Getting started

Initial configuration

The default configuration implemented by debops.tcpwrappers is focused on whitelisting specific IP addresses, CIDR subnets or other entries. The role automatically blocks all incoming connections using /etc/hosts.deny and lets you specify whitelisted exceptions in /etc/hosts.allow.

To support idempotent configuration of different services, the role uses the Ansible assemble module to generate the /etc/hosts.allow file from fragments located in the /etc/hosts.allow.d/ directory. Any changes made directly to the /etc/hosts.allow file will be lost.

Because the SSH service is crucial for Ansible operation, the role takes care not to block the Ansible Controller host from accessing it. To do so, it uses data gathered automatically by the debops.core role, or a separate list of Ansible Controller hosts.
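The following added example (not code from the role or from DebOps) models the setup described above: fragments are concatenated in filename order the way the assemble module does, and the result is evaluated in hosts_access(5) order to list hosts that would lose SSH access. The fragment names, addresses and the "ALL: ALL" deny line are constructed assumptions, and the matcher is simplified to IPv4 addresses, subnets and ALL.

```python
import ipaddress

# Constructed sample data: fragment names and contents are assumptions.
FRAGMENTS = {
    "50_sshd_admins": "sshd: 192.0.2.0/24\n",
    "10_sshd_controller": "# Ansible Controller\nsshd: 198.51.100.7\n",
}
HOSTS_DENY = "ALL: ALL\n"  # assumed deny-everything content

def assemble(fragments):
    """Concatenate fragments sorted by filename, like Ansible's assemble."""
    return "\n".join(fragments[name] for name in sorted(fragments))

def parse_rules(text):
    """Return (daemon_list, client_list) pairs from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.replace(",", " ").split()
                            for f in line.split(":")[:2])
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    try:  # single address, n.n.n.n/mm or n.n.n.n/m.m.m.m
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    except ValueError:
        return False  # hostnames, wildcards, EXCEPT: not modelled here

def matches(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)

def is_allowed(allow_text, deny_text, daemon, ip):
    """Allow match grants; otherwise a deny match refuses; otherwise grant."""
    if matches(parse_rules(allow_text), daemon, ip):
        return True
    return not matches(parse_rules(deny_text), daemon, ip)

def locked_out(controllers, daemon="sshd"):
    """Controller IPs that the assembled configuration would refuse."""
    allow = assemble(FRAGMENTS)
    return [ip for ip in controllers
            if not is_allowed(allow, HOSTS_DENY, daemon, ip)]
```

On a real host, tcpdmatch from the TCP Wrappers package answers the same question against the installed files.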

Example inventory

The debops.tcpwrappers role is included by default in the common.yml DebOps playbook. You don't need to configure anything in the inventory to enable it.

Example playbook

debops.tcpwrappers is designed to be used from a playbook or from another role as a role dependency. Here's an example configuration:

---

- name: Manage TCP Wrappers
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_tcpwrappers' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: tcpwrappers
      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]