diff --git a/ansible/roles/firewall_cmd/handlers/main.yml b/ansible/roles/firewall_cmd/handlers/main.yml
new file mode 100644
index 0000000..28ee7b7
--- /dev/null
+++ b/ansible/roles/firewall_cmd/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Restart firewalld
+  command: systemctl restart firewalld
\ No newline at end of file
diff --git a/ansible/roles/firewall_cmd/tasks/main.yml b/ansible/roles/firewall_cmd/tasks/main.yml
new file mode 100644
index 0000000..29e8a54
--- /dev/null
+++ b/ansible/roles/firewall_cmd/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: Install firewalld
+  zypper:
+    name: firewalld
+    state: present
+  notify:
+    - Restart firewalld
+
+- name: Enable and start firewalld
+  command: systemctl enable --now firewalld
+  register: firewalld_enable
+  changed_when: "'Created symlink' in firewalld_enable.stdout or 'enabled' in firewalld_enable.stdout"
+  notify:
+    - Restart firewalld
+
+- name: Open specified firewall ports permanently
+  loop: "{{ firewall_ports }}"
+  command: firewall-cmd --permanent --add-port={{ item.port }}/{{ item.protocol }}
+  register: firewalld_add_port
+  changed_when: "'success' in firewalld_add_port.stdout"
+  notify:
+    - Restart firewalld
+
+- name: Reload firewalld rules
+  command: firewall-cmd --reload
+  register: firewalld_reload
+  changed_when: "'success' in firewalld_reload.stdout"
+  notify:
+    - Restart firewalld
\ No newline at end of file
diff --git a/ansible/roles/firewall_cmd/vars/main.yml b/ansible/roles/firewall_cmd/vars/main.yml
new file mode 100644
index 0000000..cd6143a
--- /dev/null
+++ b/ansible/roles/firewall_cmd/vars/main.yml
@@ -0,0 +1,4 @@
+firewall_ports:
+  - { port: 22, protocol: tcp }
+  - { port: 80, protocol: tcp }
+  - { port: 443, protocol: tcp }
\ No newline at end of file
diff --git a/ansible/roles/ssl_certificate/tasks/main.yml b/ansible/roles/ssl_certificate/tasks/main.yml
index 37b136d..7410bc6 100644
--- a/ansible/roles/ssl_certificate/tasks/main.yml
+++ b/ansible/roles/ssl_certificate/tasks/main.yml
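Review bot: The `Restart firewalld` handler shells out through `command: systemctl restart firewalld`, which the service-management module expresses directly and which is the direction the ssl_certificate hunks in this same commit take by moving to fully qualified modules: `ansible.builtin.systemd:` / `name: firewalld` / `state: restarted`. A full restart also tears the firewalld ruleset down and rebuilds it, so there is a brief window with no filtering on every notified run; applying rules written with `--permanent` only needs a reload, which tasks/main.yml already performs, so notifying this handler from the reload task is redundant. If a handler is kept at all, `state: reloaded` is the safer default unless a restart is genuinely required.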
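Review bot: `changed_when: "'success' in firewalld_add_port.stdout"` on the port task is effectively always true, because firewall-cmd prints `success` on stdout even when the port is already in the permanent configuration (it only emits an ALREADY_ENABLED warning on stderr), so every run reports all ports as changed and fires the restart handler. The reload task's `'success'` test has the same shape, and the enable task's `'Created symlink' in firewalld_enable.stdout` is fragile since systemctl appears to write that message to stderr rather than stdout — worth verifying on a target before relying on it. The `command:` line additionally builds the firewall-cmd argument by interpolating `item.port`/`item.protocol` into a string; the `ansible.posix.firewalld` module takes the same values as a parameter, is idempotent, and can apply the rule immediately, and `ansible.builtin.systemd` covers enable-and-start, which makes the reload task and the handler notifications unnecessary. The bare `zypper:` here is also inconsistent with the fully qualified name the ssl_certificate hunk adopts; the collection that ships this module is community.general.
```yaml
- name: Install firewalld
  community.general.zypper:
    name: firewalld
    state: present

- name: Enable and start firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

- name: Open specified firewall ports permanently
  ansible.posix.firewalld:
    port: "{{ item.port }}/{{ item.protocol }}"
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ firewall_ports }}"
# … unchanged: none — the reload task and the notify lists are dropped, since the module applies the permanent rule immediately
```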
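Review bot: Defining `firewall_ports` in `vars/main.yml` gives it role-vars precedence, which host and group vars in the inventory cannot override, so a host that must expose a different port set has to resort to `-e` or a play-level var; `defaults/main.yml` is the conventional home for a tunable list like this (the new `ssl_*` keys added to ssl_certificate/vars/main.yml in this commit have the same limitation). The entries also use inline flow mappings, which the rest of the role does not; block style, e.g. `- port: 22` / `  protocol: tcp`, reads consistently and diffs cleanly when a port is added, and the file should open with `---` like the other role files.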
@@ -1,10 +1,10 @@
 - name: Install OpenSSL
-  zypper:
+  ansible.builtin.zypper:
     name: openssl
     state: present
 
 - name: Create SSL directory
-  file:
+  ansible.builtin.file:
     path: "{{ ssl_cert_path }}"
     state: directory
     owner: root
@@ -18,10 +18,21 @@
     type: RSA
     mode: '0600'
 
+- name: Generate CSR (Certificate Signing Request)
+  community.crypto.openssl_csr:
+    path: "{{ ssl_cert_path }}/{{ ssl_csr_file }}"
+    privatekey_path: "{{ ssl_cert_path }}/{{ ssl_key_file }}"
+    common_name: "{{ ssl_common_name }}"
+    country_name: "{{ ssl_country }}"
+    state_or_province_name: "{{ ssl_state }}"
+    locality_name: "{{ ssl_locality }}"
+    organization_name: "{{ ssl_organization }}"
+    organizational_unit_name: "{{ ssl_organizational_unit }}"
+
 - name: Generate Self-Signed SSL Certificate
   community.crypto.x509_certificate:
     path: "{{ ssl_cert_path }}/{{ ssl_cert_file }}"
     privatekey_path: "{{ ssl_cert_path }}/{{ ssl_key_file }}"
-    subject: "{{ ssl_subject }}"
-    provider: "openssl"
-    days: 365
\ No newline at end of file
+    csr_path: "{{ ssl_cert_path }}/{{ ssl_csr_file }}"
+    provider: selfsigned
+    force: yes
\ No newline at end of file
diff --git a/ansible/roles/ssl_certificate/vars/main.yml b/ansible/roles/ssl_certificate/vars/main.yml
index dcf7d39..e366843 100644
--- a/ansible/roles/ssl_certificate/vars/main.yml
+++ b/ansible/roles/ssl_certificate/vars/main.yml
@@ -1,4 +1,11 @@
 ssl_cert_path: "/etc/nginx/ssl"
 ssl_cert_file: "proxy.crt"
 ssl_key_file: "proxy.key"
-ssl_subject: "/C=RU/ST=Some-State/L=Some-City/O=Your Company/CN={{ proxy.proxy_domain }}"
\ No newline at end of file
+ssl_csr_file: "proxy.csr"
+
+ssl_common_name: "{{ proxy.proxy_domain }}"
+ssl_country: "RU"
+ssl_state: "Some-State"
+ssl_locality: "Some-City"
+ssl_organization: "Your Company"
+ssl_organizational_unit: "IT"
\ No newline at end of file
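Review bot: `ansible.builtin.zypper:` on the Install OpenSSL task does not resolve — the zypper module is not part of ansible-core but ships in the community.general collection, so the play will stop with an unresolved module/action error before any task runs; the line should read `community.general.zypper:`. The `ansible.builtin.file:` change on the Create SSL directory task is correct, and the new firewall_cmd role's bare `zypper:` should adopt the same fully qualified name. The Create SSL directory task continues past the end of this hunk.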
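Review bot: `force: yes` on the Generate Self-Signed SSL Certificate task re-issues proxy.crt on every run, so the role is never idempotent and anything keyed on the certificate changing (a proxy reload, a handler) fires each time; the module already regenerates when the CSR or key no longer matches, so `force` should be dropped or made conditional. Replacing `days: 365` with `provider: selfsigned` and no `selfsigned_not_after` also silently extends validity to the module's default of ten years — keep the old lifetime explicit with `selfsigned_not_after: "+365d"`. The new CSR task sets only `common_name`; modern TLS clients ignore CN and validate against the SAN, so add `subject_alt_name: ["DNS:{{ ssl_common_name }}"]` to the openssl_csr task so the self-signed cert is actually usable for the proxy domain.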