From e2cc2fb38180a35513a3d28aae73e855efa156aa Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Mon, 17 Oct 2022 08:47:09 +0200
Subject: [PATCH] feat: add option to disable firewalld

---
 defaults/main.yml | 2 +
 tasks/main.yml | 118 ++++------------------------------------
 tasks/setup.yml | 104 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 116 insertions(+), 108 deletions(-)
 create mode 100644 tasks/setup.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 78876a2..54e5540 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+firewalld_enabled: True
+
 firewalld_default_zone: public
 firewalld_allow_zone_drifting: False
diff --git a/tasks/main.yml b/tasks/main.yml
index 928d1e4..5e91a02 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
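Review bot: The new `firewalld_enabled` default carries no comment, yet setting it to false stops and masks the host firewall in tasks/main.yml, so a reader of defaults/main.yml cannot see the consequence of flipping it. I would add above it `# Set to false to stop and mask firewalld; the role then leaves the host without the managed ruleset.` The capitalised `True` matches the existing `False` on the following line, though yamllint's truthy rule and Ansible style prefer lowercase `true`/`false`; if one is changed, change both so the file stays consistent.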
@@ -1,111 +1,13 @@ --- -- block: - - name: Install packages - package: - name: "{{ item }}" - loop: - - firewalld - - python3-firewall - - - name: Configure firewalld - template: - src: etc/firewalld/firewalld.conf.j2 - dest: /etc/firewalld/firewalld.conf - mode: 0644 - notify: __firewalld_reload - - - name: Configure firewalld ipsets - template: - src: etc/firewalld/ipsets/ipset.xml.j2 - dest: /etc/firewalld/ipsets/{{ item.name }}.xml - mode: 0640 - loop: "{{ __firewalld_ipsets }}" - loop_control: - label: "{{ item.name }}" - notify: __firewalld_reload - - - name: Register active ipsets - find: - paths: /etc/firewalld/ipsets - file_type: file - patterns: "*.xml" - register: __firewalld_ipsets_active - changed_when: False - failed_when: False - - - name: Remove unmanaged ipsets - file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list) - - - name: Configure firewalld services - template: - src: etc/firewalld/services/service.xml.j2 - dest: /etc/firewalld/services/{{ item.name }}.xml - mode: 0640 - loop: "{{ __firewalld_services }}" - loop_control: - label: "{{ item.name }}" - notify: __firewalld_reload - - - name: Register active services - find: - paths: /etc/firewalld/services - file_type: file - patterns: "*.xml" - register: __firewalld_services_active - changed_when: False - failed_when: False - - - name: Remove unmanaged services - file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list) - - - name: Configure firewalld zones - template: - src: etc/firewalld/zones/zone.xml.j2 - dest: /etc/firewalld/zones/{{ item.name }}.xml - mode: 0640 - loop: "{{ __firewalld_zones 
}}" - loop_control: - label: "{{ item.name }}" - notify: __firewalld_reload - - - name: Register active zones - find: - paths: /etc/firewalld/zones - file_type: file - patterns: "*.xml" - register: __firewalld_zones_active - changed_when: False - failed_when: False - - - name: Remove unmanaged zones - file: - path: "{{ item }}" - state: absent - loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}" - notify: __firewalld_reload - when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list) - - - name: Validate deployed configuration - command: firewall-offline-cmd --check-config - register: __firewalld_check - changed_when: False - failed_when: __firewalld_check.rc != 0 - - - name: Ensure service is up and running - service: - name: firewalld - daemon_reload: True - enabled: True - state: started +- include_tasks: setup.yml + when: firewalld_enabled | bool + +- name: Ensure service has expected state + service: + name: firewalld + daemon_reload: True + enabled: "{{ firewalld_enabled | bool }}" + masked: "{{ not firewalld_enabled | bool }}" + state: "{{ firewalld_enabled | bool | ternary('started', 'stopped', 'started') }}" become: True become_user: root diff --git a/tasks/setup.yml b/tasks/setup.yml new file mode 100644 index 0000000..5e1076a --- /dev/null +++ b/tasks/setup.yml 
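Review bot: When `firewalld_enabled` is false the `include_tasks: setup.yml` that installs the package is skipped, but `Ensure service has expected state` still runs against `firewalld`, so on a host where the package was never installed the service module will most likely fail to find the unit instead of reporting the firewall as already absent. Gathering `service_facts` first and guarding the task with `when: firewalld_enabled | bool or 'firewalld.service' in ansible_facts.services` would make the disable path idempotent on fresh hosts. The third argument in `ternary('started', 'stopped', 'started')` is the value used for `none`, which `| bool` never yields, so `ternary('started', 'stopped')` reads cleaner. A stopped and masked firewalld leaves the existing `/etc/firewalld` configuration on disk but no active filtering from this role, which is worth stating in the role documentation next to the new variable.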
@@ -0,0 +1,104 @@ +--- +- block: + - name: Install packages + package: + name: "{{ item }}" + loop: + - firewalld + - python3-firewall + + - name: Configure firewalld + template: + src: etc/firewalld/firewalld.conf.j2 + dest: /etc/firewalld/firewalld.conf + mode: 0644 + notify: __firewalld_reload + + - name: Configure firewalld ipsets + template: + src: etc/firewalld/ipsets/ipset.xml.j2 + dest: /etc/firewalld/ipsets/{{ item.name }}.xml + mode: 0640 + loop: "{{ __firewalld_ipsets }}" + loop_control: + label: "{{ item.name }}" + notify: __firewalld_reload + + - name: Register active ipsets + find: + paths: /etc/firewalld/ipsets + file_type: file + patterns: "*.xml" + register: __firewalld_ipsets_active + changed_when: False + failed_when: False + + - name: Remove unmanaged ipsets + file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list) + + - name: Configure firewalld services + template: + src: etc/firewalld/services/service.xml.j2 + dest: /etc/firewalld/services/{{ item.name }}.xml + mode: 0640 + loop: "{{ __firewalld_services }}" + loop_control: + label: "{{ item.name }}" + notify: __firewalld_reload + + - name: Register active services + find: + paths: /etc/firewalld/services + file_type: file + patterns: "*.xml" + register: __firewalld_services_active + changed_when: False + failed_when: False + + - name: Remove unmanaged services + file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list) + + - name: Configure firewalld zones + template: + src: etc/firewalld/zones/zone.xml.j2 + dest: /etc/firewalld/zones/{{ item.name }}.xml + mode: 0640 + loop: "{{ __firewalld_zones 
}}" + loop_control: + label: "{{ item.name }}" + notify: __firewalld_reload + + - name: Register active zones + find: + paths: /etc/firewalld/zones + file_type: file + patterns: "*.xml" + register: __firewalld_zones_active + changed_when: False + failed_when: False + + - name: Remove unmanaged zones + file: + path: "{{ item }}" + state: absent + loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}" + notify: __firewalld_reload + when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list) + + - name: Validate deployed configuration + command: firewall-offline-cmd --check-config + register: __firewalld_check + changed_when: False + failed_when: __firewalld_check.rc != 0 + become: True + become_user: root
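Review bot: `Validate deployed configuration` runs `firewall-offline-cmd --check-config` only after every template task has already written its file, so a failing check aborts the play but leaves the rejected zone, service or ipset XML in `/etc/firewalld`, where a later restart of the service will pick it up; this ordering is inherited from the old tasks/main.yml rather than introduced here. Adding `backup: true` to the template tasks, or at least a comment on the validation task saying `# Runs after all files are written; on failure the rejected files remain in /etc/firewalld`, would give operators a recovery path. The `mode: 0644` and `mode: 0640` values are unquoted octal literals that YAML 1.1 parses as integers, which Ansible tolerates but its docs advise writing as `mode: "0644"`. The `find` tasks set `failed_when: False`, so an error listing `/etc/firewalld/*` is silently ignored and would presumably surface only later as a missing `.files` attribute in the following `Remove unmanaged …` task.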