Add ufw task, update http access and node config

2018-11-08 21:49:19 -08:00 · 2018-11-08 21:49:19 -08:00 · 70e3ed3627
parent f85874f609
commit 70e3ed3627
9 changed files with 81 additions and 11 deletions
--- a/aws/group_vars/all.yml.example
+++ b/aws/group_vars/all.yml.example
@ -117,5 +117,5 @@ blockscout_security_group: "{{ MAIN_REPO_FETCH }}-{{ GENESIS_BRANCH }}-blockscou

 allow_blockscout_ssh: true
 allow_blockscout_p2p: true
-allow_blockscout_http: true
+allow_blockscout_http: false

--- a/aws/roles/blockscout-access/tasks/ec2.yml
+++ b/aws/roles/blockscout-access/tasks/ec2.yml
@ -83,7 +83,7 @@
  - "30303"
  when: allow_blockscout_p2p == true

- name: Add http-3000 access
+- name: Add http-4000 access
  delegate_to: localhost
  ec2_group:
    ec2_access_key: "{{ access_key }}"
@ -99,5 +99,5 @@
      to_port: "{{ item }}"
      cidr_ip: 0.0.0.0/0
  with_items:
-  - "3000"
+  - "4000"
  when: allow_blockscout_http == true
--- a/group_vars/all.yml.example
+++ b/group_vars/all.yml.example
@ -179,8 +179,14 @@ api_version: "9773b5b"
 ##Blockscout-related variables

 #Explicitly specified api version to use
-blockscout_version: "master"
+blockscout_version: "df6ec81b68"
 #Name of database user to create
 db_user: "INSERT HERE"
 #Password for the database user
-db_user_password: "INSERT HERE"
+db_user_password: "INSERT HERE"
+#Specifies whether or not to keep port 22 opened to allow ssh access
+allow_blockscout_ssh: true
+#Specifies whether or not to keep port 30303 opened to allow peer discovery
+allow_blockscout_p2p: true
+#Specifies whether or not to keep port 4000 opened to allow http access
+allow_blockscout_http: false
--- a/group_vars/blockscout.yml.example
+++ b/group_vars/blockscout.yml.example
@ -6,6 +6,10 @@ home: "/home/{{ username }}"
 install_debug_tools: "no"
 reboot_after_completion: false

-blockscout_version: "master"
+blockscout_version: "df6ec81b68"
 db_user: "blockscout"
 db_user_password: "dvYYTbhdhuuOLMf74ghu"
+
+allow_blockscout_ssh: true
+allow_blockscout_p2p: true
+allow_blockscout_http: false
--- a/roles/blockscout/defaults/main.yml
+++ b/roles/blockscout/defaults/main.yml
@ -4,7 +4,7 @@ user: ubuntu

 allow_blockscout_ssh: true
 allow_blockscout_p2p: true
-allow_blockscout_http: true
+allow_blockscout_http: false

 username: "blockscout"
 users:
@ -18,7 +18,7 @@ reboot_after_completion: false
 install_debug_tools: "no"
 install_firewall: false

-blockscout_version: "master"
+blockscout_version: "df6ec81b68"
 db_user: "blockscout"
 db_user_password: "dvYYTbhdhuuOLMf74ghu"
 PROXY_PORT: "4000"
--- a/roles/blockscout/handlers/main.yml
+++ b/roles/blockscout/handlers/main.yml
@ -1,3 +1,6 @@
 ---
 - name: restart poa-blockscout
  service: name=poa-blockscout state=restarted
+
+- name: restart ufw
+  service: name=ufw state=restarted
--- a/roles/blockscout/tasks/main.yml
+++ b/roles/blockscout/tasks/main.yml
@ -67,3 +67,11 @@

 - name: Ensure poa-blockscout is running and enabled to start at boot
  service: name=poa-blockscout state=started enabled=yes
+
+- name: Setup ufw firewall
+  import_tasks: ufw.yml
+  when: install_firewall
+
+- name: restart machine after setup
+  shell: shutdown -r 1
+  when: reboot_after_completion == true
--- a/roles/blockscout/tasks/ufw.yml
+++ b/roles/blockscout/tasks/ufw.yml
@ -0,0 +1,51 @@
+---
+# to verify ufw configuration run:
+# sudo ufw status verbose
+
+- name: Install ufw
+  package: name=ufw state=present
+
+- name: Clean old rules
+  ufw: state=reset
+
+- name: Configure ufw defaults
+  ufw: direction={{ item.direction }} policy={{ item.policy }}
+  with_items:
+  - { direction: 'incoming', policy: 'deny' }
+  - { direction: 'outgoing', policy: 'allow' }
+  notify:
+  - restart ufw
+
+- name: Add ufw ssh access
+  ufw: rule='allow' port='22' proto='tcp'
+  notify:
+  - restart ufw
+  when: allow_blockscout_ssh == true
+
+- name: Add ufw https access
+  ufw: rule='allow' port='443' proto='tcp'
+  notify:
+  - restart ufw
+
+- name: Add ufw p2p access
+  ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
+  with_items:
+  - { rule: 'allow', port: '30303', proto: 'tcp' }
+  - { rule: 'allow', port: '30303', proto: 'udp' }
+  notify:
+  - restart ufw
+  when: allow_explorer_p2p == true
+
+- name: Add ufw http-4000 access
+  ufw: rule='allow' port='4000' proto='tcp'
+  notify:
+  - restart ufw
+  when: allow_blockscout_http == true
+
+- name: Enable ufw logging
+  ufw: logging=off
+  notify:
+  - restart ufw
+
+- name: Enable ufw
+  ufw: state=enabled
--- a/roles/blockscout/templates/node.toml.j2
+++ b/roles/blockscout/templates/node.toml.j2
@ -10,6 +10,7 @@ cors=["all"]
 reserved_peers="{{ home }}/bootnodes.txt"
 nat="extip:{{ ansible_host }}"
 port = 30303
+max_peers = 100

 [websockets]
 disable = false
@ -19,9 +20,6 @@ origins = ["all"]
 apis = ["all"]
 hosts = ["all"]

-[ipc]
-disable = true
-
 [ui]
 disable = true