joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1be71222514b54741c08f6150a076781001f539a
rick-infra/roles/gitea/tasks/firewall.yml
Joakim 2fe194ba82 Implement modular nftables architecture and Gitea SSH firewall management 
- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.
2025-12-16 21:45:22 +01:00

52 lines
1.3 KiB
YAML
Raw Blame History

---
# Gitea Firewall Configuration - Rick-Infra
# Self-contained firewall management for Gitea SSH access
# Opens port 2222 for Gitea's SSH server
- name: Install nftables (if not present)
pacman:
name: nftables
state: present
- name: Create nftables rules directory
file:
path: /etc/nftables.d
state: directory
mode: '0755'
- name: Deploy Gitea nftables rules
template:
src: gitea.nft.j2
dest: /etc/nftables.d/50-gitea.nft
mode: '0644'
notify: reload nftables
register: gitea_nft_deployed
- name: Validate nftables loader configuration
command: nft -c -f /etc/nftables-load.conf
changed_when: false
failed_when: false
register: nft_validation
- name: Display nftables validation results
debug:
msg: "{{ 'nftables configuration valid' if nft_validation.rc == 0 else 'nftables validation failed: ' + nft_validation.stderr }}"
when: nft_validation is defined
- name: Enable and start nftables service
systemd:
name: nftables
enabled: yes
state: started
- name: Display Gitea firewall status
debug:
msg: |
🔥 Gitea firewall configuration deployed
📍 Rule file: /etc/nftables.d/50-gitea.nft
🔓 Port opened: {{ gitea_ssh_port }} (Gitea SSH)
⚠️ Note: nftables will reload automatically via handler
# Rick-Infra: Self-contained firewall management per role
Reference in New Issue View Git Blame Copy Permalink