Compare commits
No commits in common. "81efa1b71778c5ca67b694d5b64fba3245437e4a" and "644b608831d240b76191376fc518e04611b5edbf" have entirely different histories.
81efa1b717
...
644b608831
3 changed files with 1 additions and 60 deletions
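--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -33,7 +33,4 @@ common_ufw_allowed_ports:
 - { port: 32400, proto: tcp, comment: "Plex Media Server" }
 - { port: 6881, proto: tcp, comment: "BitTorrent" }
 - { port: 6881, proto: udp, comment: "BitTorrent" }
-# SMB is reachable over Tailscale via the tailscale0 allow-all rule; this
-# entry additionally allows the local London LAN. Deliberately NOT open to
-# the public internet (see PESO-145).
-- { port: 445, proto: tcp, from_ip: "192.168.1.0/24", comment: "Samba (LAN only)" }
+- { port: 445, proto: tcp, comment: "Samba" }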
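Review bot: The new 445/tcp entry `- { port: 445, proto: tcp, comment: "Samba" }` carries no `from_ip`, so the `rule: allow` loop that consumes `common_ufw_allowed_ports` (third file of this compare) will allow SMB from any source address, whereas the other side of the compare limited it to `192.168.1.0/24` and recorded that it was deliberately not public. If LAN-only access is still the intent, the entry needs its source restriction back and the task must pass it through again: on this side the `from_ip` parameter is also gone from the task (hunk at line 99 of that file), so a `from_ip` key added here alone would have no effect. If world-open SMB is actually intended, a comment on the entry saying so, e.g. `# 445/tcp open to all sources on purpose — see <ticket>`, would stop the next reader from treating it as an accident. The `common_ufw_allowed_ports:` list begins above this hunk, so its other entries are not visible here.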
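--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -7,7 +7,3 @@
 - name: Reload ufw
 community.general.ufw:
 state: reloaded
-
-- name: Reload systemd daemon
-ansible.builtin.systemd:
-daemon_reload: true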
|
|
@ -99,7 +99,6 @@
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "{{ item.port | string }}"
|
port: "{{ item.port | string }}"
|
||||||
proto: "{{ item.proto | default('tcp') }}"
|
proto: "{{ item.proto | default('tcp') }}"
|
||||||
from_ip: "{{ item.from_ip | default(omit) }}"
|
|
||||||
comment: "{{ item.comment | default(omit) }}"
|
comment: "{{ item.comment | default(omit) }}"
|
||||||
loop: "{{ common_ufw_allowed_ports }}"
|
loop: "{{ common_ufw_allowed_ports }}"
|
||||||
when:
|
when:
|
||||||
|
|
@ -107,58 +106,7 @@
|
||||||
- common_ufw_allowed_ports | length > 0
|
- common_ufw_allowed_ports | length > 0
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
# When a port is restricted to a source (from_ip), make sure the older
|
|
||||||
# unrestricted "allow from anywhere" variant of the same rule isn't left
|
|
||||||
# lingering on the host — UFW keeps it otherwise, which would defeat the
|
|
||||||
# source restriction. Deleting an absent rule is a no-op, so this is safe
|
|
||||||
# on hosts that never had the broad rule.
|
|
||||||
- name: Remove superseded world-open rules for source-restricted ports
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: "{{ item.port | string }}"
|
|
||||||
proto: "{{ item.proto | default('tcp') }}"
|
|
||||||
delete: true
|
|
||||||
loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
|
|
||||||
when: common_ufw_enabled | bool
|
|
||||||
notify: Reload ufw
|
|
||||||
|
|
||||||
- name: Enable UFW
|
- name: Enable UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
when: common_ufw_enabled | bool
|
when: common_ufw_enabled | bool
|
||||||
|
|
||||||
# --- Cleanup: orphaned cloudflared (PESO-138) ---
|
|
||||||
# Cloudflare Tunnels were retired in favour of Caddy + Authelia (PESO-134, #56),
|
|
||||||
# which removed cloudflared from ansible config. copenhagen-a was unreachable at
|
|
||||||
# the time, so its cloudflared.service was never actually stopped and is still
|
|
||||||
# running. Remove it wherever the unit lingers. copenhagen-c legitimately runs a
|
|
||||||
# hand-configured cloudflared tunnel — never touch it.
|
|
||||||
- name: Detect lingering cloudflared unit
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: /etc/systemd/system/cloudflared.service
|
|
||||||
register: common_cloudflared_unit
|
|
||||||
when: inventory_hostname != 'copenhagen-c'
|
|
||||||
|
|
||||||
- name: Remove orphaned cloudflared
|
|
||||||
when:
|
|
||||||
- inventory_hostname != 'copenhagen-c'
|
|
||||||
- common_cloudflared_unit.stat.exists | default(false)
|
|
||||||
block:
|
|
||||||
- name: Stop and disable cloudflared
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
name: cloudflared
|
|
||||||
state: stopped
|
|
||||||
enabled: false
|
|
||||||
failed_when: false
|
|
||||||
|
|
||||||
- name: Remove cloudflared systemd unit
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: /etc/systemd/system/cloudflared.service
|
|
||||||
state: absent
|
|
||||||
notify: Reload systemd daemon
|
|
||||||
|
|
||||||
- name: Uninstall cloudflared package
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: cloudflared
|
|
||||||
state: absent
|
|
||||||
purge: true
|
|
||||||
|
|
|
||||||
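Review bot: On this side the ufw allow task (hunk at line 99; its `- name:` and `community.general.ufw:` lines sit above the hunk) is the only thing that manages rules, and `rule: allow` only ever adds — nothing removes a rule whose entry was dropped from or narrowed in `common_ufw_allowed_ports`, so a previously added world-open rule stays in force on hosts that were already configured. The hunk at line 107 likewise leaves no handling for a leftover `cloudflared.service`; where such a unit still exists on a host it keeps running as an ingress path outside the managed configuration, so a `stat`-guarded stop/remove step, or at least a README note that it must be removed by hand, is worth having. At minimum a comment above the loop would make the first limitation explicit: `# Additive only: removing or narrowing an entry here does not remove the existing rule on the host.`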