From 37f2b7b1306f7a9cf9e90d613dee3a9fb7841e29 Mon Sep 17 00:00:00 2001
From: Paolo Asperti
Date: Thu, 26 Oct 2023 23:13:17 +0200
Subject: [PATCH] playbook ansible WIP

---
 roles/pxeserver/tasks/firewall.yml | 35 +++++++++++++++++++
 roles/pxeserver/tasks/iso.yml | 25 +++++++++++++
 roles/pxeserver/tasks/main.yml | 2 ++
 roles/pxeserver/templates/iso/mount-all.sh | 9 +++++
 .../templates/iso/mount-isos.service | 8 +++++
 roles/pxeserver/templates/rules.v4 | 30 ++++++++++++++++
 6 files changed, 109 insertions(+)
 create mode 100644 roles/pxeserver/tasks/firewall.yml
 create mode 100644 roles/pxeserver/tasks/iso.yml
 create mode 100755 roles/pxeserver/templates/iso/mount-all.sh
 create mode 100644 roles/pxeserver/templates/iso/mount-isos.service
 create mode 100644 roles/pxeserver/templates/rules.v4

diff --git a/roles/pxeserver/tasks/firewall.yml b/roles/pxeserver/tasks/firewall.yml
new file mode 100644
index 0000000..180dbc8
--- /dev/null
+++ b/roles/pxeserver/tasks/firewall.yml
@@ -0,0 +1,35 @@
+---
+
+- name: FIREWALL rules
+ template:
+ src: rules.v4
+ dest: /etc/iptables/rules.v4
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
+ # notify: nfs_reload_exports
+
+- name: FIREWALL rules restore
+ shell: iptables-restore /etc/iptables/rules.v4
+
+- name: FIREWALL enable IPv4 forward
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ sysctl_file: /etc/sysctl.d/ipv4_forward.conf
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+
+- name: FIREWALL disable IPv6
+ sysctl:
+ name: net.ipv6.conf.all.disable_ipv6
+ value: "1"
+ sysctl_file: /etc/sysctl.d/disable_ipv6.conf
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+
\ No newline at end of file
diff --git a/roles/pxeserver/tasks/iso.yml b/roles/pxeserver/tasks/iso.yml
new file mode 100644
index 0000000..dae2a40
--- /dev/null
+++ b/roles/pxeserver/tasks/iso.yml
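Review bot: The `FIREWALL rules restore` task runs `iptables-restore` without `become: true`, unlike the template task right before it, so on a non-root connection the ruleset is never loaded while the play still reports success; it also uses `shell` for a command that needs no shell and runs on every play instead of only when rules.v4 changes. Making it a handler fixes all three: `command: iptables-restore /etc/iptables/rules.v4` with `become: true`, and the commented-out `# notify: nfs_reload_exports` on the template task replaced by `notify: firewall_restore`. The two sysctl tasks also lack `become` and set `ignoreerrors: yes`, which makes an unknown `net.ipv6.conf.all.disable_ipv6` key (e.g. the ipv6 module not loaded at run time) pass silently; since only an IPv4 ruleset is shipped, an unapplied IPv6 disable leaves every listener reachable unfiltered over IPv6, so either drop `ignoreerrors` or ship a matching `rules.v6`. Whether the restored rules survive a reboot depends on iptables-persistent/netfilter-persistent being installed, which nothing in this role shows; the trailing whitespace and missing newline at end of file should also go.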
@@ -0,0 +1,25 @@
+---
+
+- name: ISO script
+ template:
+ src: iso/mount-all.sh
+ dest: /srv/pxe/mount/mount-all.sh
+ owner: root
+ group: root
+ mode: "0755"
+ become: true
+
+- name: ISO service
+ template:
+ src: iso/mount-isos.service
+ dest: /etc/systemd/system/mount-isos.service
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
+
+- name: ISO Enable service
+ service:
+ name: mount-isos
+ enabled: yes
+ become: true
diff --git a/roles/pxeserver/tasks/main.yml b/roles/pxeserver/tasks/main.yml
index d5a0290..696594e 100644
--- a/roles/pxeserver/tasks/main.yml
+++ b/roles/pxeserver/tasks/main.yml
@@ -4,3 +4,5 @@
 - include: nginx.yml
 - include: dns.yml
 - include: nfs.yml
+- include: firewall.yml
+- include: iso.yml
diff --git a/roles/pxeserver/templates/iso/mount-all.sh b/roles/pxeserver/templates/iso/mount-all.sh
new file mode 100755
index 0000000..f158def
--- /dev/null
+++ b/roles/pxeserver/templates/iso/mount-all.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+montami() {
+ B=$(basename $1)
+ mount "/srv/pxe/iso/$B" "/srv/pxe/mount/$B"
+ echo "mounted '/srv/pxe/iso/$B' on '/srv/pxe/mount/$B'"
+}
+export -f montami
+find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "$0"' {} \;
diff --git a/roles/pxeserver/templates/iso/mount-isos.service b/roles/pxeserver/templates/iso/mount-isos.service
new file mode 100644
index 0000000..dc57e2c
--- /dev/null
+++ b/roles/pxeserver/templates/iso/mount-isos.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Mount ISOs
+
+[Service]
+ExecStart=/srv/pxe/mount/mount-all.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pxeserver/templates/rules.v4 b/roles/pxeserver/templates/rules.v4
new file mode 100644
index 0000000..b34e479
--- /dev/null
+++ b/roles/pxeserver/templates/rules.v4
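Review bot: The `ISO script` task installs a script that runs as root at boot into `/srv/pxe/mount/`, the same tree whose subdirectories are the ISO mount points; if that directory is also an NFS export (nfs.yml is not part of this patch), any client with write access to the export can replace the script and get root on the server at the next boot. Install it outside the served tree, e.g. `dest: /usr/local/sbin/mount-all.sh`, and point the unit's `ExecStart` at that path. The `ISO Enable service` task only enables the unit, with no daemon reload after writing a new unit file and no `state: started`, so the ISOs are not mounted until the next reboot; use the `systemd` module with `daemon_reload: true` and `state: started`. The first task also assumes `/srv/pxe/mount` already exists, which nothing in this patch creates.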
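Review bot: The two new lines use `include`, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks` and later removed from ansible-core; the existing lines use the same form, but the new ones should be `- import_tasks: firewall.yml` and `- import_tasks: iso.yml`. Including firewall.yml after nginx, dns and nfs also means those listeners are up before any INPUT policy is loaded on a first provisioning run; putting the firewall include before them closes that window.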
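Review bot: `montami` prints "mounted …" regardless of whether `mount` succeeded, and mounts each image with default options, so setuid binaries and device nodes inside an image dropped into `/srv/pxe/iso/` are honoured on the server and the filesystem type is whatever the kernel autodetects. Mount read-only with `nodev,nosuid` (and `noexec` if nothing on the server itself needs to execute from the images; NFS and HTTP clients are unaffected), report failure on stderr, and quote `basename -- "$1"`. The `find -maxdepth 1 -type d` driver only yields existing mount-point directories, so the input set itself is fine.
```bash
montami() {
    local B
    B=$(basename -- "$1")
    if mount -o ro,loop,nodev,nosuid,noexec "/srv/pxe/iso/$B" "/srv/pxe/mount/$B"; then
        echo "mounted '/srv/pxe/iso/$B' on '/srv/pxe/mount/$B'"
    else
        echo "failed to mount '/srv/pxe/iso/$B' on '/srv/pxe/mount/$B'" >&2
    fi
}
# … unchanged: export -f montami and the find loop …
```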
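Review bot: The unit declares no ordering, so under `multi-user.target` it starts in parallel with whatever units nfs.yml and nginx.yml install to serve `/srv/pxe/mount` (not shown here; nfs-server.service and nginx.service on Debian-based hosts); if those come up first they export or serve empty mount-point directories, and depending on export options clients that mounted the export early may keep seeing the empty directories. Add `After=local-fs.target` and a `Before=` on the serving units, and make it `Type=oneshot` with `RemainAfterExit=yes` so systemd tracks it as active instead of as a short-lived simple service that has exited.
```ini
[Unit]
Description=Mount ISOs
After=local-fs.target
Before=nfs-server.service nginx.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/srv/pxe/mount/mount-all.sh
; … unchanged: [Install] section …
```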
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [2:72]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [8441:830478]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m state --state NEW -j ACCEPT
+-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
+-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4047 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4047 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4048 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4048 -j ACCEPT
+-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+*nat
+:PREROUTING ACCEPT [72:10770]
+:INPUT ACCEPT [68:10030]
+:OUTPUT ACCEPT [39:2999]
+:POSTROUTING ACCEPT [1:84]
+-A POSTROUTING -o {{ wan_iface }} -j MASQUERADE
+COMMIT
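Review bot: `-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT` accepts every new connection on every interface that is not the LAN, which includes `{{ wan_iface }}`, so the `INPUT DROP` policy only filters the PXE side and the upstream side of this NAT box is fully open; the port rules that follow only ever matter on the LAN. If that rule exists to let loopback traffic through, replace it with `-A INPUT -i lo -j ACCEPT`; if the upstream network is deliberately trusted, say so in a comment at the top of the template. The `FORWARD` chain also defaults to ACCEPT with only LAN-to-LAN rejected, so anything arriving on `{{ wan_iface }}` with a route to the PXE subnet is forwarded in; a DROP policy with explicit LAN-to-WAN and return-traffic rules is the usual shape. The packet counters such as `[2:72]` are leftovers from an `iptables-save` dump and are harmless, but `[0:0]` is cleaner in a template.
```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
# … unchanged: per-port INPUT rules for 22/80/53 and the LAN-only 67/69/111/2049/4047/4048 rules …
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i {{ lan_iface }} -o {{ wan_iface }} -m state --state NEW -j ACCEPT
-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
COMMIT
# … unchanged: *nat table with the MASQUERADE rule …
```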