refactor(ansible): prefer iptables module

2025-04-26 17:22:50 +02:00 · 2025-04-26 17:22:50 +02:00 · 4803ee9181
commit 4803ee9181
parent 08c64f3f42
2 changed files with 9 additions and 27 deletions
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@ -1,2 +1,2 @@
 [ovh]
-ovh1 ansible_host=5.39.72.167 ansible_port=7511 ansible_user=ubuntu
+ovh1 ansible_host=5.39.72.167 ansible_port=7511 ansible_user=ubuntu firewall_ports=80,443,6443,7511
--- a/ansible/system_basics.yaml
+++ b/ansible/system_basics.yaml
@ -41,32 +41,14 @@
    command: sshd -t
    changed_when: false

-  - name: Create iptables rules file
-    copy:
-      dest: /etc/iptables.rules
-      content: |
-        *filter
-        :INPUT DROP [0:0]
-        :FORWARD DROP [0:0]
-        :OUTPUT ACCEPT [0:0]
-        -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-        -A INPUT -p tcp --dport 80 -j ACCEPT
-        -A INPUT -p tcp --dport 443 -j ACCEPT
-        -A INPUT -p tcp --dport 7511 -j ACCEPT
-        -A INPUT -i lo -j ACCEPT
-        COMMIT
-
-  - name: Apply iptables rules
-    shell: iptables-restore < /etc/iptables.rules
-    changed_when: false
-
-  - name: Ensure iptables rules are loaded on boot (Debian/Ubuntu)
-    copy:
-      dest: /etc/network/if-pre-up.d/iptablesload
-      content: |
-        #!/bin/sh
-        iptables-restore < /etc/iptables.rules
-      mode: '0755'
+  - name: Open firewall ports
+    iptables:
+      chain: INPUT
+      protocol: tcp
+      destination_port: "{{ item }}"
+      jump: ACCEPT
+      state: present
+    loop: "{{ firewall_ports }}"

  - name: Ensure fail2ban is started and enabled
    service: