debops.tcpwrappers default variables

Main configuration

tcpwrappers__enabled

Enable or disable configuration of tcpwrappers.

tcpwrappers__enabled: True
tcpwrappers__base_packages

List of base APT packages required by TCP Wrappers.

tcpwrappers__base_packages: [ 'libwrap0' ]
tcpwrappers__packages

List of additional APT packages to install with TCP Wrappers.

tcpwrappers__packages: []
tcpwrappers__ansible_controllers

Optional list of CIDR hosts which will be allowed to connect to sshd service. Entries are saved in the local facts on remote hosts.

Remember to specify IP address from the remote host point of view. Format: "IP address/netmask", for example: 192.168.1.1/32.

Note: If you are using debop.ferm role too (or the DebOps playbook),

mind setting ferm__ansible_controllers. An easier way would be to use the debops.sshd role to configure ssh service.

tcpwrappers__ansible_controllers: []
tcpwrappers__deny_all

By default debops.tcpwrappers will deny all connections using /etc/hosts.deny file and only allow whitelisted connections in /etc/hosts.allow. Set this variable to False to disable that.

tcpwrappers__deny_all: True
tcpwrappers__divert_hosts_allow

Path of the diverted /etc/hosts.allow file. It will be merged with the rest of the generated configuration files using assemble ansible module. Warning: do not change this variable while the role is enabled.

tcpwrappers__divert_hosts_allow: '/etc/hosts.allow.d/05_debian_hosts.allow'

TCP Wrappers allow lists

tcpwrappers__allow

List of allow rules for all hosts in the Ansible inventory. See tcpwrappers__allow for more details.

tcpwrappers__allow: []
tcpwrappers__group_allow

List of allow rules for hosts in a specific host group. See tcpwrappers__allow for more details.

tcpwrappers__group_allow: []
tcpwrappers__host_allow

List of allow rules for specific hosts in the inventory. See tcpwrappers__allow for more details.

tcpwrappers__host_allow: []
tcpwrappers__dependent_allow

List of allow rules specified by other Ansible roles as a dependency. See tcpwrappers__allow for more details.

tcpwrappers__dependent_allow: []
tcpwrappers__localhost_allow

By default allow unrestricted access from localhost.

tcpwrappers__localhost_allow:
  - daemon: 'ALL'
    client: [ '127.0.0.0/8', '::1/128' ]
    comment: 'Access from localhost'
    filename: 'allow_localhost'
    weight: '06'