Home Explore Help
Sign In
sarman
/
tftsr_ai
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 342cbd123d
Branches Tags
tftsr_ai
/
tftsr_nginx-hardening
/
nginx-hardening
/
roles
/
geo_blocking
/
tasks
/
main.yml

main.yml 3.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103 
  1. ---
    2. 

  2. - name: Ensure nftables.d directory exists
    3. 

  3.   ansible.builtin.file:
    4. 

  4.     path: "{{ geo_nft_table_dir }}"
    5. 

  5.     state: directory
    6. 

  6.     owner: root
    7. 

  7.     group: root
    8. 

  8.     mode: '0755'
    9. 

  9. 

  10. - name: Create temp directory for zone files
    11. 

  11.   ansible.builtin.tempfile:
    12. 

  12.     state: directory
    13. 

  13.     suffix: geo_zones
    14. 

  14.   register: geo_temp_dir
    15. 

  15. 

  16. # --- Source: live download ---
    17. 

  17. 

  18. - name: Test connectivity to ipdeny.com (fast pre-check)
    19. 

  19.   ansible.builtin.uri:
    20. 

  20.     url: "{{ geo_ipdeny_base_url }}/us-aggregated.zone"
    21. 

  21.     method: HEAD
    22. 

  22.     timeout: 8
    23. 

  23.   register: geo_connectivity_check
    24. 

  24.   ignore_errors: yes
    25. 

  25.   when: geo_zone_files_dir | length == 0
    26. 

  26. 

  27. - name: Fail fast if ipdeny.com is unreachable and no local cache configured
    28. 

  28.   ansible.builtin.fail:
    29. 

  29.     msg: >-
    30. 

  30.       Cannot reach ipdeny.com (connection timed out or refused) and
    31. 

  31.       geo_zone_files_dir is not set. Pre-download zone files on a machine
    32. 

  32.       with internet access using scripts/download-geo-zones.sh, copy them
    33. 

  33.       to this host, then set geo_zone_files_dir in inventory or with -e.
    34. 

  34.   when:
    35. 

  35.     - geo_zone_files_dir | length == 0
    36. 

  36.     - geo_connectivity_check is failed
    37. 

  37. 

  38. - name: Download zone files for blocked countries
    39. 

  39.   ansible.builtin.get_url:
    40. 

  40.     url: "{{ geo_ipdeny_base_url }}/{{ item.code | lower }}-aggregated.zone"
    41. 

  41.     dest: "{{ geo_temp_dir.path }}/{{ item.code | lower }}.zone"
    42. 

  42.     timeout: 30
    43. 

  43.   loop: "{{ geo_countries | selectattr('blocked', 'equalto', true) | list }}"
    44. 

  44.   loop_control:
    45. 

  45.     label: "{{ item.code }}"
    46. 

  46.   ignore_errors: yes
    47. 

  47.   when:
    48. 

  48.     - geo_zone_files_dir | length == 0
    49. 

  49.     - geo_connectivity_check is succeeded
    50. 

  50. 

  51. # --- Source: local pre-downloaded cache ---
    52. 

  52. 

  53. - name: Copy zone files from local cache directory
    54. 

  54.   ansible.builtin.copy:
    55. 

  55.     src: "{{ geo_zone_files_dir }}/{{ item.code | lower }}.zone"
    56. 

  56.     dest: "{{ geo_temp_dir.path }}/{{ item.code | lower }}.zone"
    57. 

  57.     remote_src: yes
    58. 

  58.   loop: "{{ geo_countries | selectattr('blocked', 'equalto', true) | list }}"
    59. 

  59.   loop_control:
    60. 

  60.     label: "{{ item.code }}"
    61. 

  61.   ignore_errors: yes
    62. 

  62.   when: geo_zone_files_dir | length > 0
    63. 

  63. 

  64. # --- Assemble and deploy ---
    65. 

  65. 

  66. - name: Assemble all CIDRs from downloaded zone files
    67. 

  67.   ansible.builtin.shell: >
    68. 

  68.     cat {{ geo_temp_dir.path }}/*.zone 2>/dev/null |
    69. 

  69.     grep -v '^#' | grep -v '^$' | sort -u
    70. 

  70.   register: geo_cidrs_raw
    71. 

  71.   changed_when: false
    72. 

  72. 

  73. - name: Set geo_blocked_cidrs fact
    74. 

  74.   ansible.builtin.set_fact:
    75. 

  75.     geo_blocked_cidrs: "{{ geo_cidrs_raw.stdout_lines }}"
    76. 

  76. 

  77. - name: Deploy geo-block nftables ruleset
    78. 

  78.   ansible.builtin.template:
    79. 

  79.     src: geo-block.nft.j2
    80. 

  80.     dest: "{{ geo_nft_file }}"
    81. 

  81.     owner: root
    82. 

  82.     group: root
    83. 

  83.     mode: '0644'
    84. 

  84.     backup: yes
    85. 

  85.   notify: reload nftables
    86. 

  86. 

  87. - name: Ensure nftables.conf includes geo-block.nft
    88. 

  88.   ansible.builtin.lineinfile:
    89. 

  89.     path: /etc/sysconfig/nftables.conf
    90. 

  90.     line: 'include "{{ geo_nft_file }}"'
    91. 

  91.     state: present
    92. 

  92.     backup: yes
    93. 

  93. 

  94. - name: Enable and start nftables service
    95. 

  95.   ansible.builtin.service:
    96. 

  96.     name: nftables
    97. 

  97.     state: started
    98. 

  98.     enabled: yes
    99. 

  99. 

  100. - name: Clean up temp directory
    101. 

  101.   ansible.builtin.file:
    102. 

  102.     path: "{{ geo_temp_dir.path }}"
    103. 

  103.     state: absent
    104.