minifirewall-tail: role for minifirewall customization with templates
This commit is contained in:
parent
03cc0ecf1d
commit
6a16dcf772
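--- a/minifirewall-tail/README.md
+++ b/minifirewall-tail/README.md
@@ -0,0 +1,10 @@
+# minifirewall-tail
+
+Compiles a `minifirewall.tail` file based on templates and source it at the end of minifirewall configuration.
+
+Templates are looked up in that order :
+1. `{{ playbook_dir}}/templates/minifirewall-tail/{{ inventory_hostname}}`
+2. `{{ playbook_dir}}/templates/minifirewall-tail/{{ host_group}}` (NB : `host_group` is not a core variable, it must be defined in `group_vars` files.)
+3. `{{ playbook_dir}}/templates/minifirewall-tail/default`
+
+If nothing is found, the role falls back to the temlate embedded in the role : `templates/default`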
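--- a/minifirewall-tail/meta/main.yml
+++ b/minifirewall-tail/meta/main.yml
@@ -0,0 +1,19 @@
+galaxy_info:
+  author: Evolix
+  description: Additionla configuration for Minifirewall
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - jessie
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.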
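--- a/minifirewall-tail/tasks/main.yml
+++ b/minifirewall-tail/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: Add some rules at the end of minifirewall file
+  template:
+    src: "{{ item }}"
+    dest: /etc/default/minifirewall.tail
+    force: yes
+  with_first_found:
+    - files:
+      - "{{ inventory_hostname }}"
+      - "{{ host_group }}"
+      - general
+      paths:
+      - templates/minifirewall-tail
+      - default
+  register: minifirewall_tail_file
+
+- debug:
+    var: minifirewall_tail_file
+    verbosity: 1
+
+- name: source minifirewall.tail at the end of the main file
+  blockinfile:
+    dest: /etc/default/minifirewall
+    marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
+    block: . /etc/default/minifirewall.tail
+    insertbefore: EOF
+  register: minifirewall_tail_source
+
+- debug:
+    var: minifirewall_tail_source
+    verbosity: 1
+
+- name: Check if minifirewall is running
+  shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: minifirewall_is_running
+
+- debug:
+    var: minifirewall_is_running
+    verbosity: 1
+
+- name: restart minifirewall
+  # service:
+  #   name: minifirewall
+  #   state: restarted
+  command: /etc/init.d/minifirewall restart
+  register: minifirewall_init_restart
+  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
+  when: minifirewall_is_running.rc == 0 and (minifirewall_tail_file | changed or minifirewall_config_ips | changed or minifirewall_config_ports | changed)
+
+- debug:
+    var: minifirewall_init_restart
+    verbosity: 1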
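--- a/minifirewall-tail/templates/default
+++ b/minifirewall-tail/templates/default
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+# In this file you can put additional iptables rules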