jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
infra/roles/base/tasks/firewall.yml
jack 5befd48a50
Some checks are pending
CI/CD / deploy (push) Blocked by required conditions
Details
CI/CD / syntax-check (push) Successful in 41s
Details
fix: allow Docker bridge networks through UFW for runner + add unattended-upgrades 
firewall.yml:
- Allow 172.16.0.0/12 and 10.0.0.0/8 on ports 80/443 so act_runner
  job containers can reach git.csrx.ru (Forgejo via Traefik)
- Without this, Cloudflare-only rules broke CI/CD pipeline

unattended_upgrades.yml (new):
- Install unattended-upgrades + apt-listchanges
- Configure auto-apply of security patches only (not all updates)
- Auto-clean every 7 days, remove unused deps
- No auto-reboot (manual control over kernel reboots)

base/tasks/main.yml:
- Add unattended_upgrades.yml to task sequence

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:11:39 +07:00

142 lines
3 KiB
YAML
Raw Blame History

---
- name: Allow SSH
community.general.ufw:
rule: allow
port: "{{ sshd_port }}"
proto: tcp
comment: "SSH"
- name: Allow Forgejo SSH
community.general.ufw:
rule: allow
port: "2222"
proto: tcp
comment: "Forgejo SSH"
- name: Allow HTTP from Docker bridge networks (runner + internal services)
community.general.ufw:
rule: allow
port: "80"
proto: tcp
src: "{{ item }}"
comment: "HTTP from Docker networks"
loop:
- "172.16.0.0/12"
- "10.0.0.0/8"
- name: Allow HTTPS from Docker bridge networks (runner + internal services)
community.general.ufw:
rule: allow
port: "443"
proto: tcp
src: "{{ item }}"
comment: "HTTPS from Docker networks"
loop:
- "172.16.0.0/12"
- "10.0.0.0/8"
- name: Allow HTTP from Cloudflare IPs only
community.general.ufw:
rule: allow
port: "80"
proto: tcp
src: "{{ item }}"
comment: "HTTP via Cloudflare"
loop:
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- name: Allow HTTPS from Cloudflare IPs only
community.general.ufw:
rule: allow
port: "443"
proto: tcp
src: "{{ item }}"
comment: "HTTPS via Cloudflare"
loop:
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- name: Allow Syncthing sync TCP
community.general.ufw:
rule: allow
port: "22000"
proto: tcp
comment: "Syncthing sync"
- name: Allow Syncthing sync UDP
community.general.ufw:
rule: allow
port: "22000"
proto: udp
comment: "Syncthing sync"
- name: Allow Syncthing discovery UDP
community.general.ufw:
rule: allow
port: "21027"
proto: udp
comment: "Syncthing discovery"
- name: Set UFW default deny incoming
community.general.ufw:
direction: incoming
policy: deny
- name: Set UFW default allow outgoing
community.general.ufw:
direction: outgoing
policy: allow
- name: Enable UFW
community.general.ufw:
state: enabled
- name: Ensure fail2ban is configured for SSH
ansible.builtin.copy:
dest: /etc/fail2ban/jail.local
content: |
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = {{ sshd_port }}
logpath = %(sshd_log)s
backend = %(sshd_backend)s
mode: "0644"
notify: Restart fail2ban
- name: Ensure fail2ban is started and enabled
ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
Reference in a new issue View git blame Copy permalink