From 8a2111561f311fafcbe7cb33f9596c18b6f8053e Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 10 Dec 2020 19:23:18 +0100
Subject: [PATCH] Improve PacketFilter role Replace hards IP with variable Add a README file
---
 roles/pf/README.md | 13 +++++++++++++
 roles/pf/defaults/main.yml | 9 +++++++++
 roles/pf/templates/pf.conf.j2 | 2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 roles/pf/README.md
 create mode 100644 roles/pf/defaults/main.yml
diff --git a/roles/pf/README.md b/roles/pf/README.md
new file mode 100644
index 0000000..274247e
--- /dev/null
+++ b/roles/pf/README.md
@@ -0,0 +1,13 @@
+# PacketFilter
+
+Custom configuration of PacketFilter.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+* `pf_trusted_ips` : list of IP trusted for important access (default: all).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
new file mode 100644
index 0000000..2eb9c6c
--- /dev/null
+++ b/roles/pf/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+
+pf_default_trusted_ips: []
+pf_additional_trusted_ips: []
+# and default to ['0.0.0.0/0'] if the result is still empty
+pf_trusted_ips:
+ "{{ pf_default_trusted_ips | union(pf_additional_trusted_ips)
+ | unique | join(', ')
+ | default(['0.0.0.0/0'], true) }}"
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 65ee69b..f75a81e 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -12,7 +12,7 @@ ext_if="{{ ansible_default_ipv4.device }}"
 ###########################
 # Evolix
-table { 88.179.18.233, 31.170.9.129, 31.170.8.4 }
+table { {{ pf_trusted_ips }} }
 # Port en entrée
 # 2222 = ssh secondaire
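Review bot: The fallback in `pf_trusted_ips` fails open: with both `pf_default_trusted_ips` and `pf_additional_trusted_ips` left at `[]`, the trusted table is meant to become `0.0.0.0/0`, whereas the template previously carried three fixed addresses, so a host that sets neither variable goes from three trusted sources to every IPv4 source. The filter order also looks wrong: `join(', ')` produces a string, and only when that string is empty does `default(['0.0.0.0/0'], true)` substitute a list, which the template would presumably render as the literal `['0.0.0.0/0']` rather than a pf address. I would drop the catch-all and have the role fail when the merged list is empty (an `assert` in tasks/main.yml, which is outside this diff). If the open default is intended, apply it before the join, `| unique | default(['0.0.0.0/0'], true) | join(', ')`, and state in the comment that it trusts all IPv4 sources.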
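Review bot: The table body is now whatever string `pf_trusted_ips` holds, interpolated unchecked at `table { {{ pf_trusted_ips }} }`, so a typo or a non-address entry in inventory reaches the firewall ruleset as-is. It is worth filtering the entries to valid addresses or CIDRs before rendering, and having the task that deploys this template (not visible in this diff) pass `validate: 'pfctl -nf %s'` so that a ruleset which does not parse is never installed. A short comment above the table line, e.g. `# Trusted sources: pf_default_trusted_ips + pf_additional_trusted_ips (see defaults/main.yml)`, would also tell readers where the addresses went. The template continues outside the hunk, so the rules that reference this table are not reviewed here.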