From dbe8978987eab868abfc20e3a37b80660045bf66 Mon Sep 17 00:00:00 2001
From: Gregor Michels
Date: Tue, 28 Jun 2022 00:11:01 +0200
Subject: [PATCH] add vm eap-adp-jump01 with a basic playbook for configuration

---
 files/pf.conf | 27 +++++++++++++++++++++++
 inventory | 3 +++
 playbook_provision_eap-adp-jump01.yml | 31 +++++++++++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 files/pf.conf
 create mode 100644 playbook_provision_eap-adp-jump01.yml

diff --git a/files/pf.conf b/files/pf.conf
new file mode 100644
index 0000000..64c00fa
--- /dev/null
+++ b/files/pf.conf
@@ -0,0 +1,27 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+
+block return # block stateless traffic
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# allow outgoing tcp, udp and icmp
+pass out proto { tcp, udp } from self to any
+pass out inet proto icmp from self to any
+pass out inet6 proto icmp6 from self to any
+
+# allow incoming icmp
+pass in inet proto icmp from any to self
+pass in inet6 proto icmp6 from any to self
+
+# allow incoming ssh
+pass in proto tcp from any to self port ssh
+
+include "/etc/pf.include.conf"
diff --git a/inventory b/inventory
index 48c8e29..94b77f0 100644
--- a/inventory
+++ b/inventory
@@ -22,3 +22,6 @@ gw-core01 ip=192.168.10.45
 
 [server]
 hyper01 ip=10.84.1.21
+
+[vms]
+eae-adp-jump01 ip=162.55.53.85 ansible_python_interpreter=/usr/local/bin/python3
diff --git a/playbook_provision_eap-adp-jump01.yml b/playbook_provision_eap-adp-jump01.yml
new file mode 100644
index 0000000..b3e6e6a
--- /dev/null
+++ b/playbook_provision_eap-adp-jump01.yml
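Review bot: `pass in proto tcp from any to self port ssh` opens SSH to the whole Internet (the inventory hunk in this same commit gives the host a public address) with no connection-rate limit, so credential brute forcing against the jump host is unthrottled; an overload table on the ssh rule is the usual pf answer and is sketched below. `block return`, kept from the OpenBSD template, also answers closed ports with RST/unreachable, which makes scanning faster than `block drop` would — a defensible choice for a jump host, but worth a one-line comment saying it is deliberate. Since the trailing `include "/etc/pf.include.conf"` is evaluated after everything above and pf applies the last matching rule, a comment such as `# rules in the include are evaluated last and override the defaults above (last match wins)` would save the next editor a surprise. Entries in the overload table never expire on their own; a periodic `pfctl -t bruteforce -T expire 86400` (cron) keeps it from growing forever.
```pf
# … unchanged: skip/block defaults, X11 and _pbuild rules, pass out rules, icmp rules …

table <bruteforce> persist
block quick from <bruteforce>

# allow incoming ssh, throttled: more than 15 new connections in 5s
# blacklists the source and flushes its existing states
pass in proto tcp from any to self port ssh \
    keep state (max-src-conn-rate 15/5, overload <bruteforce> flush global)

# … unchanged: include "/etc/pf.include.conf" …
```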
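Review bot: The new host is spelled `eae-adp-jump01` while the commit subject, the playbook file name and the play name all say `eap-adp-jump01`; the play's `hosts:` line uses `eae-`, so it runs, but two spellings of one machine will trip the next person who targets `eap-adp-jump01`. Pick one, presumably `eap-adp-jump01 ip=162.55.53.85 ansible_python_interpreter=/usr/local/bin/python3` with the matching `hosts:` change in the playbook. Note also that `ip=` is a plain host variable rather than `ansible_host`, so Ansible will connect to the inventory name via DNS or ssh_config; the existing entries follow the same convention, so presumably something outside this diff consumes it — worth confirming that the name resolves to the listed address.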
@@ -0,0 +1,31 @@ +--- +- name: provision eap-adp-jump01 + hosts: eae-adp-jump01 + tasks: + - name: create /etc/pf.include.conf + file: + path: /etc/pf.include.conf + state: touch + mode: 0600 + access_time: preserve + + - name: basic firewall configuration + copy: + src: files/pf.conf + dest: /etc/pf.conf + validate: "/sbin/pfctl -vnf %s" + notify: + - reload firewall + + - name: activate routing + blockinfile: + content: | + net.inet.ip.forwarding=0 + net.inet6.ip6.forwarding=0 + path: /etc/sysctl.conf + mode: 0600 + create: yes + + handlers: + - name: reload firewall + command: pfctl -vf /etc/pf.conf
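Review bot: The task named `activate routing` writes `net.inet.ip.forwarding=0` and `net.inet6.ip6.forwarding=0`, which disables forwarding; keeping it off is the right call for a jump host, so fix the name rather than the values, e.g. `- name: disable IP forwarding`, and since /etc/sysctl.conf is only read at boot, add a step that applies it to the running system as shown below. The `copy` of /etc/pf.conf sets no `owner`/`group`/`mode` while the include file created just above is pinned to `0600`; make the ruleset file explicit too so a freshly written pf.conf does not inherit the umask. `access_time: preserve` without `modification_time: preserve` on the touch task makes it report changed on every run. Nothing in the play sets `become`, so it presumably connects as root via the inventory — worth confirming, because every task here needs root.
```yaml
  - name: basic firewall configuration
    copy:
      src: files/pf.conf
      dest: /etc/pf.conf
      owner: root
      group: wheel
      mode: 0600
      validate: "/sbin/pfctl -vnf %s"
    notify:
      - reload firewall

  # … unchanged: sysctl.conf blockinfile task (renamed "disable IP forwarding") …

  - name: apply forwarding sysctls now (sysctl.conf is only read at boot)
    command: sysctl net.inet.ip.forwarding=0 net.inet6.ip6.forwarding=0
    changed_when: false
```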