refactor(security): reworked firewall configuration and added support for DNS, HTTP and ICMP rules; added autoconf for resolv.conf to match FW rules

2024-01-06 00:00:00 +00:00 · 2024-01-06 00:00:00 +00:00 · da45c7c409
commit da45c7c409
parent 3a7440f570
22 changed files with 169 additions and 48 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
@ -45,7 +45,7 @@
        dest: /etc/nftables.conf
        mode: '0700'

-    - name: common firewall rules
+    - name: base tables definition
      ansible.builtin.template:
        src: "../templates/system/nftables/{{ item }}.table.j2"
        dest: "/etc/nftables.d/{{ item }}.table"
@ -56,3 +56,10 @@
        - 01-nat
        - 02-mangle
        - 03-filter
+
+    - name: common firewall rules
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "/etc/nftables.d/{{ (item.split('/') | last)[:-3] }}"
+        mode: '0600'
+      loop: "{{ q('fileglob', '../templates/system/nftables.d/*.j2') }}"