debops.tcpwrappers default variables

Main configuration


Enable or disable configuration of tcpwrappers.

tcpwrappers__enabled: True

Optional list of CIDR hosts which will be allowed to connect to the sshd service. Entries are saved in the local facts on remote hosts.

Remember to specify the IP address from the remote host's point of view. Format: "IP address/netmask", for example:

Note: If you are also using the debops.ferm role (or the DebOps playbook), remember to set ferm__ansible_controllers. An easier way would be to use the debops.sshd role to configure the ssh service.

tcpwrappers__ansible_controllers: []

By default debops.tcpwrappers will deny all connections using the /etc/hosts.deny file and only allow whitelisted connections in /etc/hosts.allow. Set this variable to False to disable that.

tcpwrappers__deny_all: True

Path of the diverted /etc/hosts.allow file. It will be merged with the rest of the generated configuration files using the Ansible assemble module. Warning: do not change this variable while the role is enabled.

tcpwrappers__divert_hosts_allow: '/etc/hosts.allow.d/05_debian_hosts.allow'

TCP Wrappers allow lists


List of allow rules for all hosts in the Ansible inventory. See tcpwrappers__allow for more details.

tcpwrappers__allow: []

List of allow rules for hosts in a specific host group. See tcpwrappers__allow for more details.

tcpwrappers__group_allow: []

List of allow rules for specific hosts in the inventory. See tcpwrappers__allow for more details.

tcpwrappers__host_allow: []

List of allow rules specified by other Ansible roles as a dependency. See tcpwrappers__allow for more details.

tcpwrappers__dependent_allow: []

By default allow unrestricted access from localhost.

  - daemon: 'ALL'
    client: [ '', '::1/128' ]
    comment: 'Access from localhost'
    filename: 'allow_localhost'
    weight: '06'
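
The effect of tcpwrappers__deny_all can be checked offline with a small evaluator that follows the hosts_access(5) lookup order (hosts.allow first, then hosts.deny, otherwise access is granted). This is an added example, not code from the debops.tcpwrappers role; the file contents and addresses are constructed, and only the ALL wildcard and IP network client patterns are handled.

```python
import ipaddress
import re

# Constructed sample files (not output of the role); addresses are
# documentation ranges chosen for this example.
HOSTS_ALLOW = """\
# Access from localhost
ALL: 127.0.0.0/8 [::1]/128
# Ansible controller
sshd: 192.0.2.10/32
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", "").splitlines():
        line = line.split("#", 1)[0].strip()
        # Split on ':' outside [...] so bracketed IPv6 networks stay intact.
        fields = re.split(r":(?![^\[]*\])", line)
        if len(fields) >= 2:
            daemons, clients = (f.replace(",", " ").split() for f in fields[:2])
            rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match 'ALL' or an IP network; other pattern types never match here."""
    if pattern == "ALL":
        return True
    try:
        net = ipaddress.ip_network(
            pattern.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return False  # hostnames, LOCAL, EXCEPT, ... are outside this subset
    return addr.version == net.version and addr in net


def decide(allow_text, deny_text, daemon, client_ip):
    """hosts_access(5) order: hosts.allow first, then hosts.deny, else grant."""
    addr = ipaddress.ip_address(client_ip)
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            daemon_ok = "ALL" in daemons or daemon in daemons
            if daemon_ok and any(client_matches(c, addr) for c in clients):
                return verdict
    return "allow"  # nothing matched in either file
```

Calling decide() for an unlisted client with an empty hosts.deny returns "allow", which is the gap a deny-all entry in /etc/hosts.deny closes.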