From 0f2c09d9e16ff56dc80cc053edd1ab8dc97b16d5 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Wed, 12 Oct 2022 09:59:13 +0200
Subject: [PATCH] feat: add extra vars for ipsets, services and zones
---
 defaults/main.yml | 3 ++
 tasks/main.yml | 111 +++++++++++++++++++++++++++++++++++++++++++++-
 tasks/setup.yml | 111 ----------------------------------------------
 vars/main.yml | 4 ++
 4 files changed, 117 insertions(+), 112 deletions(-)
 delete mode 100644 tasks/setup.yml
 create mode 100644 vars/main.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index bac8b2e..4e57028 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,8 +15,10 @@ firewalld_allow_zone_drifting: False
 # - 192.168.2.2
 # @end
 firewalld_ipsets: []
+firewalld_ipsets_extra: []
 firewalld_services: []
+firewalld_services_extra: []
 # @var firewalld_zones:example: >
 # firewalld_zones:
@@ -90,3 +92,4 @@ firewalld_zones:
 - name: ssh
 - name: dhcpv6-client
 - name: cockpit
+firewalld_zones_extra: []
diff --git a/tasks/main.yml b/tasks/main.yml
index 1f69f7a..928d1e4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
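Review bot: The three new `*_extra` lists in defaults/main.yml are added without the `# @var ... @end` documentation annotations that the neighbouring variables carry (the `# @end` closing the block above `firewalld_ipsets`, the `# @var firewalld_zones:example:` block right below `firewalld_services_extra`), so whatever renders those annotations will not describe them or their relationship to the base lists. A one-line annotation above each, in the same form the rest of the file uses, e.g. `# @var firewalld_ipsets_extra:description: Additional ipsets appended to firewalld_ipsets, meant for group/host vars that extend rather than replace the base list.`, with the matching text for `firewalld_services_extra` and `firewalld_zones_extra`, would document the purpose the commit title implies. The annotation grammar is inferred from the visible `@var`/`@end` markers; confirm it against the rest of the file.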
@@ -1,2 +1,111 @@
 ---
-- include_tasks: setup.yml
+- block:
+ - name: Install packages
+ package:
+ name: "{{ item }}"
+ loop:
+ - firewalld
+ - python3-firewall
+
+ - name: Configure firewalld
+ template:
+ src: etc/firewalld/firewalld.conf.j2
+ dest: /etc/firewalld/firewalld.conf
+ mode: 0644
+ notify: __firewalld_reload
+
+ - name: Configure firewalld ipsets
+ template:
+ src: etc/firewalld/ipsets/ipset.xml.j2
+ dest: /etc/firewalld/ipsets/{{ item.name }}.xml
+ mode: 0640
+ loop: "{{ __firewalld_ipsets }}"
+ loop_control:
+ label: "{{ item.name }}"
+ notify: __firewalld_reload
+
+ - name: Register active ipsets
+ find:
+ paths: /etc/firewalld/ipsets
+ file_type: file
+ patterns: "*.xml"
+ register: __firewalld_ipsets_active
+ changed_when: False
+ failed_when: False
+
+ - name: Remove unmanaged ipsets
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
+ notify: __firewalld_reload
+ when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
+
+ - name: Configure firewalld services
+ template:
+ src: etc/firewalld/services/service.xml.j2
+ dest: /etc/firewalld/services/{{ item.name }}.xml
+ mode: 0640
+ loop: "{{ __firewalld_services }}"
+ loop_control:
+ label: "{{ item.name }}"
+ notify: __firewalld_reload
+
+ - name: Register active services
+ find:
+ paths: /etc/firewalld/services
+ file_type: file
+ patterns: "*.xml"
+ register: __firewalld_services_active
+ changed_when: False
+ failed_when: False
+
+ - name: Remove unmanaged services
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
+ notify: __firewalld_reload
+ when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
+
+ - name: Configure firewalld zones
+ template:
+ src: etc/firewalld/zones/zone.xml.j2
+ dest: /etc/firewalld/zones/{{ item.name }}.xml
+ mode: 0640
+ loop: "{{ __firewalld_zones }}"
+ loop_control:
+ label: "{{ item.name }}"
+ notify: __firewalld_reload
+
+ - name: Register active zones
+ find:
+ paths: /etc/firewalld/zones
+ file_type: file
+ patterns: "*.xml"
+ register: __firewalld_zones_active
+ changed_when: False
+ failed_when: False
+
+ - name: Remove unmanaged zones
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
+ notify: __firewalld_reload
+ when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
+
+ - name: Validate deployed configuration
+ command: firewall-offline-cmd --check-config
+ register: __firewalld_check
+ changed_when: False
+ failed_when: __firewalld_check.rc != 0
+
+ - name: Ensure service is up and running
+ service:
+ name: firewalld
+ daemon_reload: True
+ enabled: True
+ state: started
+ become: True
+ become_user: root
diff --git a/tasks/setup.yml b/tasks/setup.yml
deleted file mode 100644
index 074067f..0000000
--- a/tasks/setup.yml
+++ /dev/null
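Review bot: The file modes in the `Configure firewalld` task (`mode: 0644`) and the three `mode: 0640` lines in the ipsets, services and zones template tasks are unquoted octal literals, which a YAML 1.1 loader reads as the integers 420 and 416; Ansible happens to accept those as the intended permissions because its loader follows 1.1 octal rules, but the result is loader-dependent and ansible-lint's `risky-octal` rule flags exactly this. Quote them as `mode: "0644"` and `mode: "0640"` so the permissions of the firewall configuration files are stated unambiguously. As a point of style, `changed_when: False`, `failed_when: False`, `daemon_reload: True`, `enabled: True` and `become: True` would read more consistently as lowercase `false`/`true`, and `failed_when: __firewalld_check.rc != 0` on the validate task restates the `command` module's default failure condition and can be dropped.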
@@ -1,111 +0,0 @@
----
-- block:
- - name: Install packages
- package:
- name: "{{ item }}"
- loop:
- - firewalld
- - python3-firewall
-
- - name: Configure firewalld
- template:
- src: etc/firewalld/firewalld.conf.j2
- dest: /etc/firewalld/firewalld.conf
- mode: 0644
- notify: __firewalld_reload
-
- - name: Configure firewalld ipsets
- template:
- src: etc/firewalld/ipsets/ipset.xml.j2
- dest: /etc/firewalld/ipsets/{{ item.name }}.xml
- mode: 0640
- loop: "{{ firewalld_ipsets }}"
- loop_control:
- label: "{{ item.name }}"
- notify: __firewalld_reload
-
- - name: Register active ipsets
- find:
- paths: /etc/firewalld/ipsets
- file_type: file
- patterns: "*.xml"
- register: __firewalld_ipsets_active
- changed_when: False
- failed_when: False
-
- - name: Remove unmanaged ipsets
- file:
- path: "{{ item }}"
- state: absent
- loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
- notify: __firewalld_reload
- when: (item | basename | splitext | first) not in (firewalld_ipsets | map(attribute='name') | list)
-
- - name: Configure firewalld services
- template:
- src: etc/firewalld/services/service.xml.j2
- dest: /etc/firewalld/services/{{ item.name }}.xml
- mode: 0640
- loop: "{{ firewalld_services }}"
- loop_control:
- label: "{{ item.name }}"
- notify: __firewalld_reload
-
- - name: Register active services
- find:
- paths: /etc/firewalld/services
- file_type: file
- patterns: "*.xml"
- register: __firewalld_services_active
- changed_when: False
- failed_when: False
-
- - name: Remove unmanaged services
- file:
- path: "{{ item }}"
- state: absent
- loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
- notify: __firewalld_reload
- when: (item | basename | splitext | first) not in (firewalld_services | map(attribute='name') | list)
-
- - name: Configure firewalld zones
- template:
- src: etc/firewalld/zones/zone.xml.j2
- dest: /etc/firewalld/zones/{{ item.name }}.xml
- mode: 0640
- loop: "{{ firewalld_zones }}"
- loop_control:
- label: "{{ item.name }}"
- notify: __firewalld_reload
-
- - name: Register active zones
- find:
- paths: /etc/firewalld/zones
- file_type: file
- patterns: "*.xml"
- register: __firewalld_zones_active
- changed_when: False
- failed_when: False
-
- - name: Remove unmanaged zones
- file:
- path: "{{ item }}"
- state: absent
- loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
- notify: __firewalld_reload
- when: (item | basename | splitext | first) not in (firewalld_zones | map(attribute='name') | list)
-
- - name: Validate deployed configuration
- command: firewall-offline-cmd --check-config
- register: __firewalld_check
- changed_when: False
- failed_when: __firewalld_check.rc != 0
-
- - name: Ensure service is up and running
- service:
- name: firewalld
- daemon_reload: True
- enabled: True
- state: started
- become: True
- become_user: root
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..2140939
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+---
+__firewalld_ipsets: "{{ firewalld_ipsets + firewalld_ipsets_extra }}"
+__firewalld_services: "{{ firewalld_services + firewalld_services_extra }}"
+__firewalld_zones: "{{ firewalld_zones + firewalld_zones_extra }}"
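Review bot: The new vars/main.yml defines the three `__firewalld_*` variables with no comment saying why they live in `vars/` rather than `defaults/` or what the `__` prefix signals; a header such as `# Role-internal merged lists (role vars take precedence over inventory): the public default lists plus their *_extra counterparts, consumed by tasks/main.yml.` would make that self-explaining. The `+` concatenation also assumes both operands are lists; if a caller clears one of the `*_extra` variables with a bare key (`firewalld_ipsets_extra:`) it becomes null and the expression will most likely fail at the first task that loops over `__firewalld_ipsets`, so if that is meant to be supported, `(firewalld_ipsets_extra | default([], true))` in each expression would be needed. The tasks/setup.yml hunk above is a pure deletion of the old copy of tasks/main.yml and needs no separate review.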