The jenkins-cli is used to initially configure the Jenkins service. As
of recent versions, however, anonymous cli access isn't allowed unless
useSecurity is set to false in Jenkins' config.xml. This opens Jenkins
to the world of course.
By creating some firewall rules, we can just disable nginx, turn off
auth, allow only localhost access to port 8080 and safely make changes using
jenkins-cli.
Signed-off-by: David Galloway <dgallowa@redhat.com>
tags:
- letsencrypt
+- include: ufw.yml
+ tags:
+ - ufw
+
- name: Install Jenkins
apt:
name: jenkins
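Review bot: the `- include: ufw.yml` line is gated only by the `ufw` tag, so a run restricted with `--tags` to anything else skips the firewall tasks entirely. The commit message says that turning auth off opens Jenkins to the world, so the firewall step should not be skippable: add `always` to the tags on this include, or have the step that turns auth off first check that ufw is active.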
--- /dev/null
+---
+- name: install ufw
+ apt:
+ name: ufw
+ state: latest
+
+- name: only listen to localhost on port 8080
+ ufw:
+ port: 8080
+ src: 127.0.0.1
+ rule: allow
+
+- name: allow custom ssh, http, https, and JNLP slave port
+ ufw:
+ port: "{{ item }}"
+ rule: allow
+ with_items:
+ - 2222
+ - 80
+ - 443
+ - 49187
+
+- name: reload ufw
+ ufw:
+ state: reloaded
+
+- name: start ufw
+ ufw:
+ state: enabled
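Review bot: nothing in ufw.yml sets a default incoming policy, so the task "only listen to localhost on port 8080" only adds an allow for `src: 127.0.0.1` and leaves blocking every other source on 8080 to whatever default the host already has. Add an explicit task with `policy: deny` and `direction: incoming` ahead of "start ufw" so the restriction is stated in the role itself. The task name is also misleading, since the rule filters traffic and does not change the address Jenkins listens on; "allow port 8080 from localhost only" would describe it. Two smaller points: "reload ufw" runs before "start ufw", and a reload of a firewall that is not yet enabled is skipped, so swap the two or drop the reload; and `state: latest` upgrades the package on every run where `present` would do.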