Commit 4f738758 authored by Jörg Sachse's avatar Jörg Sachse

fix: create working version of rpcbind configuration

parent 4b693b08
...@@ -15,7 +15,7 @@ default: ...@@ -15,7 +15,7 @@ default:
variables: variables:
SCENARIO: "default" SCENARIO: "default"
# ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass" # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
ANSIBLE_VAULT_PASSWORD_FILE: "../../../lza_server_hardening.pass" ANSIBLE_VAULT_PASSWORD_FILE: "../lza_server_hardening.pass"
test-job: test-job:
...@@ -26,7 +26,7 @@ test-job: ...@@ -26,7 +26,7 @@ test-job:
- echo "CURRENT PATH= '$(pwd)'" - echo "CURRENT PATH= '$(pwd)'"
# make sure that Ansible Vaults are present and can be decrypted # make sure that Ansible Vaults are present and can be decrypted
- echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE} - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
- export ANSIBLE_VAULT_PASSWORD_FILE - export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"
- tree - tree
- rm -rf ../ansible_vaults/ - rm -rf ../ansible_vaults/
- git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \ - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
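Review bot: The vault password written by `echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}` lands in the parent of the job's working directory with whatever umask the runner shell has and is never deleted, so on a shell or otherwise persistent runner it stays readable to anything else running as that user across jobs; create it owner-only and clean it up, e.g. `umask 077` before the echo (or `install -m 600 /dev/null "${ANSIBLE_VAULT_PASSWORD_FILE}"` first) plus `rm -f "${ANSIBLE_VAULT_PASSWORD_FILE}"` in an `after_script`. The new `export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"` only resolves correctly from a directory two levels below the one the file was written in — presumably where molecule runs — which is fragile; `export ANSIBLE_VAULT_PASSWORD_FILE="$(realpath "${ANSIBLE_VAULT_PASSWORD_FILE}")"` right after writing the file works from any cwd. The deploy token embedded in the `git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@…` URL is likewise persisted on disk in the clone's `.git/config`; passing it with `-c http.extraHeader=` or a credential helper keeps it out of the remote URL.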
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "/etc/systemd/system/rpcbind.socket.d/override.conf" path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
create: true create: true
mode: "0644"
marker: "### {mark} ANSIBLE MANAGED BLOCK - clear previous settings" marker: "### {mark} ANSIBLE MANAGED BLOCK - clear previous settings"
block: | block: |
# from `man 5 systemd.socket`: # from `man 5 systemd.socket`:
...@@ -34,24 +35,25 @@ ...@@ -34,24 +35,25 @@
when: rpcbind_installed when: rpcbind_installed
notify: daemon_reload notify: daemon_reload
- name: implement access control in rpcbind socket unit by creating an override - general settings - name: implement access control in rpcbind socket unit by creating an override - interface specific settings
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "/etc/systemd/system/rpcbind.socket.d/override.conf" path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
create: true create: true
marker: ### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }} mode: "0644"
marker: "### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}"
block: | block: |
ListenStream={{ item.source }} ListenStream={{ item.source }}
ListenDatagram={{ item.source }} ListenDatagram={{ item.source }}
loop: "{{ nfs_server_interfaces }}" loop: "{{ vault_nfs_server_interfaces }}"
when: rpcbind_installed when: rpcbind_installed
notify: daemon_reload notify: daemon_reload
- name: implement rpcbind access control in iptables - name: implement rpcbind access control in iptables
ansible.builtin.iptables: ansible.builtin.iptables:
action: "insert" action: "insert"
chain: "INPUP" chain: "INPUT"
comment: "{{ item.comment }}" comment: "allow rpcbind access from {{ item.comment }} for NFSv3"
source: "{{ item.source }}" source: "{{ item.source }}"
jump: "ACCEPT" jump: "ACCEPT"
loop: "{{ nfs_server_interfaces }}" loop: "{{ vault_nfs_server_interfaces }}"
notify: "save iptables rules" notify: "save iptables rules"
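Review bot: The iptables rule in the last task accepts all traffic from each `item.source`, not just rpcbind — there is no `protocol` or `destination_port`, so a rule whose comment says "allow rpcbind access … for NFSv3" is inserted at the top of INPUT and opens every port on the host to that source. Restrict it to the portmapper port (111) on both tcp and udp, for example by looping over the interfaces crossed with `['tcp', 'udp']` as below, and add the same `when: rpcbind_installed` guard the two systemd tasks carry so no rules are created on hosts without rpcbind. Separately, `ListenStream={{ item.source }}` / `ListenDatagram={{ item.source }}` in the socket override only works if the value already carries a port, since systemd expects `address:port`; if `vault_nfs_server_interfaces[].source` is the same host or CIDR value fed to the iptables `source`, the unit will fail to parse it and a CIDR cannot be bound at all — confirm the variable's shape and use `{{ item.source }}:111` if it is a bare address. The task file continues outside this hunk.

```yaml
- name: implement rpcbind access control in iptables
  ansible.builtin.iptables:
    action: "insert"
    chain: "INPUT"
    protocol: "{{ item.1 }}"
    destination_port: "111"
    comment: "allow rpcbind access from {{ item.0.comment }} for NFSv3 ({{ item.1 }})"
    source: "{{ item.0.source }}"
    jump: "ACCEPT"
  loop: "{{ vault_nfs_server_interfaces | product(['tcp', 'udp']) | list }}"
  when: rpcbind_installed
  notify: "save iptables rules"
```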