Verified Commit a5606345 authored by Hugo's avatar Hugo

add simple firewall setup

parent bcc078f0
......@@ -16,6 +16,9 @@ tasks:
desc: Apply the configuration.
cmds:
- ansible-playbook playbook.yaml
destroy:
cmds:
- ansible-playbook dispose.yaml
minio:
desc: Install minio & deploy a tenant.
cmds:
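Review bot: The `destroy` task, which appears to be the addition in this hunk, carries no `desc:` while its siblings do (`desc: Apply the configuration.`, `desc: Install minio & deploy a tenant.`), so the most destructive entry is the one left undocumented in the task list. Add a line such as `desc: Destroy the environment (runs dispose.yaml).` under `destroy:`, matching the phrasing of the other tasks.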
......@@ -11,9 +11,14 @@
handlers:
- name: reboot
reboot: {}
- name: restart sshd
service:
name: sshd
state: restarted
tasks:
- import_tasks: "tasks/wait_nodes.yaml"
- import_tasks: "tasks/upgrade.yaml"
- import_tasks: "tasks/firewall.yaml"
- import_tasks: "tasks/setup_worker.yaml"
when: '"worker" in group_names'
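Review bot: The new `restart sshd` handler uses the short module name `service:` while the task file this commit wires in uses fully-qualified collection names (`ansible.builtin.apt`, `community.general.ufw`); for consistency write `ansible.builtin.service:` here, as the sibling `reboot` handler will also resolve through `ansible.builtin`. This handler is what `tasks/firewall.yaml` notifies after editing `sshd_config`, so it is the step that would take sshd down if that edit ever produced an invalid file; the check belongs on the editing task, but the handler should stay a plain `restarted` so a failed validation never reaches it. The `firewall.yaml` import runs unconditionally on every host, unlike the `when`-guarded `setup_worker.yaml`; that looks intended for a firewall but is worth a one-line comment stating it.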
- name: install ufw
ansible.builtin.apt:
name: ufw
state: present
- name: disable SSH password authentication
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no"
state: present
notify:
- restart sshd
- name: allow ssh
community.general.ufw:
rule: limit
port: ssh
proto: tcp
comment: ssh
- name: allow internal traffic
community.general.ufw:
rule: allow
from_ip: "{{cluster.network.cloudCidr}}"
comment: internal
vars:
tf_path: "terraform/terraform.tfstate.d/{{ lookup('env', 'ENV') }}/terraform.tfstate"
tf: "{{ lookup('file', tf_path) | from_json }}"
cluster: "{{ tf.outputs.cluster.value }}"
- name: deny all traffic
community.general.ufw:
state: enabled
policy: deny
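Review bot: The `disable SSH password authentication` task rewrites `/etc/ssh/sshd_config` and notifies `restart sshd` without checking the result, so a malformed edit would be written and then lock operators out when sshd restarts; add `validate: '/usr/sbin/sshd -t -f %s'` to that `lineinfile` task so the restart is only reached with a config sshd accepts. On Debian-family hosts (inferred from the `apt` task) whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in can set `PasswordAuthentication yes` ahead of this line and win, since sshd keeps the first value it sees; that is not visible here, so confirm the effective setting with `sshd -T` on a provisioned host rather than trusting the file edit. The task ordering is sound — `allow ssh` and `allow internal traffic` are applied before `state: enabled` / `policy: deny` — and deserves a comment above `deny all traffic` saying the rules above must stay ahead of it. Finally, `lineinfile:` is the only short module name in the file; `ansible.builtin.lineinfile:` matches the FQCN style of the other tasks.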
......@@ -22,7 +22,11 @@ spec:
api:
externalAddress: {{cluster.api.publicIp}}
sans:
- {{cluster.api.privateIp}}
- {{cluster.api.publicIp}}
storage:
etcd:
peerAddress: {{cluster.api.privateIp}}
network:
provider: calico
calico: