ufw: Regeln verschärft (#11)

Docker: „allow all“ weg, dafür einzelne Dienste freigeschaltet

smb aus lan

jenkins-webgui aus lan

pihole-webgui aus lan

acng aus LAN

ssh nur aus LAN

Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com>
Reviewed-on: mg/ansible#11
Michael Grote 2020-12-23 17:34:11 +01:00
parent 10438d1246
commit 209f80efa3
8 changed files with 33 additions and 9 deletions


@ -4,9 +4,11 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
- rule: allow - rule: allow
to_port: 9999 to_port: 9999
from_ip: 192.168.2.0/24
comment: 'acng' comment: 'acng'
### mgrote.acng ### mgrote.acng
acng_server_port: 9999 acng_server_port: 9999
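Review bot: The `from_ip: 192.168.2.0/24` literal added to the ssh rule here is repeated verbatim in all eight files of this commit, so the LAN scope now lives in eight places and will drift the first time the subnet changes; one group variable (a constructed name such as `lan_cidr`, defined once in group_vars) referenced as `from_ip: "{{ lan_cidr }}"` would keep that decision in one spot. The acng rule in this hunk, like the pihole, jenkins and smb rules in the later files, has no `protocol:` line, so the allow covers both tcp and udp on 9999; adding `protocol: tcp` would match the ssh rule directly above it and narrow the opening to what the service actually listens on. The `ufw_rules` list this hunk belongs to starts outside the hunk.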


@ -38,6 +38,7 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
### ryandaniels.create_users ### ryandaniels.create_users
users: users:


@ -4,9 +4,11 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
- rule: allow - rule: allow
to_port: 80 to_port: 80
from_ip: 192.168.2.0/24
comment: 'pihole-webgui' comment: 'pihole-webgui'
- rule: allow - rule: allow
to_port: 53 to_port: 53


@ -1,15 +1,28 @@
--- ---
### oefenweb.ufw ### oefenweb.ufw
ufw_rules: ufw_rules:
# - rule: allow
# to_port: 22
# protocol: tcp
# comment: 'ssh'
# - rule: allow
# to_port: 3000
# comment: 'rssbridge'
- rule: allow - rule: allow
comment: 'alles erlauben' to_port: 22
protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh'
- rule: allow
to_port: 80
comment: 'docker-traefik'
- rule: allow
to_port: 443
comment: 'docker-traefik'
- rule: allow
to_port: 8080
comment: 'docker-traefik'
- rule: allow
to_port: 333
comment: 'docker-homer'
- rule: allow
to_port: 3001
comment: 'docker-rssbridge'
# - rule: allow
# comment: 'alles erlauben'
### geerlingguy.docker ### geerlingguy.docker
docker_users: docker_users:
- mg - mg
@ -46,4 +59,3 @@
/var/lib/docker/volumes/***musik*** /var/lib/docker/volumes/***musik***
# https://github.com/restic/restic/issues/1005 # https://github.com/restic/restic/issues/1005
# https://forum.restic.net/t/exclude-syntax-confusion/1531/12 # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
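Review bot: The traefik, homer and rssbridge rules added in the first hunk of this file (ports 80, 443, 8080, 333, 3001) carry no `from_ip`, so unlike the ssh rule right above them they remain reachable from any source; if 8080 is the traefik dashboard rather than a public entrypoint (the file does not show what it serves), giving it `from_ip: 192.168.2.0/24` would match how jenkins' 8080 is treated elsewhere in this commit. Separately, if these ports are published through Docker port mappings, Docker installs its own iptables rules ahead of the chain ufw filters on, so neither these allow entries nor the retired 'alles erlauben' rule decide what reaches the containers; that filtering has to be expressed in the DOCKER-USER chain, which these `ufw_rules` entries do not touch. A short comment above the traefik rules stating which of the two cases applies, e.g. `# published by docker: ufw rules are documentation only, see DOCKER-USER`, would stop the next reader from assuming the LAN restriction was simply forgotten. The second hunk of this file lists one deletion its visible lines do not show.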


@ -6,6 +6,7 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
- rule: allow - rule: allow
to_port: 80 to_port: 80


@ -21,9 +21,11 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
- rule: allow - rule: allow
to_port: 8080 to_port: 8080
from_ip: 192.168.2.0/24
comment: 'jenkins' comment: 'jenkins'
### mgrote.restic ### mgrote.restic
restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins


@ -28,12 +28,15 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
- rule: allow - rule: allow
to_port: 445 to_port: 445
from_ip: 192.168.2.0/24
comment: 'smb' comment: 'smb'
- rule: allow - rule: allow
to_port: 139 to_port: 139
from_ip: 192.168.2.0/24
comment: 'smb' comment: 'smb'
- rule: allow - rule: allow
to_port: 9000:9010 to_port: 9000:9010


@ -4,6 +4,7 @@
- rule: allow - rule: allow
to_port: 22 to_port: 22
protocol: tcp protocol: tcp
from_ip: 192.168.2.0/24
comment: 'ssh' comment: 'ssh'
interface: ens18 interface: ens18
- rule: allow - rule: allow