ansible/xoxys.firewalld
0
0
Fork 0
Code Issues Pull Requests Releases Activity

feat: add option to disable firewalld
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Robert Kaussow 2022-10-17 08:47:09 +02:00
parent a73eaafafe
commit e2cc2fb381
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
3 changed files with 115 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -1,4 +1,6 @@
--- ---
firewalld_enabled: True
firewalld_default_zone: public firewalld_default_zone: public
firewalld_allow_zone_drifting: False firewalld_allow_zone_drifting: False

116
tasks/main.yml
View File

@ -1,111 +1,13 @@
--- ---
- block: - include_tasks: setup.yml
- name: Install packages when: firewalld_enabled | bool
package:
name: "{{ item }}"
loop:
- firewalld
- python3-firewall
- name: Configure firewalld - name: Ensure service has expected state
template: service:
src: etc/firewalld/firewalld.conf.j2 name: firewalld
dest: /etc/firewalld/firewalld.conf daemon_reload: True
mode: 0644 enabled: "{{ firewalld_enabled | bool }}"
notify: __firewalld_reload masked: "{{ not firewalld_enabled | bool }}"
state: "{{ firewalld_enabled | bool | ternary('started', 'stopped', 'started') }}"
- name: Configure firewalld ipsets
template:
src: etc/firewalld/ipsets/ipset.xml.j2
dest: /etc/firewalld/ipsets/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_ipsets }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active ipsets
find:
paths: /etc/firewalld/ipsets
file_type: file
patterns: "*.xml"
register: __firewalld_ipsets_active
changed_when: False
failed_when: False
- name: Remove unmanaged ipsets
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
- name: Configure firewalld services
template:
src: etc/firewalld/services/service.xml.j2
dest: /etc/firewalld/services/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_services }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active services
find:
paths: /etc/firewalld/services
file_type: file
patterns: "*.xml"
register: __firewalld_services_active
changed_when: False
failed_when: False
- name: Remove unmanaged services
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
- name: Configure firewalld zones
template:
src: etc/firewalld/zones/zone.xml.j2
dest: /etc/firewalld/zones/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_zones }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active zones
find:
paths: /etc/firewalld/zones
file_type: file
patterns: "*.xml"
register: __firewalld_zones_active
changed_when: False
failed_when: False
- name: Remove unmanaged zones
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
- name: Validate deployed configuration
command: firewall-offline-cmd --check-config
register: __firewalld_check
changed_when: False
failed_when: __firewalld_check.rc != 0
- name: Ensure service is up and running
service:
name: firewalld
daemon_reload: True
enabled: True
state: started
become: True become: True
become_user: root become_user: root

104
tasks/setup.yml Normal file
View File

@ -0,0 +1,104 @@
---
- block:
- name: Install packages
package:
name: "{{ item }}"
loop:
- firewalld
- python3-firewall
- name: Configure firewalld
template:
src: etc/firewalld/firewalld.conf.j2
dest: /etc/firewalld/firewalld.conf
mode: 0644
notify: __firewalld_reload
- name: Configure firewalld ipsets
template:
src: etc/firewalld/ipsets/ipset.xml.j2
dest: /etc/firewalld/ipsets/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_ipsets }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active ipsets
find:
paths: /etc/firewalld/ipsets
file_type: file
patterns: "*.xml"
register: __firewalld_ipsets_active
changed_when: False
failed_when: False
- name: Remove unmanaged ipsets
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
- name: Configure firewalld services
template:
src: etc/firewalld/services/service.xml.j2
dest: /etc/firewalld/services/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_services }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active services
find:
paths: /etc/firewalld/services
file_type: file
patterns: "*.xml"
register: __firewalld_services_active
changed_when: False
failed_when: False
- name: Remove unmanaged services
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
- name: Configure firewalld zones
template:
src: etc/firewalld/zones/zone.xml.j2
dest: /etc/firewalld/zones/{{ item.name }}.xml
mode: 0640
loop: "{{ __firewalld_zones }}"
loop_control:
label: "{{ item.name }}"
notify: __firewalld_reload
- name: Register active zones
find:
paths: /etc/firewalld/zones
file_type: file
patterns: "*.xml"
register: __firewalld_zones_active
changed_when: False
failed_when: False
- name: Remove unmanaged zones
file:
path: "{{ item }}"
state: absent
loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
notify: __firewalld_reload
when: (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
- name: Validate deployed configuration
command: firewall-offline-cmd --check-config
register: __firewalld_check
changed_when: False
failed_when: __firewalld_check.rc != 0
become: True
become_user: root