Automatically create cloud firewall rules for installs onto Vultr (#1400)

* Update main.yml * Change module names and add IPv6 firewall rules Uses guide at https://www.renemoser.net/blog/2018/03/19/vultr-firewalling-with-ansible/ written by Rene Moser. * change vultr to vr * add ip_version to firewall rules * add SSH access rules * Use variable for wireguard port * update module names for ansible 2.7 * Fix trailing whitespaces * Try to fix trailing whitespaces again
5 years ago · faa4b9a8da
parent 25513cf925
commit faa4b9a8da
1 changed files with 22 additions and 0 deletions
--- a/roles/cloud-vultr/tasks/main.yml
+++ b/roles/cloud-vultr/tasks/main.yml
@ -9,6 +9,27 @@
      ssh_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
    register: ssh_key

+  - name: Creating a firewall group
+    vultr_firewall_group:
+      name: "{{ algo_server_name }}"
+
+  - name: Creating firewall rules
+    vultr_firewall_rule:
+      group: "{{ algo_server_name }}"
+      protocol: "{{ item.protocol }}"
+      port: "{{ item.port }}"
+      ip_version: "{{ item.ip }}"
+      cidr: "{{ item.cidr }}"
+    with_items:
+    - { protocol: tcp, port: 22, ip: v4, cidr: "0.0.0.0/0" }
+    - { protocol: tcp, port: 22, ip: v6, cidr: "::/0" }
+    - { protocol: udp, port: 500, ip: v4, cidr: "0.0.0.0/0" }
+    - { protocol: udp, port: 500, ip: v6, cidr: "::/0" }
+    - { protocol: udp, port: 4500, ip: v4, cidr: "0.0.0.0/0" }
+    - { protocol: udp, port: 4500, ip: v6, cidr: "::/0" }
+    - { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: "0.0.0.0/0" }
+    - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
+
  - name: Creating a server
    vultr_server:
      name: "{{ algo_server_name }}"
@ -16,6 +37,7 @@
      os: "{{ cloud_providers.vultr.os }}"
      plan: "{{ cloud_providers.vultr.size }}"
      region: "{{ algo_vultr_region }}"
+      firewall_group: "{{ algo_server_name }}"
      state: started
      tag: Environment:Algo
      ssh_key: "{{ ssh_key.vultr_ssh_key.name }}"