Include configuration of the UFW firewall to help "lock down" AzuraCast instances.

2017-06-06 18:02:15 -05:00 · 2017-06-06 18:02:15 -05:00 · 48a182c339
parent 98a15cc578
commit 48a182c339
4 changed files with 35 additions and 1 deletions
--- a/update.sh
+++ b/update.sh
@ -30,7 +30,7 @@ if [ "" == "$PKG_OK" ]; then
 fi

 APP_ENV="${APP_ENV:-production}"
-UPDATE_REVISION="{$UPDATE_REVISION:-10"
+UPDATE_REVISION="{$UPDATE_REVISION:-12"

 echo "Updating AzuraCast (Environment: $APP_ENV)"

--- a/util/ansible/deploy.yml
+++ b/util/ansible/deploy.yml
@ -23,6 +23,7 @@
    - nginx
    - php
    - mariadb
+    - ufw
    - composer
    - azuracast-db
    - { role: azuracast-cron, when: testing_mode == false }
--- a/util/ansible/roles/ufw/tasks/main.yml
+++ b/util/ansible/roles/ufw/tasks/main.yml
@ -0,0 +1,30 @@
+---
+- name: Install UFW Firewall
+  become: true
+  apt:  pkg="{{ item }}" state=latest
+  with_items:
+    - ufw
+
+- name: UFW - Disable all other incoming by default
+  ufw:
+    policy: deny
+
+- name: UFW - Enable AzuraCast TCP Ports
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  with_items:
+   - 80
+   - 443
+   - '8000:8999'
+
+- name: UFW - Enable SSH
+  ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: UFW - Turn on Firewall
+  ufw:
+    state: enabled
--- a/util/ansible/update.yml
+++ b/util/ansible/update.yml
@ -14,9 +14,12 @@
    - init
    - azuracast-config
    - { role: azuracast-radio, when: update_revision|int < 8 }
+
    - { role: nginx, when: update_revision|int < 10 }
    - { role: php, when: update_revision|int < 10 }
    - { role: supervisord, when: update_revision|int < 11 }
    - { role: influxdb, when: update_revision|int < 10 }
+    - { role: ufw, when: update_revision|int < 12 }
+
    - { role: azuracast-cron, when: update_revision|int < 2 }
    - azuracast-update