Minifirewall: extend configuration abilities with blocks

This commit is contained in:
Jérémy Lecour 2017-01-06 15:50:48 +01:00 committed by Jérémy Lecour
parent 7634830bbc
commit 9570efcaed
5 changed files with 101 additions and 41 deletions


@ -1,6 +1,6 @@
# minifirewall # minifirewall
Install minifirewall a simple and versatile local firewall. Installation of minifirewall a simple and versatile local firewall.
The firewall is not started by default, but an init script is installed. The firewall is not started by default, but an init script is installed.
@ -16,4 +16,6 @@ Everything is in the `tasks/main.yml` file.
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none) * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none) * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
Some IP/hosts must be configured or the server will be inaccessible via network. The full list of variables (with default values) can be found in `defaults/main.yml`.
**Some IP/hosts must be configured or the server will be inaccessible via network.**


@ -6,3 +6,12 @@ minifirewall_ipv6: "on"
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
minifirewall_trusted_ips: [] minifirewall_trusted_ips: []
minifirewall_privilegied_ips: [] minifirewall_privilegied_ips: []
minifirewall_protected_ports_tcp: [22]
minifirewall_protected_ports_udp: []
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
minifirewall_public_ports_udp: [53]
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
minifirewall_semipublic_ports_udp: []
minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: []
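Review bot: Port 22 is listed in both `minifirewall_protected_ports_tcp: [22]` and `minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]`, and nothing on the page says how minifirewall treats a port that appears in two tiers; if these values mirror the upstream sample config, a comment saying so would spare the next reader the question, otherwise the duplicate should be resolved. The four tiers (protected / public / semipublic / private) are also not explained here, although the README now points readers to this file for the variable list; a one-line comment above each pair stating which source addresses may reach that tier (taken from minifirewall's own documentation rather than guessed) would make the defaults reviewable. Since these are role defaults, every host that applies the role without overrides exposes the public TCP list as-is, so reviewers should confirm that list is intended for their fleet rather than inherited unread.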


@ -0,0 +1,57 @@
---
- name: Begin marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
insertbefore: '^# Main interface'
- name: End marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
insertafter: '^PRIVILEGIEDIPS='
- name: Configure IP addresses
blockinfile:
dest: /etc/default/minifirewall
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
content: |
INT='{{ minifirewall_int }}'
IPV6='{{ minifirewall_ipv6 }}'
INTLAN='{{ minifirewall_intlan }}'
TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
- name: Begin marker for ports
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
insertbefore: '^# Protected services'
- name: End marker for ports
lineinfile:
dest: /etc/default/minifirewall
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
insertafter: '^SERVICESUDP3='
- name: Configure ports
blockinfile:
dest: /etc/default/minifirewall
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
content: |
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
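Review bot: The marker tasks depend on `insertbefore: '^# Main interface'` / `insertafter: '^PRIVILEGIEDIPS='` (and `'^# Protected services'` / `'^SERVICESUDP3='` for the ports block) matching text in the shipped config, and lineinfile appends the line at end of file when the pattern is absent; a missing END anchor therefore places the END marker at EOF, and the following blockinfile then replaces everything from the BEGIN marker to EOF, including the ports section and whatever follows it. Nothing in the hunk guards against that, and the assumption about the config layout is not written down. At minimum add `backup: yes` to both blockinfile tasks so the previous `/etc/default/minifirewall` can be recovered, and put a comment above the first marker task such as `# The BEGIN/END markers wrap the existing INT=..PRIVILEGIEDIPS= lines so blockinfile replaces them; both anchor patterns must exist in the shipped config or the block swallows the rest of the file`. Also note that the templated values are dropped inside single quotes in a file that is sourced by a shell, so a list element containing `'` would break out of the assignment; the lists are operator-supplied, but a comment stating that constraint is cheap.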


@ -0,0 +1,29 @@
---
- name: clone git repository
git:
repo: "{{ minifirewall_git_url}}"
dest: "{{ minifirewall_checkout_path }}"
clone: yes
# WARN: these tasks copy the file if there are not already there
# They don't update files.
- name: is init script present?
stat:
path: /etc/init.d/minifirewall
register: init_minifirewall
- name: init script is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
when: not init_minifirewall.stat.exists
- name: is configuration present?
stat:
path: /etc/default/minifirewall
register: default_minifirewall
- name: configuration is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
when: not default_minifirewall.stat.exists
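Review bot: The `git:` task clones `minifirewall_git_url` without a `version:`, so each run checks out whatever the remote default branch currently points at, while the copy tasks below deliberately never refresh `/etc/init.d/minifirewall` or `/etc/default/minifirewall`; the checkout and the installed files therefore drift apart silently, and an unexpected change on the upstream branch is installed on freshly provisioned hosts only, which is hard to notice and impossible to reproduce. Pin the checkout to a tag or commit, e.g. `version: "{{ minifirewall_git_version }}"` with that variable (name constructed here) declared in `defaults/main.yml`, so the installed firewall is reproducible and reviewable. Minor points on the same hunk: `repo: "{{ minifirewall_git_url}}"` is missing the space before `}}`, `clone: yes` should be `clone: true`, and the comment reads better as `# WARN: these tasks copy the files only if they are not already there; they never update them`.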


@ -1,42 +1,5 @@
--- ---
- name: clone git repository - include: install.yml
git:
repo: "{{ minifirewall_git_url}}"
dest: "{{ minifirewall_checkout_path }}"
clone: yes
# WARN: these tasks copy the file if there are not already there - include: config.yml
# They don't update files.
- name: is init script present?
stat:
path: /etc/init.d/minifirewall
register: init_minifirewall
- name: init script is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
when: not init_minifirewall.stat.exists
- name: is configuration present?
stat:
path: /etc/default/minifirewall
register: default_minifirewall
- block:
- name: configuration is copied
command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
- name: configuraion is customized
replace:
dest: /etc/default/minifirewall
regexp: '{{ item.regexp }}'
replace: '{{ item.replace }}'
with_items:
- { regexp: "^(INT)='.*'", replace: "\\1='{{ minifirewall_int }}'" }
- { regexp: "^(INTLAN)='.*'", replace: "\\1='{{ minifirewall_intlan }}'" }
- { regexp: "^(IPV6)='.*'", replace: "\\1='{{ minifirewall_ipv6 }}'" }
- { regexp: "^(TRUSTEDIPS)='.*'", replace: "\\1='{{ minifirewall_trusted_ips | join(' ') }}'" }
- { regexp: "^(PRIVILEGIEDIPS)='.*'", replace: "\\1='{{ minifirewall_privilegied_ips | join(' ') }}'" }
when: not default_minifirewall.stat.exists