feat: add extra vars for ipsets, services and zones

This commit is contained in:
Robert Kaussow 2022-10-12 09:59:13 +02:00
parent 20363788ee
commit 0f2c09d9e1
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
4 changed files with 117 additions and 112 deletions


@ -15,8 +15,10 @@ firewalld_allow_zone_drifting: False
# - 192.168.2.2
# @end
firewalld_ipsets: []
firewalld_ipsets_extra: []
firewalld_services: []
firewalld_services_extra: []
# @var firewalld_zones:example: >
# firewalld_zones:
@ -90,3 +92,4 @@ firewalld_zones:
- name: ssh
- name: dhcpv6-client
- name: cockpit
firewalld_zones_extra: []
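Review bot: The three new defaults `firewalld_ipsets_extra`, `firewalld_services_extra` and `firewalld_zones_extra` are added without a `@var` annotation, although the surrounding variables in this file are documented with `# @var …` / `# @end` blocks (see the `# @end` and `# @var firewalld_zones:example: >` lines in the first hunk); the same gap applies to the second hunk at `firewalld_zones_extra`. A reader of the generated role docs will not learn that these lists are concatenated onto the base lists, which the new vars file shows to be their only use. A one-line annotation per variable would close that, e.g. `# @var firewalld_ipsets_extra:description: Additional ipsets appended to firewalld_ipsets; useful for adding entries from a different variable precedence level without overriding the base list.`, with matching lines for services and zones.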


@ -1,2 +1,111 @@
---
- include_tasks: setup.yml
- block:
- name: Install packages
package:
name: "{{ item }}"
loop:
- firewalld
- python3-firewall
- name: Configure firewalld
template:
src: etc/firewalld/firewalld.conf.j2
dest: /etc/firewalld/firewalld.conf
mode: 0644
notify: __firewalld_reload
- name: Configure firewalld ipsets
template:
src: etc/firewalld/ipsets/ipset.xml.j2
dest: /etc/firewalld/ipsets/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_ipsets }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active ipsets
find:
paths: /etc/firewalld/ipsets
file_type: file
patterns: "*.xml"
register: __firewalld_ipsets_active
changed_when: False
failed_when: False
- name: Remove unmanaged ipsets
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
- name: Configure firewalld services
template:
src: etc/firewalld/services/service.xml.j2
dest: /etc/firewalld/services/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_services }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active services
find:
paths: /etc/firewalld/services
file_type: file
patterns: "*.xml"
register: __firewalld_services_active
changed_when: False
failed_when: False
- name: Remove unmanaged services
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
- name: Configure firewalld zones
template:
src: etc/firewalld/zones/zone.xml.j2
dest: /etc/firewalld/zones/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_zones }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active zones
find:
paths: /etc/firewalld/zones
file_type: file
patterns: "*.xml"
register: __firewalld_zones_active
changed_when: False
failed_when: False
- name: Remove unmanaged zones
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
- name: Validate deployed configuration
command: firewall-offline-cmd --check-config
register: __firewalld_check
changed_when: False
failed_when: __firewalld_check.rc != 0
- name: Ensure service is up and running
service:
name: firewalld
daemon_reload: True
enabled: True
state: started
become: True
become_user: root
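Review bot: The file modes on the `template` tasks are written as unquoted octal literals (`mode: 0644` for firewalld.conf and `mode: 0640` for the ipset, service and zone templates); the YAML loader reads those as integers, and the Ansible file-module documentation recommends quoting mode strings because the leading-zero form "works sometimes, but can fail in loops and some other circumstances" — ansible-lint reports it as risky-octal. Quoting them as `mode: "0644"` and `mode: "0640"` makes the intent explicit and keeps the value a string regardless of how the loop renders it. In the same style vein, the capitalised booleans on `changed_when: False`, `failed_when: False`, `daemon_reload: True`, `enabled: True` and `become: True` would better be the canonical lowercase `true` / `false` that yamllint's truthy rule expects. The whole hunk is one `block:` with its `become` options at the end, so this applies to every task in it.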


@ -1,111 +0,0 @@
---
- block:
- name: Install packages
package:
name: "{{ item }}"
loop:
- firewalld
- python3-firewall
- name: Configure firewalld
template:
src: etc/firewalld/firewalld.conf.j2
dest: /etc/firewalld/firewalld.conf
mode: 0644
notify: __firewalld_reload
- name: Configure firewalld ipsets
template:
src: etc/firewalld/ipsets/ipset.xml.j2
dest: /etc/firewalld/ipsets/{{ item.name }}.xml
mode: 0640
loop: "{{ firewalld_ipsets }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active ipsets
find:
paths: /etc/firewalld/ipsets
file_type: file
patterns: "*.xml"
register: __firewalld_ipsets_active
changed_when: False
failed_when: False
- name: Remove unmanaged ipsets
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (firewalld_ipsets | map(attribute='name') | list)
- name: Configure firewalld services
template:
src: etc/firewalld/services/service.xml.j2
dest: /etc/firewalld/services/{{ item.name }}.xml
mode: 0640
loop: "{{ firewalld_services }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active services
find:
paths: /etc/firewalld/services
file_type: file
patterns: "*.xml"
register: __firewalld_services_active
changed_when: False
failed_when: False
- name: Remove unmanaged services
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (firewalld_services | map(attribute='name') | list)
- name: Configure firewalld zones
template:
src: etc/firewalld/zones/zone.xml.j2
dest: /etc/firewalld/zones/{{ item.name }}.xml
mode: 0640
loop: "{{ firewalld_zones }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active zones
find:
paths: /etc/firewalld/zones
file_type: file
patterns: "*.xml"
register: __firewalld_zones_active
changed_when: False
failed_when: False
- name: Remove unmanaged zones
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (firewalld_zones | map(attribute='name') | list)
- name: Validate deployed configuration
command: firewall-offline-cmd --check-config
register: __firewalld_check
changed_when: False
failed_when: __firewalld_check.rc != 0
- name: Ensure service is up and running
service:
name: firewalld
daemon_reload: True
enabled: True
state: started
become: True
become_user: root

4
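--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+---
+__firewalld_ipsets: "{{ firewalld_ipsets + firewalld_ipsets_extra }}"
+__firewalld_services: "{{ firewalld_services + firewalld_services_extra }}"
+__firewalld_zones: "{{ firewalld_zones + firewalld_zones_extra }}"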
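Review bot: The three merged lists carry no comment explaining why they exist or how collisions behave, and this is the only place the `_extra` variables are consumed. Since the task file renders one `{{ item.name }}.xml` per list entry and then deletes every file whose basename is not in the merged names, an entry whose `name` appears in both the base list and the `_extra` list is written twice, with the later entry silently winning; the `+` concatenation also requires both operands to be lists, so a caller that sets an `_extra` variable to null or a mapping will fail at template time rather than with a clear message. A short header comment would make the contract explicit, e.g. `# Lists consumed by the role tasks: the public lists plus their *_extra counterparts. Both must be lists; a name present in both is rendered twice and the later entry wins.` If duplicate names are not intended, a `unique(attribute='name')`-style filter or an `assert` task on the merged lists would turn the silent override into a visible error, but that is a design choice for the role author.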