An Ansible Role that manages Hetzner Robot Firewall.
## Requirements

- Existing Hetzner Online GmbH account.
- Configured Hetzner Robot Webservice account.

| Name | Type | Version | Location |
|---|---|---|---|
| ansible-filter | Python package | 1.0.1 | Control node |
## Role Variables

Available variables are listed below, along with their default values (see `defaults/main.yml`):
```yaml
hetzner_firewall_webservice_base_url: https://robot-ws.your-server.de
```

Base URL pointing to the Hetzner Robot API. The variable is mostly used for testing purposes; there is no need to change the default.

```yaml
hetzner_firewall_webservice_username: robot
```

Webservice login name. May be set or changed as described in the section Change Access Data (Hetzner Wiki).

```yaml
hetzner_firewall_webservice_password: secret
```

Webservice password. May be set or changed as described in the section Change Access Data (Hetzner Wiki).
```yaml
hetzner_firewall_templates:
  - name: New Template
    whitelist_hos: true
    is_default: false
    rules:
      input:
        - action: accept
          ip_version: ipv4
          name: Allow all
```

Multiple firewall templates may be managed using the `hetzner_firewall_templates` variable. A firewall template is identified by its `name` attribute. The name must be unique to avoid collisions and unexpected behavior. The `state` attribute of a template defaults to `present`.
```yaml
hetzner_firewall_templates:
  - name: New Template
    state: absent
```

To ensure the template is removed, add `state: absent`. The `name` attribute remains mandatory so that the existing template can be identified.
```yaml
hetzner_firewall_host:
  name: New Template
```

A host firewall may be managed by referencing an existing firewall template from the `hetzner_firewall_templates` list. The variable `hetzner_firewall_host` may be defined for a particular host group or for a dedicated host. If `hetzner_firewall_host` is undefined, the role ignores the firewall of the related host or host group.
```yaml
hetzner_firewall_host:
  state: absent
```

To remove the firewall configuration for a particular host, add `state: absent` to the host firewall configuration. Additional configuration parameters do not take effect when `state: absent` is provided.
```yaml
hetzner_firewall_host:
  status: disabled
```

To disable the firewall configuration for a particular host, add `status: disabled` to the host firewall configuration. Additional configuration parameters do not take effect when `status: disabled` is provided.
```yaml
hetzner_firewall_webservice_concurrent_requests: 1
hetzner_firewall_webservice_concurrent_poll: 1
```

To speed up role execution when handling the firewall configuration of a large number of hosts, the number of parallel requests made to the Hetzner Robot API can be controlled with the `hetzner_firewall_webservice_concurrent_requests` variable. The poll interval for processing asynchronous request results is set using `hetzner_firewall_webservice_concurrent_poll`. See the official Ansible documentation on Asynchronous Actions and Polling for more details.
Tags can be used to limit the role execution to a particular task module. The following tags are available:

- `hetzner_firewall`, `config`: Covers the full role lifecycle.
- `hetzner_firewall_template`: Manages firewall templates.
- `hetzner_firewall_host`: Manages host firewalls.
## Dependencies

None.
## Example Playbook

```yaml
- hosts: all
  roles:
    - nl2go.hetzner_firewall
  # Role variables are passed as play vars so the playbook is valid on its own.
  vars:
    hetzner_firewall_templates:
      - name: Real World Template
        whitelist_hos: true
        is_default: true
        rules:
          input:
            - name: Allow ICMP
              action: accept
              ip_version: ipv4
              protocol: icmp
            - name: Allow TCP based downloads
              action: accept
              ip_version: ipv4
              protocol: tcp
              dst_port: 32768-65535
              tcp_flags: syn
            - name: Allow UDP based downloads
              action: accept
              ip_version: ipv4
              protocol: udp
              dst_port: 32768-65535
            - name: Allow SSH Office IP
              action: accept
              ip_version: ipv4
              protocol: tcp
              src_ip: 1.1.1.1/32
              dst_port: '22'
            - name: Allow private range 1
              action: accept
              ip_version: ipv4
              src_ip: 10.0.0.0/8
```
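A second playbook, added here as an example and not part of the role's README, that goes beyond the one above: it limits SSH to a management network, retires an old template with `state: absent`, raises the number of parallel API requests, and attaches the template to the hosts through `hetzner_firewall_host`. The inventory group, the management CIDR and the Vault variable name are assumptions.

```yaml
# Added example playbook, not taken from the role's README. Assumptions:
# an inventory group named hetzner_servers, a management CIDR (the
# 198.51.100.0/24 below is a constructed placeholder) and a Vault variable
# vault_hetzner_robot_password holding the Robot webservice password.
- hosts: hetzner_servers
  roles:
    - nl2go.hetzner_firewall
  vars:
    hetzner_firewall_webservice_username: robot
    hetzner_firewall_webservice_password: "{{ vault_hetzner_robot_password }}"
    # Talk to the Robot API for several hosts at once instead of serially.
    hetzner_firewall_webservice_concurrent_requests: 4
    hetzner_firewall_webservice_concurrent_poll: 2
    hetzner_firewall_templates:
      # Deny-by-default template: the Hetzner firewall drops what no rule accepts.
      - name: Admin Only
        whitelist_hos: true          # keep Hetzner's own service traffic reachable
        is_default: true
        rules:
          input:
            - name: Allow ICMP
              action: accept
              ip_version: ipv4
              protocol: icmp
            - name: Allow SSH from the management network only
              action: accept
              ip_version: ipv4
              protocol: tcp
              src_ip: 198.51.100.0/24   # constructed placeholder CIDR
              dst_port: '22'
            - name: Allow replies to outbound TCP connections
              action: accept
              ip_version: ipv4
              protocol: tcp
              dst_port: 32768-65535
              tcp_flags: ack            # ACK must be set, so new inbound SYNs are not accepted
      # Retire an older template; with state: absent only name is evaluated.
      - name: Old Permissive Template
        state: absent
    # Attach the deny-by-default template to every host in the play.
    hetzner_firewall_host:
      name: Admin Only
```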
## Testing

Use docker-molecule following its instructions to run Molecule, or install Molecule locally (not recommended; version conflicts might appear).

Use the following to run the tests:

```shell
molecule test --all
```
This role relies on hetzner-robot-api-mock to simulate interactions with the Hetzner Robot API.
## License

See the LICENSE.md file for details.
## Author Information

This role was created in 2019 by Newsletter2Go GmbH.