pending changes

inventory/group_vars/all/global.yml

@@ -0,0 +1,3 @@
+---
+
+global_public_ip_address: 82.66.135.228

inventory/host_vars/ks3370405.yml

@@ -3,7 +3,7 @@
 web_hostname:
   - host: mail-relay.mateu.be
 
-allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
+allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
 
 global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
 ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"

inventory/static.yml

@@ -25,6 +25,7 @@ physicalservers:
   hosts:
     frederica:
     serenor:
+    ks3370405:
 
 webservers:
   hosts:

playbooks/global_smtprelay.yml

@@ -3,5 +3,4 @@
 - name: Install & configure the global SMTP relay
   hosts: ks3370405
   roles:
-    - ufw
     - global_smtp_relay

playbooks/site.yml

@@ -20,6 +20,8 @@
   import_playbook: mail.yml
 - name: Run global_smtprelay playbook
   import_playbook: global_smtprelay.yml
+- name: Run ufw plabook
+  import_playbook: ufw.yml
 - name: Run xmpp playbook
   import_playbook: xmpp.yml
 - name: Run webservers playbook

playbooks/ufw.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Install & configure UFW
+  hosts: ks3370405
+  roles:
+    - ufw

roles/firewall/templates/firewall.j2

@@ -350,6 +350,53 @@ config redirect
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow DNS traffic
+config rule
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	option src_dport '53'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'DNAT'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
 # Allow mail traffic
 config rule
 	option name 'Allow-OUTPUT-SMTP'

roles/global_smtp_relay/templates/main.cf.j2

@@ -4,7 +4,7 @@ myhostname = mail-relay.mateu.be
 myorigin = $myhostname
 mydestination = $myhostname, localhost.$mydomain, localhost
 unknown_local_recipient_reject_code = 550
-mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
+mynetworks = 127.0.0.0/8, [::1]/128, {{ global_smtp_relay_allowed_ips | join(', ') }}
 sendmail_path = /usr/bin/sendmail
 newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq

roles/ufw/tasks/main.yml

@@ -34,6 +34,11 @@
     src: "{{ item }}"
   loop: "{{ ufw_allowed_smtp_ips }}"
 
+- name: Allow incoming DNS
+  community.general.ufw:
+    rule: allow
+    port: domain
+
 - name: Set logging
   community.general.ufw:
     logging: "on"