diff --git a/.later.yml b/.later.yml deleted file mode 100644 index 2703cb9..0000000 --- a/.later.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -ansible: - custom_modules: - - iptables_raw - - openssl_pkcs12 - - proxmox_kvm - - ucr - - corenetworks_dns - - corenetworks_token - -rules: - exclude_files: - - "LICENSE*" - - "**/*.md" - - "**/*.ini" diff --git a/.woodpecker/docs.yaml b/.woodpecker/docs.yaml index f053ca8..857444b 100644 --- a/.woodpecker/docs.yaml +++ b/.woodpecker/docs.yaml @@ -9,11 +9,11 @@ steps: - name: generate image: quay.io/thegeeklab/ansible-doctor environment: - ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/ - ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true" - ANSIBLE_DOCTOR_LOG_LEVEL: INFO - ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME} - ANSIBLE_DOCTOR_TEMPLATE: readme + ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']" + ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE: "true" + ANSIBLE_DOCTOR_LOGGING__LEVEL: info + ANSIBLE_DOCTOR_ROLE__NAME: ${CI_REPO_NAME} + ANSIBLE_DOCTOR_TEMPLATE__NAME: readme - name: format image: quay.io/thegeeklab/alpine-tools diff --git a/.woodpecker/lint.yaml b/.woodpecker/lint.yaml index 36b1ec8..c48a8e4 100644 --- a/.woodpecker/lint.yaml +++ b/.woodpecker/lint.yaml @@ -6,10 +6,10 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - - name: ansible-later - image: quay.io/thegeeklab/ansible-later:4 + - name: ansible-lint + image: quay.io/thegeeklab/ansible-dev-tools:1 commands: - - ansible-later + - ansible-lint environment: FORCE_COLOR: "1" diff --git a/.woodpecker/test.yaml b/.woodpecker/test.yaml index 256ad91..661dc8b 100644 --- a/.woodpecker/test.yaml +++ b/.woodpecker/test.yaml @@ -7,7 +7,7 @@ when: variables: - &molecule_base - image: quay.io/thegeeklab/molecule:6 + image: quay.io/thegeeklab/ansible-dev-tools:1 group: molecule environment: PY_COLORS: "1" diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..df1d39e --- /dev/null +++ b/.yamllint 
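Review bot: The `generate` step still pulls `quay.io/thegeeklab/ansible-doctor` with no tag, so the docs build floats on `latest`; the environment-variable renames in this hunk (`ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE`, `ANSIBLE_DOCTOR_LOGGING__LEVEL`, `ANSIBLE_DOCTOR_TEMPLATE__NAME`) are exactly the kind of config-schema change an untagged image introduces silently on the next run. Pinning the image the way the other images in this commit are (`image: quay.io/thegeeklab/ansible-doctor:<major-tag>`), or better to a digest, makes the step reproducible; the untagged `alpine-tools` image in the context line below has the same exposure. `ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']"` encodes a list as a quoted Python-style literal, which presumably is what the tool now expects; a comment such as `# list-valued option: must be passed as a quoted Python-style list` would stop a later reader from "simplifying" the quoting back to `molecule/`.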
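Review bot: Replacing ansible-later with ansible-lint drops the configuration carried by the deleted `.later.yml` (the `exclude_files` globs and the `custom_modules` list) without an ansible-lint equivalent appearing in this diff; if those exclusions are still wanted they belong in an `.ansible-lint` file (`exclude_paths:`), which may exist outside this change. The new `quay.io/thegeeklab/ansible-dev-tools:1` reference, also used for molecule in `.woodpecker/test.yaml`, is a floating major tag, so the rule set and bundled tool versions can change between pipeline runs without a commit; pinning to a digest or at least a minor tag keeps lint results reproducible. `ansible-lint` is run with no arguments, so it relies on auto-detection of the repository as a role; a comment on the `commands:` entry stating that assumption would help the next maintainer.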
@@ -0,0 +1,20 @@ +--- +extends: default + +rules: + truthy: + allowed-values: ["True", "False"] + comments: + min-spaces-from-content: 1 + comments-indentation: False + line-length: disable + braces: + min-spaces-inside: 0 + max-spaces-inside: 1 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 0 + indentation: enable + octal-values: + forbid-implicit-octal: True + forbid-explicit-octal: True diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ab79b9f..37d75f9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -4,11 +4,11 @@ driver: dependency: name: galaxy options: - role-file: molecule/requirements.yml - requirements-file: molecule/requirements.yml + role-file: requirements.yml + requirements-file: requirements.yml platforms: - name: "rocky9-firewalld" - server_type: "CX22" + server_type: "cx22" image: "rocky-9" provisioner: name: ansible diff --git a/molecule/requirements.yml b/requirements.yml similarity index 100% rename from molecule/requirements.yml rename to requirements.yml diff --git a/tasks/firewalld.yml b/tasks/firewalld.yml new file mode 100644 index 0000000..2f774cd --- /dev/null +++ b/tasks/firewalld.yml 
@@ -0,0 +1,104 @@ +--- +- name: Install packages + ansible.builtin.package: + name: "{{ item }}" + loop: + - firewalld + - python3-firewall + +- name: Configure firewalld + ansible.builtin.template: + src: etc/firewalld/firewalld.conf.j2 + dest: /etc/firewalld/firewalld.conf + mode: "0644" + notify: __firewalld_reload + +- name: Configure firewalld ipsets + ansible.builtin.template: + src: etc/firewalld/ipsets/ipset.xml.j2 + dest: /etc/firewalld/ipsets/{{ item.name }}.xml + mode: "0640" + loop: "{{ __firewalld_ipsets }}" + loop_control: + label: "{{ item.name }}" + notify: __firewalld_reload + +- name: Register active ipsets + ansible.builtin.find: + paths: /etc/firewalld/ipsets + file_type: file + patterns: "*.xml" + register: __firewalld_ipsets_active + changed_when: False + failed_when: False + +- name: Remove unmanaged ipsets + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list) + +- name: Configure firewalld services + ansible.builtin.template: + src: etc/firewalld/services/service.xml.j2 + dest: /etc/firewalld/services/{{ item.name }}.xml + mode: "0640" + loop: "{{ __firewalld_services }}" + loop_control: + label: "{{ item.name }}" + notify: __firewalld_reload + +- name: Register active services + ansible.builtin.find: + paths: /etc/firewalld/services + file_type: file + patterns: "*.xml" + register: __firewalld_services_active + changed_when: False + failed_when: False + +- name: Remove unmanaged services + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list) + +- name: Configure firewalld zones + ansible.builtin.template: + 
src: etc/firewalld/zones/zone.xml.j2 + dest: /etc/firewalld/zones/{{ item.name }}.xml + mode: "0640" + loop: "{{ __firewalld_zones }}" + loop_control: + label: "{{ item.name }}" + when: item.name not in firewalld_zones_unmanaged + notify: __firewalld_reload + +- name: Register active zones + ansible.builtin.find: + paths: /etc/firewalld/zones + file_type: file + patterns: "*.xml" + register: __firewalld_zones_active + changed_when: False + failed_when: False + +- name: Remove unmanaged zones + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: + - (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list) + - (item | basename | splitext | first) not in firewalld_zones_unmanaged + +- name: Validate deployed configuration + ansible.builtin.command: firewall-offline-cmd --check-config + register: __firewalld_check + changed_when: False + failed_when: __firewalld_check.rc != 0 diff --git a/tasks/main.yml b/tasks/main.yml index fbc366b..699b5c1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
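Review bot: `Validate deployed configuration` runs `firewall-offline-cmd --check-config` only after every template and removal task has already written to `/etc/firewalld`, so a failing check aborts the play with the rejected files left in place, and the already-notified `__firewalld_reload` handler would still run against that config if `force_handlers` is in effect. Adding `backup: true` to the four `ansible.builtin.template` tasks keeps the previous version of each file alongside it, which gives operators something to roll back to when the check fails. `Remove unmanaged ipsets` and `Remove unmanaged services` delete every `*.xml` under those directories that is not declared in `__firewalld_ipsets` / `__firewalld_services`, with no allowlist comparable to `firewalld_zones_unmanaged` for zones; a header comment such as `# Any ipset/service XML not declared in this role's variables is removed on every run` makes that contract explicit for anyone who drops files in by hand. The `find` tasks use `failed_when: False`, which also hides permission errors; the follow-on loops then presumably see an empty `files` list rather than an undefined variable, but that depends on the module's behaviour on failure and is worth confirming.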
@@ -1,109 +1,7 @@ --- -- when: firewalld_enabled | bool - block: - - name: Install packages - ansible.builtin.package: - name: "{{ item }}" - loop: - - firewalld - - python3-firewall - - - name: Configure firewalld - ansible.builtin.template: - src: etc/firewalld/firewalld.conf.j2 - dest: /etc/firewalld/firewalld.conf - mode: "0644" - notify: __firewalld_reload - - - name: Configure firewalld ipsets - ansible.builtin.template: - src: etc/firewalld/ipsets/ipset.xml.j2 - dest: /etc/firewalld/ipsets/{{ item.name }}.xml - mode: "0640" - loop: "{{ __firewalld_ipsets }}" - loop_control: - label: "{{ item.name }}" - notify: __firewalld_reload - - - name: Register active ipsets - ansible.builtin.find: - paths: /etc/firewalld/ipsets - file_type: file - patterns: "*.xml" - register: __firewalld_ipsets_active - changed_when: False - failed_when: False - - - name: Remove unmanaged ipsets - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list) - - - name: Configure firewalld services - ansible.builtin.template: - src: etc/firewalld/services/service.xml.j2 - dest: /etc/firewalld/services/{{ item.name }}.xml - mode: "0640" - loop: "{{ __firewalld_services }}" - loop_control: - label: "{{ item.name }}" - notify: __firewalld_reload - - - name: Register active services - ansible.builtin.find: - paths: /etc/firewalld/services - file_type: file - patterns: "*.xml" - register: __firewalld_services_active - changed_when: False - failed_when: False - - - name: Remove unmanaged services - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list) - - - name: 
Configure firewalld zones - ansible.builtin.template: - src: etc/firewalld/zones/zone.xml.j2 - dest: /etc/firewalld/zones/{{ item.name }}.xml - mode: "0640" - loop: "{{ __firewalld_zones }}" - loop_control: - label: "{{ item.name }}" - when: item.name not in firewalld_zones_unmanaged - notify: __firewalld_reload - - - name: Register active zones - ansible.builtin.find: - paths: /etc/firewalld/zones - file_type: file - patterns: "*.xml" - register: __firewalld_zones_active - changed_when: False - failed_when: False - - - name: Remove unmanaged zones - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: - - (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list) - - (item | basename | splitext | first) not in firewalld_zones_unmanaged - - - name: Validate deployed configuration - ansible.builtin.command: firewall-offline-cmd --check-config - register: __firewalld_check - changed_when: False - failed_when: __firewalld_check.rc != 0 +- name: Configure firewalld + ansible.builtin.include_tasks: firewalld.yml + when: firewalld_enabled | bool - name: Ensure service has expected state ansible.builtin.service:
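Review bot: `ansible.builtin.include_tasks` is a dynamic include, so tags placed on the `Configure firewalld` task do not propagate to the tasks in `firewalld.yml` unless `apply:` is added, and those tasks no longer appear in `--list-tasks`; the former `block:` form gave both. If tag selection matters for this role, `ansible.builtin.import_tasks: firewalld.yml` preserves it, at the cost of `when: firewalld_enabled | bool` being evaluated per imported task and reported as a skip for each. Either way a one-line comment on the include, `# dynamic include: firewalld.yml is skipped as a whole when firewalld_enabled is false`, records why include_tasks was chosen. The `Ensure service has expected state` task continues outside the hunk.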