debops.tcpwrappers default variables
Main configuration
- tcpwrappers__enabled
Enable or disable configuration of tcpwrappers.
tcpwrappers__enabled: True
- tcpwrappers__base_packages
List of base APT packages required by TCP Wrappers.
tcpwrappers__base_packages: [ 'libwrap0' ]
- tcpwrappers__packages
List of additional APT packages to install with TCP Wrappers.
tcpwrappers__packages: []
- tcpwrappers__ansible_controllers
Optional list of hosts in CIDR notation which will be allowed to connect to the sshd service. Entries are saved in the local facts on remote hosts. Remember to specify the IP address from the remote host's point of view. Format: "IP address/netmask", for example: 192.168.1.1/32.
- Note: If you are also using the debops.ferm role (or the DebOps playbook), remember to set ferm__ansible_controllers. An easier way would be to use the debops.sshd role to configure the ssh service.
tcpwrappers__ansible_controllers: []
- tcpwrappers__deny_all
By default debops.tcpwrappers will deny all connections using the /etc/hosts.deny file and only allow whitelisted connections in /etc/hosts.allow. Set this variable to False to disable that.
tcpwrappers__deny_all: True
- tcpwrappers__divert_hosts_allow
Path of the diverted /etc/hosts.allow file. It will be merged with the rest of the generated configuration files using the Ansible assemble module.
Warning: do not change this variable while the role is enabled.
tcpwrappers__divert_hosts_allow: '/etc/hosts.allow.d/05_debian_hosts.allow'
TCP Wrappers allow lists
- tcpwrappers__allow
List of allow rules for all hosts in the Ansible inventory. See tcpwrappers__allow for more details.
tcpwrappers__allow: []
- tcpwrappers__group_allow
List of allow rules for hosts in a specific host group. See tcpwrappers__allow for more details.
tcpwrappers__group_allow: []
- tcpwrappers__host_allow
List of allow rules for specific hosts in the inventory. See tcpwrappers__allow for more details.
tcpwrappers__host_allow: []
- tcpwrappers__dependent_allow
List of allow rules specified by other Ansible roles as a dependency. See tcpwrappers__allow for more details.
tcpwrappers__dependent_allow: []
- tcpwrappers__localhost_allow
By default allow unrestricted access from localhost.
tcpwrappers__localhost_allow:
  - daemon: 'ALL'
    client: [ '127.0.0.0/8', '::1/128' ]
    comment: 'Access from localhost'
    filename: 'allow_localhost'
    weight: '06'
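The deny-by-default policy described under tcpwrappers__deny_all can be checked on a managed host with a short audit of the two files. This is an added example, not code from the debops.tcpwrappers role: it assumes the standard hosts_access(5) syntax ("daemons : clients") and that deny-all is expressed as "ALL: ALL" in /etc/hosts.deny. The function names and the sample file contents are constructed for illustration.

```python
import re

def parse_rules(text):
    """Parse hosts_access(5) lines of the form 'daemons : clients [: options]'."""
    rules = []
    # Join backslash-continued lines before splitting.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on ':' only outside [...], so bracketed IPv6 clients survive.
        fields = [f.strip() for f in re.split(r":(?![^\[]*\])", line)]
        if len(fields) < 2:
            continue
        rules.append((re.split(r"[\s,]+", fields[0]),
                      re.split(r"[\s,]+", fields[1])))
    return rules

def is_all(tokens):
    # 'ALL EXCEPT ...' is narrower than ALL, so it is not treated as a wildcard.
    return "ALL" in tokens and "EXCEPT" not in tokens

def audit(hosts_allow, hosts_deny):
    """Return findings that break a deny-by-default TCP Wrappers policy."""
    findings = []
    if not any(is_all(d) and is_all(c) for d, c in parse_rules(hosts_deny)):
        findings.append("hosts.deny: no 'ALL: ALL' rule, unmatched clients are allowed")
    for daemons, clients in parse_rules(hosts_allow):
        if is_all(clients):
            findings.append(f"hosts.allow: {','.join(daemons)} open to ALL clients")
    return findings

# Constructed sample files (not output captured from the role).
GOOD_ALLOW = """# Access from localhost
ALL: 127.0.0.0/8 [::1]/128
sshd: 192.168.1.1/32
"""
WEAK_ALLOW = GOOD_ALLOW + "sshd: ALL\n"
DENY_ALL = "ALL: ALL\n"

if __name__ == "__main__":
    for finding in audit(WEAK_ALLOW, "# empty\n"):
        print(finding)
```

On a real host, pass the contents of /etc/hosts.allow and /etc/hosts.deny to audit(); an empty list means every non-whitelisted client falls through to the deny rule.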