Include configuration of the UFW firewall to help "lock down" AzuraCast instances.
parent
98a15cc578
commit
48a182c339
|
@ -30,7 +30,7 @@ if [ "" == "$PKG_OK" ]; then
|
|||
fi
|
||||
|
||||
APP_ENV="${APP_ENV:-production}"
|
||||
UPDATE_REVISION="{$UPDATE_REVISION:-10"
|
||||
UPDATE_REVISION="{$UPDATE_REVISION:-12"
|
||||
|
||||
echo "Updating AzuraCast (Environment: $APP_ENV)"
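Review bot: The rewritten assignment `UPDATE_REVISION="{$UPDATE_REVISION:-12"` is not a parameter expansion: the brace sits before the `$` and is never closed, so the shell produces a literal `{`, the variable's value, and then the text `:-12`. The `APP_ENV="${APP_ENV:-production}"` line just above shows the intended form; the corrected line would be `UPDATE_REVISION="${UPDATE_REVISION:-12}"`. If this value is what feeds the playbook's `update_revision|int` conditions (the hand-off is not visible in this hunk), a string like `{:-12` would most likely cast to 0, so every revision-gated role, including the new firewall role, would be re-applied on each update. The malformed form predates this commit, but the commit touches the line and carries it forward.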
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
- nginx
|
||||
- php
|
||||
- mariadb
|
||||
- ufw
|
||||
- composer
|
||||
- azuracast-db
|
||||
- { role: azuracast-cron, when: testing_mode == false }
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
- name: Install UFW Firewall
|
||||
become: true
|
||||
apt: pkg="{{ item }}" state=latest
|
||||
with_items:
|
||||
- ufw
|
||||
|
||||
- name: UFW - Disable all other incoming by default
|
||||
ufw:
|
||||
policy: deny
|
||||
|
||||
- name: UFW - Enable AzuraCast TCP Ports
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ item }}"
|
||||
proto: tcp
|
||||
with_items:
|
||||
- 80
|
||||
- 443
|
||||
- '8000:8999'
|
||||
|
||||
- name: UFW - Enable SSH
|
||||
ufw:
|
||||
rule: allow
|
||||
port: ssh
|
||||
proto: tcp
|
||||
|
||||
- name: UFW - Turn on Firewall
|
||||
ufw:
|
||||
state: enabled
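Review bot: The "UFW - Enable SSH" task opens the SSH port to every source with `rule: allow`, leaving the host's administrative port without any throttling of repeated login attempts; `rule: limit` keeps it reachable while ufw rate-limits connection bursts. The "Disable all other incoming by default" task relies on the module's default direction, so say what the task name promises with `direction: incoming` next to `policy: deny`. Only the install task carries `become: true`; the four `ufw:` tasks change firewall state and need root too, so unless the play already escalates (not visible here) they need the same line. The install task would also read better as native YAML with `state: present`, since `state=latest` upgrades the package on every run.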
|
|
@ -14,9 +14,12 @@
|
|||
- init
|
||||
- azuracast-config
|
||||
- { role: azuracast-radio, when: update_revision|int < 8 }
|
||||
|
||||
- { role: nginx, when: update_revision|int < 10 }
|
||||
- { role: php, when: update_revision|int < 10 }
|
||||
- { role: supervisord, when: update_revision|int < 11 }
|
||||
- { role: influxdb, when: update_revision|int < 10 }
|
||||
- { role: ufw, when: update_revision|int < 12 }
|
||||
|
||||
- { role: azuracast-cron, when: update_revision|int < 2 }
|
||||
- azuracast-update
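Review bot: Adding `{ role: ufw, when: update_revision|int < 12 }` to the update play turns on a default-deny firewall on hosts that are already in service, and the role only allows 80, 443, 8000:8999 and the named `ssh` service. An operator whose sshd listens on a non-standard port, or who runs other services on the box, could lose access once the "Turn on Firewall" task runs. Consider driving the allowed SSH port from a role variable instead of the fixed `port: ssh`, and document the new firewall behaviour in the update notes so it can be reviewed before upgrading. A comment above this line, such as `# enables ufw with default deny; review allowed ports before updating`, would also help.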
|