debops.tcpwrappers default variables
Main configuration

tcpwrappers__enabled
Enable or disable configuration of tcpwrappers.
tcpwrappers__enabled: True

tcpwrappers__base_packages
List of base APT packages required by TCP Wrappers.
tcpwrappers__base_packages: [ 'libwrap0' ]

tcpwrappers__packages
List of additional APT packages to install with TCP Wrappers.
tcpwrappers__packages: []

tcpwrappers__ansible_controllers
Optional list of hosts, in CIDR notation, which will be allowed to connect to the sshd service. Entries are saved in the local facts on remote hosts. Remember to specify the IP address from the remote host's point of view. Format: "IP address/netmask", for example: 192.168.1.1/32.
Note: If you are also using the debops.ferm role (or the DebOps playbook), remember to set ferm__ansible_controllers as well. An easier way would be to use the debops.sshd role to configure the ssh service.
tcpwrappers__ansible_controllers: []

tcpwrappers__deny_all
By default debops.tcpwrappers will deny all connections using the /etc/hosts.deny file and only allow whitelisted connections in /etc/hosts.allow. Set this variable to False to disable that.
tcpwrappers__deny_all: True

tcpwrappers__divert_hosts_allow
Path of the diverted /etc/hosts.allow file. It will be merged with the rest of the generated configuration files using the Ansible assemble module.
Warning: do not change this variable while the role is enabled.
tcpwrappers__divert_hosts_allow: '/etc/hosts.allow.d/05_debian_hosts.allow'

TCP Wrappers allow lists

tcpwrappers__allow
List of allow rules for all hosts in the Ansible inventory. See tcpwrappers__allow for more details.
tcpwrappers__allow: []

tcpwrappers__group_allow
List of allow rules for hosts in a specific host group. See tcpwrappers__allow for more details.
tcpwrappers__group_allow: []

tcpwrappers__host_allow
List of allow rules for specific hosts in the inventory. See tcpwrappers__allow for more details.
tcpwrappers__host_allow: []

tcpwrappers__dependent_allow
List of allow rules specified by other Ansible roles as a dependency. See tcpwrappers__allow for more details.
tcpwrappers__dependent_allow: []

tcpwrappers__localhost_allow
By default allow unrestricted access from localhost.
tcpwrappers__localhost_allow:
  - daemon: 'ALL'
    client: [ '127.0.0.0/8', '::1/128' ]
    comment: 'Access from localhost'
    filename: 'allow_localhost'
    weight: '06'
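
The interaction between tcpwrappers__deny_all and the allow lists above, as an added example (not part of the DebOps role): a small Python evaluator that applies the hosts_access(5) decision order to rules in the dict format shown on this page. It assumes the role's /etc/hosts.deny entry is a catch-all, models only the ALL wildcard and IP/CIDR clients, and uses a constructed sshd rule for 192.0.2.0/24; the function names are hypothetical.

```python
import ipaddress

# Default localhost rule from this page, plus one constructed sshd rule
# (192.0.2.0/24 is a documentation range used here for illustration).
LOCALHOST_ALLOW = [{"daemon": "ALL", "client": ["127.0.0.0/8", "::1/128"]}]
SSHD_ALLOW = [{"daemon": "sshd", "client": ["192.0.2.0/24"]}]


def rule_matches(rule, daemon, addr):
    """True if a rule in the role's dict format covers (daemon, client address)."""
    daemons = rule["daemon"]
    if isinstance(daemons, str):
        daemons = [daemons]
    if "ALL" not in daemons and daemon not in daemons:
        return False
    ip = ipaddress.ip_address(addr)
    for client in rule["client"]:
        if client == "ALL":
            return True
        net = ipaddress.ip_network(client, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def access_granted(allow_rules, deny_all, daemon, addr):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny
    match denies, and a pair matched by neither file is granted."""
    if any(rule_matches(r, daemon, addr) for r in allow_rules):
        return True
    # Assumption: with deny_all enabled, hosts.deny matches every remaining pair.
    return not deny_all


def audit(allow_rules, deny_all, daemon, addrs):
    """Map each client address to the access decision for one daemon."""
    return {a: access_granted(allow_rules, deny_all, daemon, a) for a in addrs}


if __name__ == "__main__":
    rules = LOCALHOST_ALLOW + SSHD_ALLOW
    for deny_all in (True, False):
        print(deny_all, audit(rules, deny_all, "sshd",
                              ["127.0.0.1", "192.0.2.10", "203.0.113.5"]))
```

With deny_all set to False, a client that matches no allow rule is still granted access, so the allow lists restrict nothing unless the host carries its own hosts.deny entries.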