Update MC role to support allowed IPs

theandrew168 · Feb 10, 2024 · 9aa7469 · 9aa7469
1 parent 1c2ef37
commit 9aa7469
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/group_vars/minecraft.yml b/group_vars/minecraft.yml
@@ -26,8 +26,33 @@ minecraft_config: |
 
 minecraft_users: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  34363030643366343235346334333233386139383432653432663662646636343633666136313561
-  6364336139356562353635316661313632353531393566360a323165623733306339636532616264
-  30656334326466633232633262386439346230653466303962393538306137373430366162643739
-  3361643666663230630a393336643963323261656133363261663464653464386563323961363062
-  6438
+  32346430373261363766613536303262306633343536646634333536643731653236363039336637
+  3332333035623031336366623339633233373832643834660a653634633262373463396664366432
+  30666139326131663138363666303936393430653132376134393834363230333439376264313033
+  6333386534613162620a623135363432396561353262373938333466363764633563663861653936
+  65613462333232663561633565656331343339303538633937653334663730373264303263313532
+  36303466353765666532306662383034663033636565353261303962373736323438313936363066
+  313861343266363234353132366434373965
+
+minecraft_allowed_ips:
+  - !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    38663466373739323238376336393764626538623061366262303165306435396662303765353666
+    6631616331613933613966316532353736613139376334300a396438353934636639373738366437
+    38653136656239353437313836343432393039373936333533643863373765656430623435396434
+    3134636435383334660a343866363634353133323963303732303434363139653939656162653437
+    6265
+  - !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    34623537353539666166613137353666663433663130336634393763353731343466383436346266
+    3464663536613564656562313936326332646634666363370a376462643137646461343033396532
+    64643761386565623133323936633539323439303739636634353235363038636437326338616231
+    6363366433353933630a663261653461386565373466353666663539393737376634666332646261
+    6431
+  - !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    32353739666335633365373961363034383535636130396563373565393364643830326236333036
+    6364383533376630386662383734363566646632393465370a623161306166333138636633386164
+    64323235353362633066376365666533386331363134383537326364323630346366326633636565
+    3037333331643533330a643934616135313636626630393331643865326563663161623538326635
+    3237
diff --git a/roles/minecraft/README.md b/roles/minecraft/README.md
@@ -12,3 +12,4 @@ Beta 1.7.3 server.properties [reference](https://old.reddit.com/r/GoldenAgeMinec
 | `minecraft_jvm_opts` | `~` | Minecraft server JVM options |
 | `minecraft_config` | `~` | Config file contents (server.properties) |
 | `minecraft_users` | `~` | Allowed users (by Mojang/Microsoft username) |
+| `minecraft_allowed_ips` | `[]` | Allowed IP addresses / ranges (allow all if empty) |
diff --git a/roles/minecraft/defaults/main.yml b/roles/minecraft/defaults/main.yml
@@ -17,3 +17,6 @@ minecraft_config: ~
 
 # Allowed users (by Mojang/Microsoft username)
 minecraft_users: ~
+
+# Allowed IP addresses / ranges (allow all if empty)
+minecraft_allowed_ips: []
diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml
@@ -57,12 +57,23 @@
   become: yes
   become_user: root
 
-# Without this, no connections will be allowed since all ports are closed by default.
-- name: Limit login attempts
+- name: Limit login attempts (all IP addresses)
   ufw:
     rule: limit
     port: "25565"
     proto: tcp
+  when: not minecraft_allowed_ips
+  become: yes
+  become_user: root
+
+- name: Limit login attempts (allowed IP addresses)
+  ufw:
+    rule: limit
+    src: "{{ item }}"
+    port: "25565"
+    proto: tcp
+  with_items: "{{ minecraft_allowed_ips }}"
+  no_log: yes
   become: yes
   become_user: root