more flexible iptables handling

Robert Kaussow 2019-02-13 00:10:26 +01:00
parent a3cc643adf
commit f62f155237
2 changed files with 20 additions and 3 deletions


@ -11,7 +11,19 @@ cups_listen_address: print.example.org
cups_log_level: warn
cups_server_admin: admin@example.com
cups_iptables_enabled: False
cups_open_ports:
- name: allow_cups_ipp
rules: |
-A INPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
state: present
- name: allow_cups_dnssd
rules: |
-A OUTPUT -m state --state NEW -p tcp --dport 5353 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 5353 -j ACCEPT
state: present
cups_tls_cert_source: mycert.pem
cups_tls_key_source: mykey.pem
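Review bot: The default `allow_cups_ipp` entry hard-codes `--dport 631` and accepts new connections from any source, whereas the rule this commit removes from the task file derived the port from `cups_nginx_proxy_url`. If the proxy is configured on another port, the default firewall rule no longer follows it, and 631 is opened regardless. Consider building the default from the same variable, or add a comment above `cups_open_ports` saying the ports must be kept in sync with `cups_nginx_proxy_url`. Where the print clients are known, a source restriction such as `-s <client-subnet>` on the INPUT rule would narrow the exposure.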


@ -30,9 +30,14 @@
- name: Open ports in iptables
iptables_raw:
name: allow_cups
state: present
rules: '-A INPUT -m state --state NEW -p tcp --dport {{ cups_nginx_proxy_url.split(":")[1] }} -j ACCEPT'
name: "{{ item.name }}"
rules: "{{ item.rules }}"
state: "{{ item.state }}"
weight: "{{ item.weight | default(omit) }}"
table: "{{ item.table | default(omit) }}"
loop: "{{ cups_open_ports }}"
loop_control:
label: "{{ item.name }}"
when: cups_iptables_enabled
become: True
become_user: root
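Review bot: Renaming the rule from the fixed `allow_cups` to `{{ item.name }}` leaves nothing that removes the old entry, so hosts provisioned before this change will most likely keep the previous INPUT accept rule, because iptables_raw tracks rules by name. A one-off task with `name: allow_cups` and `state: absent` would clean it up. Separately, `state: "{{ item.state }}"` has no fallback while `weight` and `table` do, so a `cups_open_ports` entry without `state` fails on an undefined attribute; `state: "{{ item.state | default('present') }}"` avoids that. The task file continues outside the hunk.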