Minifirewall: extend configuration abilities with blocks

minifirewall/README.md

@@ -1,6 +1,6 @@
 # minifirewall
 
-Install minifirewall a simple and versatile local firewall.
+Installation of minifirewall a simple and versatile local firewall.
 
 The firewall is not started by default, but an init script is installed.
 
@@ -16,4 +16,6 @@ Everything is in the `tasks/main.yml` file.
 * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
 * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
 
-Some IP/hosts must be configured or the server will be inaccessible via network.
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+**Some IP/hosts must be configured or the server will be inaccessible via network.**

minifirewall/defaults/main.yml

@@ -6,3 +6,12 @@ minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
 minifirewall_trusted_ips: []
 minifirewall_privilegied_ips: []
+
+minifirewall_protected_ports_tcp: [22]
+minifirewall_protected_ports_udp: []
+minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
+minifirewall_public_ports_udp: [53]
+minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
+minifirewall_semipublic_ports_udp: []
+minifirewall_private_ports_tcp: [5666]
+minifirewall_private_ports_udp: []

minifirewall/tasks/config.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Begin marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
+    insertbefore: '^# Main interface'
+
+- name: End marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
+    insertafter: '^PRIVILEGIEDIPS='
+
+- name: Configure IP addresses
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
+    content: |
+      INT='{{ minifirewall_int }}'
+      IPV6='{{ minifirewall_ipv6 }}'
+      INTLAN='{{ minifirewall_intlan }}'
+      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
+      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
+
+
+- name: Begin marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertbefore: '^# Protected services'
+
+- name: End marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertafter: '^SERVICESUDP3='
+
+- name: Configure ports
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
+    content: |
+      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
+      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
+      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
+      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
+      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
+      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
+      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
+      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'

minifirewall/tasks/install.yml

@@ -0,0 +1,29 @@
+---
+
+- name: clone git repository
+  git:
+    repo: "{{ minifirewall_git_url}}"
+    dest: "{{ minifirewall_checkout_path }}"
+    clone: yes
+
+# WARN: these tasks copy the file if there are not already there
+# They don't update files.
+
+- name: is init script present?
+  stat:
+    path: /etc/init.d/minifirewall
+  register: init_minifirewall
+
+- name: init script is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
+  when: not init_minifirewall.stat.exists
+
+
+- name: is configuration present?
+  stat:
+    path: /etc/default/minifirewall
+  register: default_minifirewall
+
+- name: configuration is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
+  when: not default_minifirewall.stat.exists

minifirewall/tasks/main.yml

@@ -1,42 +1,5 @@
 ---
 
-- name: clone git repository
-  git:
-    repo: "{{ minifirewall_git_url}}"
-    dest: "{{ minifirewall_checkout_path }}"
-    clone: yes
+- include: install.yml
 
-# WARN: these tasks copy the file if there are not already there
-# They don't update files.
-
-- name: is init script present?
-  stat:
-    path: /etc/init.d/minifirewall
-  register: init_minifirewall
-
-- name: init script is copied
-  command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
-  when: not init_minifirewall.stat.exists
-
-
-- name: is configuration present?
-  stat:
-    path: /etc/default/minifirewall
-  register: default_minifirewall
-
-- block:
-  - name: configuration is copied
-    command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
-
-  - name: configuraion is customized
-    replace:
-      dest: /etc/default/minifirewall
-      regexp: '{{ item.regexp }}'
-      replace: '{{ item.replace }}'
-    with_items:
-      - { regexp: "^(INT)='.*'",            replace: "\\1='{{ minifirewall_int }}'" }
-      - { regexp: "^(INTLAN)='.*'",         replace: "\\1='{{ minifirewall_intlan }}'" }
-      - { regexp: "^(IPV6)='.*'",           replace: "\\1='{{ minifirewall_ipv6 }}'" }
-      - { regexp: "^(TRUSTEDIPS)='.*'",     replace: "\\1='{{ minifirewall_trusted_ips | join(' ') }}'" }
-      - { regexp: "^(PRIVILEGIEDIPS)='.*'", replace: "\\1='{{ minifirewall_privilegied_ips | join(' ') }}'" }
-  when: not default_minifirewall.stat.exists
+- include: config.yml