feat: allow multiple SSH input ports

c0979593 · Théo - Le Filament · ce74b227 · c0979593 · c0979593 · c0979593
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,24 +4,28 @@
  ansible.builtin.service:
    name: netfilter-persistent
    state: restarted
+  when: not ansible_check_mode
 - name: "restart fail2ban"
  ansible.builtin.service:
    name: fail2ban
    state: restarted
+  when: not ansible_check_mode
 - name: "restart docker"
  ansible.builtin.service:
    name: docker
    state: restarted
-  when: inventory_hostname in groups.docker
+  when: not ansible_check_mode and inventory_hostname in groups.docker
 - name: "restart auditd"
  ansible.builtin.service:
    name: auditd
    state: restarted
+  when: not ansible_check_mode
 - name: "restart rsyslog"
  ansible.builtin.service:
    name: rsyslog
    state: restarted
+  when: not ansible_check_mode
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,18 +28,21 @@
    name: "fail2ban"
    enabled: true
    state: started
+  when: not ansible_check_mode
 - name: "Make sure netfilter-persistent is enabled"
  ansible.builtin.service:
    name: "netfilter-persistent"
    enabled: true
    state: started
+  when: not ansible_check_mode
 - name: "Make sure auditd is enabled"
  ansible.builtin.service:
    name: "auditd"
    enabled: true
    state: started
+  when: not ansible_check_mode
 - name: "Push specific fail2ban jail configuration file"
  tags:
@@ -85,6 +88,10 @@
    - "restart fail2ban"
 - name: "Create iptables configuration"
+  vars:
+    template_sshd_ports:
+      - "{{ default_sshd_port }}"
+      - "{{ force_sshd_port | default(None) }}"
  ansible.builtin.template:
    src: "iptables.conf.j2"
    dest: "/etc/iptables/rules.v4"
@@ -97,6 +104,10 @@
    - "restart docker"
 - name: "Create ip6tables configuration"
+  vars:
+    template_sshd_ports:
+      - "{{ default_sshd_port }}"
+      - "{{ force_sshd_port | default(None) }}"
  ansible.builtin.template:
    src: "ip6tables.conf.j2"
    dest: "/etc/iptables/rules.v6"

--- a/templates/ip6tables.conf.j2
+++ b/templates/ip6tables.conf.j2
@@ -14,7 +14,11 @@
 # Autoriser le DHCPv6 sur le lien local uniquement
 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT
 # SSH
-A INPUT -p tcp -m tcp --dport {{ default_sshd_port }} -j ACCEPT
+{% for port in template_sshd_ports | default([2222]) %}
+{% if port %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endif %}
+{% endfor %}
 {% if inventory_hostname in groups.gitlab | default([]) %}
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 # REGISTRY

--- a/templates/iptables.conf.j2
+++ b/templates/iptables.conf.j2
@@ -26,7 +26,11 @@
 -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
 {% endif %}
 # SSH
-A INPUT -p tcp -m tcp --dport {{ default_sshd_port }} -j ACCEPT
+{% for port in template_sshd_ports | default([2222]) %}
+{% if port %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endif %}
+{% endfor %}
 {% if inventory_hostname in groups.gitlab | default([]) %}
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 # REGISTRY