jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/roles/base/tasks/firewall.yml
jack e935c897c6
Some checks failed
CI/CD / syntax-check (push) Successful in 58s
Details
CI/CD / deploy (push) Failing after 43s
Details
feat: Cloudflare integration — real IP forwarding + firewall lockdown 
Traefik traefik.yml.j2:
- Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges
  on both web and websecure entrypoints so rate limiting and
  CrowdSec see real visitor IPs, not Cloudflare proxy IPs

firewall.yml:
- Replace open HTTP/HTTPS rules with per-CIDR allow rules
  scoped to Cloudflare IP ranges only
- Direct access to ports 80/443 bypassing Cloudflare is now blocked

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:02:06 +07:00

120 lines
2.5 KiB
YAML
Raw Blame History

---
- name: Allow SSH
community.general.ufw:
rule: allow
port: "{{ sshd_port }}"
proto: tcp
comment: "SSH"
- name: Allow Forgejo SSH
community.general.ufw:
rule: allow
port: "2222"
proto: tcp
comment: "Forgejo SSH"
- name: Allow HTTP from Cloudflare IPs only
community.general.ufw:
rule: allow
port: "80"
proto: tcp
src: "{{ item }}"
comment: "HTTP via Cloudflare"
loop:
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- name: Allow HTTPS from Cloudflare IPs only
community.general.ufw:
rule: allow
port: "443"
proto: tcp
src: "{{ item }}"
comment: "HTTPS via Cloudflare"
loop:
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
- name: Allow Syncthing sync TCP
community.general.ufw:
rule: allow
port: "22000"
proto: tcp
comment: "Syncthing sync"
- name: Allow Syncthing sync UDP
community.general.ufw:
rule: allow
port: "22000"
proto: udp
comment: "Syncthing sync"
- name: Allow Syncthing discovery UDP
community.general.ufw:
rule: allow
port: "21027"
proto: udp
comment: "Syncthing discovery"
- name: Set UFW default deny incoming
community.general.ufw:
direction: incoming
policy: deny
- name: Set UFW default allow outgoing
community.general.ufw:
direction: outgoing
policy: allow
- name: Enable UFW
community.general.ufw:
state: enabled
- name: Ensure fail2ban is configured for SSH
ansible.builtin.copy:
dest: /etc/fail2ban/jail.local
content: |
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = {{ sshd_port }}
logpath = %(sshd_log)s
backend = %(sshd_backend)s
mode: "0644"
notify: Restart fail2ban
- name: Ensure fail2ban is started and enabled
ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
Reference in a new issue View git blame Copy permalink