feat: add extra vars for ipsets, services and zones
parent
20363788ee
commit
0f2c09d9e1
@ -15,8 +15,10 @@ firewalld_allow_zone_drifting: False
|
||||
# - 192.168.2.2
|
||||
# @end
|
||||
firewalld_ipsets: []
|
||||
firewalld_ipsets_extra: []
|
||||
|
||||
firewalld_services: []
|
||||
firewalld_services_extra: []
|
||||
|
||||
# @var firewalld_zones:example: >
|
||||
# firewalld_zones:
|
||||
@ -90,3 +92,4 @@ firewalld_zones:
|
||||
- name: ssh
|
||||
- name: dhcpv6-client
|
||||
- name: cockpit
|
||||
firewalld_zones_extra: []
|
||||
|
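--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,111 @@
 ---
-- include_tasks: setup.yml
+- block:
+- name: Install packages
+package:
+name: "{{ item }}"
+loop:
+- firewalld
+- python3-firewall
+
+- name: Configure firewalld
+template:
+src: etc/firewalld/firewalld.conf.j2
+dest: /etc/firewalld/firewalld.conf
+mode: 0644
+notify: __firewalld_reload
+
+- name: Configure firewalld ipsets
+template:
+src: etc/firewalld/ipsets/ipset.xml.j2
+dest: /etc/firewalld/ipsets/{{ item.name }}.xml
+mode: 0640
+loop: "{{ __firewalld_ipsets }}"
+loop_control:
+label: "{{ item.name }}"
+notify: __firewalld_reload
+
+- name: Register active ipsets
+find:
+paths: /etc/firewalld/ipsets
+file_type: file
+patterns: "*.xml"
+register: __firewalld_ipsets_active
+changed_when: False
+failed_when: False
+
+- name: Remove unmanaged ipsets
+file:
+path: "{{ item }}"
+state: absent
+loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
+notify: __firewalld_reload
+when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
+
+- name: Configure firewalld services
+template:
+src: etc/firewalld/services/service.xml.j2
+dest: /etc/firewalld/services/{{ item.name }}.xml
+mode: 0640
+loop: "{{ __firewalld_services }}"
+loop_control:
+label: "{{ item.name }}"
+notify: __firewalld_reload
+
+- name: Register active services
+find:
+paths: /etc/firewalld/services
+file_type: file
+patterns: "*.xml"
+register: __firewalld_services_active
+changed_when: False
+failed_when: False
+
+- name: Remove unmanaged services
+file:
+path: "{{ item }}"
+state: absent
+loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
+notify: __firewalld_reload
+when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
+
+- name: Configure firewalld zones
+template:
+src: etc/firewalld/zones/zone.xml.j2
+dest: /etc/firewalld/zones/{{ item.name }}.xml
+mode: 0640
+loop: "{{ __firewalld_zones }}"
+loop_control:
+label: "{{ item.name }}"
+notify: __firewalld_reload
+
+- name: Register active zones
+find:
+paths: /etc/firewalld/zones
+file_type: file
+patterns: "*.xml"
+register: __firewalld_zones_active
+changed_when: False
+failed_when: False
+
+- name: Remove unmanaged zones
+file:
+path: "{{ item }}"
+state: absent
+loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
+notify: __firewalld_reload
+when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
+
+- name: Validate deployed configuration
+command: firewall-offline-cmd --check-config
+register: __firewalld_check
+changed_when: False
+failed_when: __firewalld_check.rc != 0
+
+- name: Ensure service is up and running
+service:
+name: firewalld
+daemon_reload: True
+enabled: True
+state: started
+become: True
+become_user: root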
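Review bot: A name that appears in both `firewalld_zones` and `firewalld_zones_extra` (likewise for ipsets and services) is never rejected: `__firewalld_zones` in vars/main.yml is a plain list concatenation, so the "Configure firewalld zones" template task renders the same `/etc/firewalld/zones/{{ item.name }}.xml` twice and the later entry silently replaces the earlier zone's rules, while the "Remove unmanaged zones" check still treats the name as managed. A uniqueness assert placed before "Configure firewalld ipsets" would turn that collision into a hard failure instead of a silent override of a zone or service definition. Whether the `_extra` lists are meant to override base entries is not stated anywhere in the hunk; if override is the intent, the loops should de-duplicate by name explicitly rather than rely on loop order. As a style aside, `changed_when: False` / `enabled: True` would be `false` / `true`, and the file modes are safer quoted (`mode: "0640"`), matching yamllint's truthy and octal checks.
```yaml
# … unchanged: - block: / Install packages / Configure firewalld …
- name: Ensure names are unique across base and _extra lists
  assert:
    that: (item.entries | map(attribute='name') | list | unique | length) == (item.entries | length)
    fail_msg: "duplicate name in {{ item.kind }}: base and _extra lists overlap"
  loop:
    - kind: ipsets
      entries: "{{ __firewalld_ipsets }}"
    - kind: services
      entries: "{{ __firewalld_services }}"
    - kind: zones
      entries: "{{ __firewalld_zones }}"
  loop_control:
    label: "{{ item.kind }}"
# … unchanged: Configure firewalld ipsets and the remaining tasks …
```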
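--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@@ -1,111 +0,0 @@
----
-- block:
-- name: Install packages
-package:
-name: "{{ item }}"
-loop:
-- firewalld
-- python3-firewall
-
-- name: Configure firewalld
-template:
-src: etc/firewalld/firewalld.conf.j2
-dest: /etc/firewalld/firewalld.conf
-mode: 0644
-notify: __firewalld_reload
-
-- name: Configure firewalld ipsets
-template:
-src: etc/firewalld/ipsets/ipset.xml.j2
-dest: /etc/firewalld/ipsets/{{ item.name }}.xml
-mode: 0640
-loop: "{{ firewalld_ipsets }}"
-loop_control:
-label: "{{ item.name }}"
-notify: __firewalld_reload
-
-- name: Register active ipsets
-find:
-paths: /etc/firewalld/ipsets
-file_type: file
-patterns: "*.xml"
-register: __firewalld_ipsets_active
-changed_when: False
-failed_when: False
-
-- name: Remove unmanaged ipsets
-file:
-path: "{{ item }}"
-state: absent
-loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
-notify: __firewalld_reload
-when: (item | basename | splitext | first) not in (firewalld_ipsets | map(attribute='name') | list)
-
-- name: Configure firewalld services
-template:
-src: etc/firewalld/services/service.xml.j2
-dest: /etc/firewalld/services/{{ item.name }}.xml
-mode: 0640
-loop: "{{ firewalld_services }}"
-loop_control:
-label: "{{ item.name }}"
-notify: __firewalld_reload
-
-- name: Register active services
-find:
-paths: /etc/firewalld/services
-file_type: file
-patterns: "*.xml"
-register: __firewalld_services_active
-changed_when: False
-failed_when: False
-
-- name: Remove unmanaged services
-file:
-path: "{{ item }}"
-state: absent
-loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
-notify: __firewalld_reload
-when: (item | basename | splitext | first) not in (firewalld_services | map(attribute='name') | list)
-
-- name: Configure firewalld zones
-template:
-src: etc/firewalld/zones/zone.xml.j2
-dest: /etc/firewalld/zones/{{ item.name }}.xml
-mode: 0640
-loop: "{{ firewalld_zones }}"
-loop_control:
-label: "{{ item.name }}"
-notify: __firewalld_reload
-
-- name: Register active zones
-find:
-paths: /etc/firewalld/zones
-file_type: file
-patterns: "*.xml"
-register: __firewalld_zones_active
-changed_when: False
-failed_when: False
-
-- name: Remove unmanaged zones
-file:
-path: "{{ item }}"
-state: absent
-loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
-notify: __firewalld_reload
-when: (item | basename | splitext | first) not in (firewalld_zones | map(attribute='name') | list)
-
-- name: Validate deployed configuration
-command: firewall-offline-cmd --check-config
-register: __firewalld_check
-changed_when: False
-failed_when: __firewalld_check.rc != 0
-
-- name: Ensure service is up and running
-service:
-name: firewalld
-daemon_reload: True
-enabled: True
-state: started
-become: True
-become_user: root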
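--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+---
+__firewalld_ipsets: "{{ firewalld_ipsets + firewalld_ipsets_extra }}"
+__firewalld_services: "{{ firewalld_services + firewalld_services_extra }}"
+__firewalld_zones: "{{ firewalld_zones + firewalld_zones_extra }}"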
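Review bot: `__firewalld_ipsets` and its two siblings assume both operands of `+` are lists; the role defaults are `[]`, but a caller that sets, say, `firewalld_zones_extra` to a mapping or leaves it null gets a Jinja type error at the first task that loops over the merged list, with nothing pointing at the `_extra` var as the cause. A one-line header comment would document that contract: `# Merged lists consumed by tasks/main.yml; the base and _extra vars must both be lists (defaults are []).` Because these live in the role's `vars/`, they also take precedence over inventory and play vars and can only be changed with extra vars, which is presumably intended for internal names but is worth stating in the same comment.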