refactor(security): reworked firewall configuration and added support for DNS, HTTP and ICMP rules; added autoconf for resolv.conf to match FW rules

2024-01-06 00:00:00 +00:00 · 2024-01-06 00:00:00 +00:00 · da45c7c409
commit da45c7c409
parent 3a7440f570
22 changed files with 169 additions and 48 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
@ -14,6 +14,7 @@ common:
  install_fonts: false
  sysctl: {}
  user_account: "{{ custom_base_user_account | default('root') }}"
+  configure_resolv_conf: false

 custom_common: {}
 recursive_combine: true
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
@ -4,6 +4,37 @@
    common: "{{ common | combine(custom_common, recursive=recursive_combine) }}"
  changed_when: false

+- name: '[system] setup DNS server'
+  block:
+    - name: disable resolv.conf updates from dhclient
+      ansible.builtin.copy:
+        dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+        content: |
+          #!/bin/sh
+          make_resolv_conf(){
+            :
+          }
+        owner: root
+        group: root
+        mode: '0755'
+    - name: update resolv.conf
+      ansible.builtin.template:
+        src: ../templates/system/resolv.conf.j2
+        dest: /etc/resolv.conf
+        mode: '0644'
+        owner: root
+        group: root
+  become: true
+  when: common.configure_resolv_conf is truthy
+
+- name: '[system] re-allow DHCP client to setup DNS resolvers'
+  become: true
+  ansible.builtin.file:
+    path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+    state: absent
+  failed_when: false
+  when : common.configure_resolv_conf is falsy
+
 - name: '[apt] verify components of default sources'
  become: true
  block:
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
@ -0,0 +1,10 @@
+{% if dns[dns.type].dns4 is defined and dns[dns.type].dns4 | length > 0 -%}
+{% for server in dns[dns.type].dns4 -%}
+nameserver {{ server }}
+{% endfor %}
+{% endif %}
+{% if ip_dualstack | default(false) and dns[dns.type].dns6 is defined and dns[dns.type].dns6 | length > 0 -%}
+{% for server in dns[dns.type].dns6 -%}
+nameserver {{ server }}
+{% endfor %}
+{% endif %}