jotbe/ansible-selfhosted-services
1
0
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

Adds geerlingguy.firewall

Browse source
This commit is contained in:
Jan Beilicke 2020-03-31 00:36:13 +02:00
parent 20ee4d9d16
commit a271daf122
4 changed files with 28 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -115,6 +115,8 @@ By default, a `vagrant` user will be provisioned (if not already available) and
- Configure each desired service by following the README of its role. - Configure each desired service by following the README of its role.
- Run the playbook `site.yml` or one of the service playbooks. - Run the playbook `site.yml` or one of the service playbooks.
**IMPORTANT**: Pay attention to the [Firewall](#firewall) section below.
## How does it work? ## How does it work?
The provisioning and configuration management tool Ansible is used to access a Linux server (VM, bare-metal) using SSH and provisions a set of roles. Each role consists of Docker Compose services (each containing one or more Docker containers). The provisioning and configuration management tool Ansible is used to access a Linux server (VM, bare-metal) using SSH and provisions a set of roles. Each role consists of Docker Compose services (each containing one or more Docker containers).
@ -131,6 +133,10 @@ Persistent volumes that need to be backed up will be labeled in a way that rcb w
Restic assumes untrusted environments, hence backups are always encrypted using modern algorithms. [See their website for further details.](https://restic.net) Restic assumes untrusted environments, hence backups are always encrypted using modern algorithms. [See their website for further details.](https://restic.net)
## Firewall <a id="firewall"></a>
The `common` role comes with a [firewall](https://galaxy.ansible.com/geerlingguy/firewall) based on iptables. If you don't allow SSH (usually port 22) then you might lock yourself out. Have a look at `group_vars/vagrant.yml` for an example config. Add the corresponding [firewall parameters](https://galaxy.ansible.com/geerlingguy/firewall) to your `host_vars` and adapt them according to your needs.
## Alternatives ## Alternatives
- [HomelabOS](https://gitlab.com/NickBusey/HomelabOS) - [HomelabOS](https://gitlab.com/NickBusey/HomelabOS)

13
group_vars/docker.yml
View file

@ -7,4 +7,15 @@ docker_package: "docker-{{ docker_edition }}"
docker_package_state: present docker_package_state: present
docker_compose_version: "1.25.0" docker_compose_version: "1.25.0"
docker_users: docker_users:
- deploy - deploy
firewall_disable_ufw: true
firewall_flush_rules_and_chains: true
firewall_allowed_tcp_ports:
- "22"
- "80"
- "443"
#firewall_allowed_udp_ports:
# # Jitsi
# - "10000"
firewall_additional_rules:
- "iptables -P INPUT DROP"

9
group_vars/vagrant.yml
View file

@ -1,4 +1,13 @@
ansible_user: vagrant ansible_user: vagrant
firewall_disable_ufw: true
firewall_flush_rules_and_chains: true
firewall_allowed_tcp_ports:
- "22"
- "80"
- "443"
firewall_allowed_udp_ports:
# Jitsi
- "10000"
users: users:
- deploy - deploy
sudoers: [] sudoers: []

1
requirements.yml
View file

@ -1,3 +1,4 @@
- geerlingguy.firewall
- geerlingguy.pip - geerlingguy.pip
- geerlingguy.docker - geerlingguy.docker