Initial commit

.gitignore

@@ -0,0 +1 @@
+.cache

.travis.yml

@@ -0,0 +1,14 @@
+---
+sudo: required
+language: python
+services:
+  - docker
+before_install:
+  - sudo apt-get -qq update
+install:
+  - pip install molecule
+  - pip install docker
+script:
+  - molecule test
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

.yamllint

@@ -0,0 +1,11 @@
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable
+  truthy: disable

LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2014 Pieterjan Vandaele
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,79 @@
+# Ansible Role: UFW
+
+[![Build Status](https://travis-ci.org/markahesketh/ansible-role-ufw.svg?branch=master)](https://travis-ci.org/markahesketh/ansible-role-ufw)
+
+Ansible role to manage UFW (Uncomplicated Firewall), a firewall configuration tool for Ubuntu/Debian systems.
+
+## Installation
+
+```
+ansible-galaxy install markahesketh.ufw
+```
+
+## Role Variables
+
+Default values are listed below (see [`defaults/main.yml`](defaults/main.yml)):
+
+```yml
+ufw_default_policy: deny
+
+ufw_rules:
+  - to_port: 22
+    rule: limit
+  - to_port: 80
+    rule: allow
+  - to_port: 443
+    rule: allow
+```
+
+The `ufw_rules` variable is an array of objects, with the following options from the [UFW module](http://docs.ansible.com/ansible/latest/ufw_module.html):
+
+```yml
+ufw_rules:
+  - to_port:
+    rule:
+    proto:
+    to_ip:
+    from_port:
+    from_ip:
+    interface:
+    direction:
+    log:
+```
+
+You can specify the firewall's default policy with the `ufw_default_policy` variable, which accepts `allow`, `deny` and `reject ` as options.
+
+```yml
+ufw_default_policy: "allow|deny|reject"
+```
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+```yml
+- hosts: web
+  roles:
+    - markahesketh.ufw
+```
+
+## Testing
+
+    molecule test
+
+Requires [Molecule](https://molecule.readthedocs.io/en/latest/) and [Docker](https://docs.docker.com/engine/installation/).
+
+## License
+
+This role is open-sourced software licensed under the [MIT license](http://opensource.org/licenses/MIT).
+
+## Author
+
+By [Mark Hesketh](https://www.markhesketh.co.uk/), a web developer from Manchester, UK.
+
+* Blog: [markhesketh.co.uk](https://www.markhesketh.co.uk/)
+* Twitter: [twitter.com/markahesketh](https://www.twitter.com/markahesketh/)
+* GitHub: [github.com/markahesketh](http://www.github.com/heskethm/)
+* Email: [[email protected]](mailto:[email protected])

defaults/main.yml

@@ -0,0 +1,10 @@
+---
+ufw_default_policy: deny
+
+ufw_rules:
+  - to_port: 22
+    rule: limit
+  - to_port: 80
+    rule: allow
+  - to_port: 443
+    rule: allow

meta/main.yml

@@ -0,0 +1,24 @@
+---
+galaxy_info:
+  author: Mark Hesketh
+  description: UFW (Uncomplicated Firewall), firewall configuration for Debian/Ubuntu
+  license: MIT
+  min_ansible_version: 2.0
+  platforms:
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+  categories:
+    - system
+    - ubuntu
+    - debian
+    - ufw
+    - firewall
+    - install
+    - web
+    - security
+    - server
+dependencies: []

molecule/default/.molecule/Dockerfile_debian_8

@@ -0,0 +1,7 @@
+FROM debian:8
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/.molecule/Dockerfile_debian_9

@@ -0,0 +1,7 @@
+FROM debian:9
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/.molecule/Dockerfile_ubuntu_12_04

@@ -0,0 +1,7 @@
+FROM ubuntu:12.04
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/.molecule/Dockerfile_ubuntu_14_04

