state=restarted enabled=yes
- when:
- - dockerd_installed.stat.exists
- - restart_related_t is changed
-
- - name: Restart docker after an iptables restart on Ubuntu Xenial
- service: name=docker state=restarted enabled=yes
- when:
- - dockerd_installed.stat.exists
- - restart_related_x is changed
-
- tags: [ 'iptables', 'iptables_rules' ]
diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
deleted file mode 100644
index 8520f08..0000000
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ /dev/null
@@ -1,398 +0,0 @@
-#
-# {{ ansible_managed }} don't manually modify this file
-#
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% if iptables_banlist is defined %}
-# We manage the banned IP/networks list before anything else
-{% for obj in iptables_banlist %}
-{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
--A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% elif obj.proto is defined and obj.destport is defined %}
--A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% elif obj.proto is defined %}
--A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% else %}
--A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% endif %}
-{% endfor %}
-{% endif %}
-# Return traffic and localhost
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-#
-{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
-{% if iptables_ssh_allowed_hosts is defined %}
-# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
-{% for ip in iptables_ssh_allowed_hosts %}
--A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% else %}
-# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-{% endif %}
-{% if http_port is not defined %}
-{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-{% endif %}
-{% endif %}
-{% if http_port is defined %}
-# http
-{% if http_allowed_hosts is defined %}
-{% for ip in http_allowed_hosts %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-
-{% if https_port is defined %}
-# https
-{% if https_allowed_hosts is defined %}
-{% for ip in https_allowed_hosts %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-{% if https_managed_hosts is defined %}
-{% for rule in https_managed_hosts %}
--A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
-{% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% endif %}
-{% if psql_firewall_enabled %}
-{% if psql_db_port is defined %}
-{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
-{% if psql_global_firewall is defined %}
-{% for cidr in psql_global_firewall %}
--A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
--A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
-{% else %}
-{% if psql_db_data is defined %}
-# postgresql clients
-{% for db in psql_db_data %}
-{% for ip in db.allowed_hosts %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endif %}
--A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
--A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
-{% endif %}
-{% endif %}
-{% endif %}
-{% if mysql_firewall_enabled %}
-{% if mysql_db_port is defined %}
-{% if mysql_listen_on_ext_int %}
-# mysql clients
-{% for db in mysql_db_data %}
-{% for ip in db.allowed_hosts %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
--A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
--A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
-{% endif %}
-{% endif %}
-{% if openldap_slapd_tcp_port is defined %}
-{% if openldap_allowed_clients is defined %}
-# LDAP
-{% for addr in openldap_allowed_clients %}
-{% if not openldap_slapd_ssl_only %}
--A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
-{% endif %}
--A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-{% if not openldap_slapd_ssl_only %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
-{% endif %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% if mongodb_allowed_hosts is defined %}
-# mongodb clients
-{% for ip in mongodb_allowed_hosts %}
-{% if mongodb_tcp_port is defined %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
-{% else %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
-{% endif %}
-{% endfor %}
-{% if mongodb_tcp_port is defined %}
--A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
-{% else %}
--A INPUT -p tcp -m tcp --dport 27017 -j DROP
-{% endif %}
-{% endif %}
-
-{% if docker_swarm is defined and docker_swarm %}
-{% for cidr in docker_swarm_allowed_hosts %}
--A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
--A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
--A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
--A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
-{% endfor %}
--A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
--A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-
-{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
-# Someone still uses ftp
-{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
-{% for ip in vsftpd_iptables_allowed_hosts %}
--A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
--A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m helper --helper ftp -j ACCEPT
-{% endif %}
-{% endif %}
-#
-# TODO: add the rules that block traffic from now on
-#
-{% if nagios_enabled is defined %}
-{% if nagios_enabled %}
-{% if nagios_monitoring_server_ip is defined %}
-# Nagios NRPE
-{% for ip in nagios_monitoring_server_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-# Check ntp from the nagios server
--A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if zabbix_agent_install is defined and zabbix_agent_install %}
-{% if zabbix_agent_passive_checks_status == "enabled" %}
-# Zabbix servers that can send passive checks
-{% for ip in zabbix_monitoring_servers %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-
