public-mirrors/NewsBlur
1
0
Fork 0
mirror of https://github.com/samuelclay/NewsBlur.git synced 2025-09-18 21:50:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Speeding up ufw by batching up the commands.

Browse source
This commit is contained in:
Samuel Clay 2024-02-18 14:51:48 -05:00
parent 795f2e2030
commit 5b8fb50681
2 changed files with 112 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

160
ansible/roles/ufw/tasks/main.yml
View file

@ -1,4 +1,16 @@
--- ---
- name: Set hosts
set_fact:
hetzner_hosts: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}"
do_hosts: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
- name: Generate UFW batch script
template:
src: ufw_rules.sh.j2
dest: /tmp/ufw_rules.sh
mode: '0755'
- name: Stop ufw and delete all rules - name: Stop ufw and delete all rules
become: yes become: yes
ufw: state=reset ufw: state=reset
@ -16,83 +28,87 @@
# - name: Set ufw policy to allow all ougoing connections # - name: Set ufw policy to allow all ougoing connections
# ufw: policy=allow direction=outgoing # ufw: policy=allow direction=outgoing
# tags: ufw # tags: ufw
- name: Execute UFW batch script
become: yes
command: /tmp/ufw_rules.sh
# - name: Allow ssh
# become: yes
# ufw: rule=allow port=22
# tags: ufw
# - name: Allow all access from RFC1918 networks to this host
# become: yes
# ufw:
# rule: allow
# src: '{{ item }}'
# with_items:
# - 10.0.0.0/8
# - 172.18.0.0/16
# - 172.17.0.0/16
# tags:
# - firewall
# - ufw
- name: Allow ssh # - name: Allow all access from Hetzner inventory hosts
become: yes # become: yes
ufw: rule=allow port=22 # ufw:
tags: ufw # rule: allow
# src: '{{ item }}'
# with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}"
# tags:
# - firewall
# - ufw
# - hetzner_firewall
# - hfirewall
- name: Allow all access from RFC1918 networks to this host # - name: Allow all access from Hetzner inventory hosts with docker
become: yes # become: yes
ufw: # ufw:
rule: allow # rule: allow
src: '{{ item }}' # route: yes
with_items: # src: '{{ item }}'
- 10.0.0.0/8 # with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}"
- 172.18.0.0/16 # tags:
- 172.17.0.0/16 # - firewall
tags: # - ufw
- firewall # - hetzner_firewall
- ufw # - hfirewall
- name: Allow all access from Hetzner inventory hosts
become: yes
ufw:
rule: allow
src: '{{ item }}'
with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}"
tags:
- firewall
- ufw
- hetzner_firewall
- hfirewall
- name: Allow all access from Hetzner inventory hosts with docker # - name: Allow all access from inventory hosts old + new
become: yes # become: yes
ufw: # ufw:
rule: allow # rule: allow
route: yes # src: '{{ item }}'
src: '{{ item }}' # with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}"
with_items: "{{ groups['hall'] | map('extract', hostvars, ['ansible_host']) }}" # when: "'oldandnew' in groups"
tags: # tags:
- firewall # - firewall
- ufw # - ufw
- hetzner_firewall
- hfirewall
- name: Allow all access from inventory hosts old + new # - name: Allow all access from inventory hosts
become: yes # become: yes
ufw: # ufw:
rule: allow # rule: allow
src: '{{ item }}' # src: '{{ item }}'
with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}" # with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
when: "'oldandnew' in groups" # when: "'oldandnew' not in groups"
tags: # tags:
- firewall # - firewall
- ufw # - ufw
- name: Allow all access from inventory hosts # - name: Allow all access from inventory hosts with docker
become: yes # become: yes
ufw: # ufw:
rule: allow # rule: allow
src: '{{ item }}' # route: yes
with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}" # src: '{{ item }}'
when: "'oldandnew' not in groups" # with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
tags: # when: "'oldandnew' not in groups"
- firewall # tags:
- ufw # - firewall
# - ufw
- name: Allow all access from inventory hosts with docker
become: yes
ufw:
rule: allow
route: yes
src: '{{ item }}'
with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
when: "'oldandnew' not in groups"
tags:
- firewall
- ufw
# Code from https://stackoverflow.com/a/51741599/8717: "What is the best practice of docker + ufw under Ubuntu" # Code from https://stackoverflow.com/a/51741599/8717: "What is the best practice of docker + ufw under Ubuntu"
- name: Solving UFW and Docker issues by adding ufw after.rules - name: Solving UFW and Docker issues by adding ufw after.rules

24
ansible/roles/ufw/templates/ufw_rules.sh.j2 Normal file
View file

@ -0,0 +1,24 @@
#!/bin/bash
# Apply UFW rules in batch
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
# Allow SSH
ufw allow 22
ufw allow from 10.0.0.0/8
ufw allow from 172.18.0.0/16
ufw allow from 172.17.0.0/16
{% for host in hetzner_hosts %}
ufw allow from {{ host }}
ufw route allow from {{ host }}
{% endfor %}
{% for host in do_hosts %}
ufw allow from {{ host }}
ufw route allow from {{ host }}
{% endfor %}
ufw --force enable