minifirewall-tail: role for minifirewall customization with templates
This commit is contained in:
parent
03cc0ecf1d
commit
6a16dcf772
10
minifirewall-tail/README.md
Normal file
|
@ -0,0 +1,10 @@
|
|||
# minifirewall-tail
|
||||
|
||||
Compiles a `minifirewall.tail` file based on templates and source it at the end of minifirewall configuration.
|
||||
|
||||
Templates are looked up in that order :
|
||||
1. `{{ playbook_dir}}/templates/minifirewall-tail/{{ inventory_hostname}}`
|
||||
2. `{{ playbook_dir}}/templates/minifirewall-tail/{{ host_group}}` (NB : `host_group` is not a core variable, it must be defined in `group_vars` files.)
|
||||
3. `{{ playbook_dir}}/templates/minifirewall-tail/default`
|
||||
|
||||
If nothing is found, the role falls back to the temlate embedded in the role : `templates/default`
|
19
minifirewall-tail/meta/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
galaxy_info:
|
||||
author: Evolix
|
||||
description: Additionla configuration for Minifirewall
|
||||
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
license: GPLv2
|
||||
|
||||
min_ansible_version: 2.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
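Review bot: The `description:` value under `galaxy_info` misspells "Additional"; it should read `description: Additional configuration for Minifirewall`. This string is what `ansible-galaxy` and role listings display, so it is worth correcting before the role is published.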
56
minifirewall-tail/tasks/main.yml
Normal file
|
@ -0,0 +1,56 @@
|
|||
---
|
||||
- name: Add some rules at the end of minifirewall file
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/default/minifirewall.tail
|
||||
force: yes
|
||||
with_first_found:
|
||||
- files:
|
||||
- "{{ inventory_hostname }}"
|
||||
- "{{ host_group }}"
|
||||
- general
|
||||
paths:
|
||||
- templates/minifirewall-tail
|
||||
- default
|
||||
register: minifirewall_tail_file
|
||||
|
||||
- debug:
|
||||
var: minifirewall_tail_file
|
||||
verbosity: 1
|
||||
|
||||
- name: source minifirewall.tail at the end of the main file
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||
block: . /etc/default/minifirewall.tail
|
||||
insertbefore: EOF
|
||||
register: minifirewall_tail_source
|
||||
|
||||
- debug:
|
||||
var: minifirewall_tail_source
|
||||
verbosity: 1
|
||||
|
||||
- name: Check if minifirewall is running
|
||||
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: minifirewall_is_running
|
||||
|
||||
- debug:
|
||||
var: minifirewall_is_running
|
||||
verbosity: 1
|
||||
|
||||
- name: restart minifirewall
|
||||
# service:
|
||||
# name: minifirewall
|
||||
# state: restarted
|
||||
command: /etc/init.d/minifirewall restart
|
||||
register: minifirewall_init_restart
|
||||
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
||||
when: minifirewall_is_running.rc == 0 and (minifirewall_tail_file | changed or minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
||||
|
||||
- debug:
|
||||
var: minifirewall_init_restart
|
||||
verbosity: 1
|
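Review bot: The template task that writes `dest: /etc/default/minifirewall.tail` sets no `owner`, `group` or `mode`, while the `blockinfile` task below makes `/etc/default/minifirewall` `. /etc/default/minifirewall.tail` on every firewall (re)start, so the tail file is effectively a root-executed script whose permissions are left to the remote umask; add `owner: root`, `group: root` and `mode: "0644"` (or `"0600"` if the extra rules are considered sensitive) to the template task. The `with_first_found` lookup ends with the file name `general` and a `paths` entry of `default`, whereas the README and the shipped `templates/default` file use `default` as the final file name, so the embedded fallback would presumably never be matched and the task would fail instead of falling back; either list `default` under `files` or add `skip: true` and document the no-template case. The restart task's `when:` also reads `minifirewall_config_ips` and `minifirewall_config_ports`, which nothing in this role registers, so running the role on its own would abort on an undefined variable; guard them, e.g. `(minifirewall_config_ips is defined and minifirewall_config_ips | changed)`, or drop them and let the role that registers them handle its own restart. Minor: `force: yes` and `check_mode: no` are YAML 1.1 truthy spellings; prefer `true`/`false`.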
3
minifirewall-tail/templates/default
Normal file
|
@ -0,0 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# In this file you can put additional iptables rules
|