-{% if configure_munin is defined %}
-{% if configure_munin %}
-{% if munin_server %}
-# Munin
-{% for ip in munin_server %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if tomcat_cluster_enabled %}
-# tomcat cluster
--A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
-{% if tomcat_cluster_multicast_net is defined %}
--A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
-# orientdb hazelcast multicast rules
--A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
--A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
-{% endif %}
-# Ganglia
-{% if ganglia_enabled is defined and ganglia_enabled %}
-{% if ganglia_gmond_cluster_port is defined %}
-{% if ganglia_unicast_mode is defined %}
-{% if ganglia_unicast_mode %}
-{% for net in ganglia_unicast_networks %}
--A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endfor %}
-{% else %}
-{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
--A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
-{% else %}
--A INPUT -m pkttype --pkt-type multicast -j ACCEPT
--A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% endif %}
--A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
--A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-# Postfix
-{% if postfix_relay_server is defined %}
-{% if postfix_relay_server %}
-#
-# These are only needed on the machines that act as relay servers
-#
-{% for cidr in postfix_relay_server_permitted_networks %}
--A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
-{% endfor %}
--A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-{% else %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
-{% endif %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% if postfix_relay_server is defined and not postfix_relay_server %}
-{% if postfix_relay_client is defined%}
-{% if postfix_relay_client %}
-#
-# When we are not a relay server but we want send email using our relay
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% endif %}
-{% if iptables is defined %}
-{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
-# TCP rules
-{% for tcp_rule in iptables.tcp %}
-{% if tcp_rule.allowed_hosts is defined %}
-{% for ip in tcp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.udp_rules is defined and iptables.udp_rules %}
-# UDP rules
-{% for udp_rule in iptables.udp %}
-{% if udp_rule.allowed_hosts is defined %}
-{% for ip in udp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.any_rules is defined and iptables.any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for ip in any_rule.allowed_hosts %}
--A INPUT -s {{ ip }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for rule in any_rule.allowed_hosts %}
--A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endfor %}
-{% endif %}
-# End of the custom rules
-{% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endif %}
-{% endif %}
-{% if keepalived_enabled is defined and keepalived_enabled %}
-# Keepalived rules. Protocol vrrp, 112
-{% if not keepalived_use_unicast %}
--A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
--A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-{% else %}
-{% endif %}
--A INPUT -p vrrp -j ACCEPT
--A OUTPUT -p vrrp -j ACCEPT
-{% endif %}
-#
-# INPUT POLICY
-{% if iptables_input_default_policy == 'REJECT' %}
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -j {{ iptables_input_default_policy }}
-{% endif %}
-#
-# FORWARD rules and POLICY
-{% if iptables_post_nat_enabled %}
--A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-{% for rule in iptables_nat_rules %}
--A FORWARD {{ rule.options }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% if iptables_forward_default_policy == 'REJECT' %}
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A FORWARD -j {{ iptables_forward_default_policy }}
-{% endif %}
-COMMIT
-{% if iptables_nat_enabled %}
-# This should be obsoleted
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% if iptables_nat_specify_interfaces %}
-{% for int in iptables_nat_interfaces %}
--A POSTROUTING -o {{ int }} -j MASQUERADE
-{% endfor %}
-{% else %}
--A POSTROUTING -j MASQUERADE
-{% endif %}
-COMMIT
-{% endif %}
-
-{% if iptables_post_nat_enabled %}
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% for rule in iptables_nat_rules %}
--A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
-{% endfor %}
-COMMIT
-{% endif %}
diff --git a/library/roles/iptables/templates/iptables-rules.v6.j2 b/library/roles/iptables/templates/iptables-rules.v6.j2
deleted file mode 100644
index f9cab76..0000000
--- a/library/roles/iptables/templates/iptables-rules.v6.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# {{ ansible_managed }} don't manually modify this file
-#
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% if iptables_default_policy == 'REJECT' %}
--A INPUT -j REJECT --reject-with icmp6-addr-unreachable
--A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
-{% else %}
--A INPUT -j {{ iptables_default_policy }}
--A FORWARD -j {{ iptables_default_policy }}
-{% endif %}
-COMMIT
diff --git a/library/roles/ubuntu-deb-general/meta/main.yml b/library/roles/ubuntu-deb-general/meta/main.yml
index 4a05223..90c559e 100644
--- a/library/roles/ubuntu-deb-general/meta/main.yml
+++ b/library/roles/ubuntu-deb-general/meta/main.yml
@@ -2,7 +2,10 @@
dependencies:
- role: '../../library/roles/deb-apt-setup'
- { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
- - role: 'basic-system-setup'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git
+ version: master
+ name: basic-system-setup
+ state: latest
- role: '../../library/roles/motd'
- role: '../../library/roles/ntp'
- role: '../../library/roles/linux-kernel-sysctl'