@@ -0,0 +1,7 @@
+FROM ubuntu:14.04
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/.molecule/Dockerfile_ubuntu_16_04

@@ -0,0 +1,7 @@
+FROM ubuntu:16.04
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/.molecule/ansible.cfg

@@ -0,0 +1,10 @@
+# Molecule managed
+
+[ssh_connection]
+control_path = %(directory)s/%%h-%%p-%%r
+scp_if_ssh = True
+[defaults]
+host_key_checking = False
+ansible_managed = Ansible managed: Do NOT edit this file manually!
+retry_files_enabled = False
+nocows = 1

molecule/default/.molecule/ansible_inventory.yml

@@ -0,0 +1,11 @@
+# Molecule managed
+
+---
+all:
+  hosts:
+    instance: &id001
+      ansible_connection: docker
+ungrouped:
+  hosts:
+    instance: *id001
+  vars: {}

molecule/default/.molecule/state.yml

@@ -0,0 +1,7 @@
+# Molecule managed
+
+---
+converged: false
+created: false
+driver: null
+prepared: null

molecule/default/Dockerfile.j2

@@ -0,0 +1,7 @@
+FROM {{ item.image }}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi

molecule/default/INSTALL.rst

@@ -0,0 +1,16 @@
+*******
+Install
+*******
+
+Requirements
+============
+
+* Docker Engine
+* docker-py
+
+Install
+=======
+
+.. code-block:: bash
+
+  $ sudo pip install docker-py

molecule/default/create.yml

@@ -0,0 +1,47 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}"
+    molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Create Dockerfiles from image names
+      template:
+        src: "{{ molecule_scenario_directory }}/Dockerfile.j2"
+        dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}"
+      with_items: "{{ molecule_yml.platforms }}"
+      register: platforms
+
+    - name: Discover local Docker images
+      docker_image_facts:
+        name: "molecule_local/{{ item.item.name }}"
+      with_items: "{{ platforms.results }}"
+      register: docker_images
+
+    - name: Build an Ansible compatible image
+      docker_image:
+        path: "{{ molecule_ephemeral_directory }}"
+        name: "molecule_local/{{ item.item.image }}"
+        dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}"
+        force: "{{ item.item.force | default(True) }}"
+      with_items: "{{ platforms.results }}"
+      when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0
+
+    - name: Create molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        hostname: "{{ item.name }}"
+        image: "molecule_local/{{ item.image }}"
+        state: started
+        recreate: False
+        log_driver: syslog
+        command: "{{ item.command | default('sleep infinity') }}"
+        privileged: "{{ item.privileged | default(omit) }}"
+        volumes: "{{ item.volumes | default(omit) }}"
+        capabilities: "{{ item.capabilities | default(omit) }}"
+      with_items: "{{ molecule_yml.platforms }}"

molecule/default/destroy.yml

@@ -0,0 +1,16 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Destroy molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        state: absent
+        force_kill: "{{ item.force_kill | default(True) }}"
+      with_items: "{{ molecule_yml.platforms }}"

molecule/default/molecule.yml

@@ -0,0 +1,33 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+platforms:
+  - name: instance
+    image: debian:8
+    privileged: yes
+  - name: instance
+    image: debian:9
+    privileged: yes
+  - name: instance
+    image: ubuntu:12.04
+    privileged: yes
+  - name: instance
+    image: ubuntu:14.04
+    privileged: yes
+  - name: instance
+    image: ubuntu:16.04
+    privileged: yes
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

molecule/default/playbook.yml

@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: ansible-role-ufw

molecule/default/prepare.yml

@@ -0,0 +1,5 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: False
+  tasks: []

molecule/default/tests/test_default.py

@@ -0,0 +1,16 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_ufw_installed(host):
+    ufw = host.package("ufw")
+    assert ufw.is_installed
+
+
+def test_ufw_is_enabled(host):
+    ufw = host.service("ufw")
+    assert ufw.is_enabled