From c5e2ee3a3e5f9329ea65df64cf23ec52920bd9b0 Mon Sep 17 00:00:00 2001 From: Thomas Constans Date: Fri, 2 May 2025 17:14:02 +0200 Subject: [PATCH] make it worjk on debian 12, add firewall --- tasks/main.yml | 55 +++++++++++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index d828727..5d4bd80 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,24 +1,38 @@ --- # tasks file for rspamd - name: configure repo - get_url: - url: https://rspamd.com/rpm-stable/centos-7/rspamd.repo - dest: /etc/yum.repos.d/rspamd.repo + when: ansible_os_family == 'RedHat' + block: + - ansible.builtin.get_url: + url: https://rspamd.com/rpm-stable/centos-7/rspamd.repo + dest: /etc/yum.repos.d/rspamd.repo -- name: get repo gpg key - rpm_key: - key: https://rspamd.com/rpm-stable/gpg.key - state: present + - ansible.builtin.rpm_key: + key: https://rspamd.com/rpm-stable/gpg.key + state: present - name: install rspamd - yum: + ansible.builtin.package: state: present - name: - - rspamd - - redis + name: rspamd + +- name: open firewall port + when: use_ufw + community.general.ufw: + proto: tcp + port: "11332" + src: "{{ item.ip}}" + comment: "{{ item.comment }}" + rule: allow + loop: + - { ip: 163.172.96.97, comment: submarine } + - { ip: 80.67.185.27, comment: altc01 } + - { ip: 51.15.130.230, comment: mutine } + - { ip: 51.15.99.153, comment: celestine } + - { ip: 51.15.253.78, comment: cosine } - name: ensure rspamd listen everywhere - lineinfile: + ansible.builtin.lineinfile: create: true path: /etc/rspamd/local.d/proxy-normal.inc regex: "^bind_socket = localhost:11332" 
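Review bot: The new `open firewall port` task is the only control on who can reach TCP 11332, but it is skipped when `use_ufw` is false, while the `ensure rspamd listen everywhere` task below it runs unconditionally; judging by its name, the proxy socket is then reachable from any address on those hosts. The allow rules also only restrict access if ufw is already enabled with a default-deny incoming policy, which nothing in this hunk ensures, so either add a task that sets `state: enabled` with `policy: deny` and `direction: incoming` (after allowing management access) or document that another role owns it. If the role defines no default for `use_ufw` (not visible here), the condition errors on an undefined variable; `when: use_ufw | default(false) | bool` avoids that. The five source addresses would be easier to audit and override as a role variable than as literals in the `loop`. The `lineinfile` task at the end of the hunk continues outside it.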
@@ -26,19 +40,14 @@ notify: restart rspamd - name: binding rspamd to redis - template: - dest: /etc/rspamd/local.d/redis.conf - content: | - read_servers = "127.0.0.1,10.0.0.1"; - write_servers = "127.0.0.1"; + ansible.builtin.lineinfile: + create: true + path: /etc/rspamd/local.d/redis.conf + line: 'servers: "127.0.0.1"' notify: restart rspamd - name: start service - service: - name: "{{ item }}" + ansible.builtin.service: + name: rspamd state: started enabled: true - loop: - - redis - - rspamd -
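Review bot: The role no longer installs or starts Redis (dropped from the package list in the first hunk and from the service loop here), yet `redis.conf` still points rspamd at `127.0.0.1`. Unless another role provides a local Redis, rspamd's Redis-backed features will have no backend on a fresh host, so state that dependency in the role's documentation or keep the Redis tasks behind a condition. The `lineinfile` task also creates the file with no `mode`, so its permissions depend on the umask, and it only guarantees that one line is present, leaving any older `read_servers`/`write_servers` lines in place. Adding `mode: "0644"`, or managing the whole file with `ansible.builtin.copy` and `content:`, would make the result deterministic.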