diff --git a/README.md b/README.md
index cd0c02e..943af82 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,6 @@ My droplets configuration like image above.
   * In this case i'm create freestyle jobs project on jenkins which run some command and invoke ansible-playbook
 2. Configure **instance-b**
   * Register ssh-key jenkins@instance-a on DigitalOcean so this instance auto get ssh-key for deployment server
-  * Create instance-b with minimum specification 2GB of RAM
   * Let the rest configuration executed in instance-a
 
 ## Result
diff --git a/images/topology.jpeg b/images/topology.jpeg
index c06586e..5a5e7da 100644
Binary files a/images/topology.jpeg and b/images/topology.jpeg differ
diff --git a/instance-a-firewall.yml b/instance-a-firewall.yml
new file mode 100644
index 0000000..6ec26ad
--- /dev/null
+++ b/instance-a-firewall.yml
@@ -0,0 +1,5 @@
+---
+- name: Instance-b Playbook for firewall configuration
+  hosts: instance_b_production
+  roles:
+    - instance-a-fw
\ No newline at end of file
diff --git a/instance-a.yml b/instance-a.yml
index 574a1e4..0569f69 100644
--- a/instance-a.yml
+++ b/instance-a.yml
@@ -2,7 +2,9 @@
 - name: Instance-a Playbook
   hosts: instance_a
   roles:
+    - docker
     - docker-nginx
+    - jenkins
 # 3 roles yang dijalankan pada playbook ini adalah docker, jenkins, docker-nginx
\ No newline at end of file
diff --git a/instance-b-firewall.yml b/instance-b-firewall.yml
index 357a946..4eeaec0 100644
--- a/instance-b-firewall.yml
+++ b/instance-b-firewall.yml
@@ -2,4 +2,4 @@
 - name: Instance-b Playbook for firewall configuration
   hosts: instance_b_production
   roles:
-    - elastic-fw
\ No newline at end of file
+    - instance-b-fw
\ No newline at end of file
diff --git a/roles/instance-a-fw/tasks/main.yml b/roles/instance-a-fw/tasks/main.yml
new file mode 100644
index 0000000..78311a0
--- /dev/null
+++ b/roles/instance-a-fw/tasks/main.yml
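Review bot: The new instance-a-firewall.yml playbook applies the instance-a-fw role to `hosts: instance_b_production` and is titled "Instance-b Playbook for firewall configuration", so running it pushes the instance-a ruleset onto instance-b and leaves instance-a's firewall untouched; it looks copied from instance-b-firewall.yml without adjusting the play. I would change the two header lines to `- name: Instance-a Playbook for firewall configuration` and `hosts: instance_a`, the group instance-a.yml already targets. The instance-a.yml hunk header announces 7/9 lines but only 5 context lines survived the paste, so some blank lines of that file are not visible here.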
@@ -0,0 +1,23 @@
+---
+- name: ufw allow ssh
+  become: yes
+  ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: enable ufw
+  become: yes
+  ufw:
+    state: enabled
+
+- name: Render configuration starter from template
+  become: yes
+  template:
+    src: before.rules.j2
+    dest: /etc/ufw/before.rules
+
+- name: Reload configuration
+  become: yes
+  ufw:
+    state: reloaded
diff --git a/roles/instance-a-fw/templates/before.rules.j2 b/roles/instance-a-fw/templates/before.rules.j2
new file mode 100644
index 0000000..b2970e7
--- /dev/null
+++ b/roles/instance-a-fw/templates/before.rules.j2
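Review bot: The "Render configuration starter from template" task overwrites the distribution's /etc/ufw/before.rules with no `backup` and no explicit permissions, and the final `ufw: state: reloaded` task runs on every play rather than only when the file changed. I would add `backup: yes` and `mode: "0640"` to the template task (the stock ufw rule files are root-only readable — confirm on the target image), replace the trailing reload task with a `notify: reload ufw` on the template task, and put the `ufw: state: reloaded` call in a handler. Keeping the ssh allow rule before `state: enabled` is correct and should stay in that order, since enabling ufw first would cut the Ansible session. The task names would also read better if they said what is configured, e.g. `- name: Install custom before.rules`.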
@@ -0,0 +1,82 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-before-input
+#   ufw-before-output
+#   ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -o lo -j ACCEPT
+
+# quickly process packets for which we already have a connection
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT
+# -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+# -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+# -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# deny icmp codes for INPUT
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
+-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
+
+# ok icmp code for FORWARD
+-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+# all other non-local packets are dropped
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
+-A ufw-not-local -j DROP
+
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
+root@in
\ No newline at end of file
diff --git a/roles/elastic-fw/tasks/main.yml b/roles/instance-b-fw/tasks/main.yml
similarity index 100%
rename from roles/elastic-fw/tasks/main.yml
rename to roles/instance-b-fw/tasks/main.yml
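Review bot: The rendered before.rules ends with a stray `root@in` line after `COMMIT` (the last added line of this hunk, which looks like a shell prompt pasted into the file); ufw loads this file through iptables-restore, which is unlikely to accept that token, so `ufw reload`/`ufw enable` would fail and the role's reload task would error out — delete that line. Separately, the "deny icmp codes for INPUT" block drops destination-unreachable, time-exceeded and parameter-problem instead of accepting them as the stock file does; those types carry path-MTU and error feedback for the host's own outbound connections, so dropping them degrades connectivity without a security gain. I would restore the three commented `-j ACCEPT` lines for those types and keep only `-A ufw-before-input -p icmp --icmp-type echo-request -j DROP` if suppressing ping is the intent. The file also contains no Jinja expressions, so the role could ship it with `copy` instead of `template`; the hunk covers the whole new file.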