From 97b0225232e975b917b364b9f733d02d6d7e09ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Sat, 7 Oct 2017 23:39:50 +0200
Subject: [PATCH] Minifirewall can deal with evomaintenance

Each role has to know how to deal with the other. Otherwise, depending on order of execution, the firewall might not allow connections for evomaintenance
---
 minifirewall/defaults/main.yml | 2 ++
 minifirewall/tasks/config.yml | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index 2b55884f..02828d66 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -19,3 +19,5 @@ minifirewall_private_ports_tcp: [5666]
 minifirewall_private_ports_udp: []
 minifirewall_autostart: "no"
+
+evomaintenance_hosts: []
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 80acf5d0..ea6b1a9e 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -94,6 +94,20 @@
       SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
   register: minifirewall_config_ports
+- name: evomaintenance
+  lineinfile:
+    dest: /etc/default/minifirewall
+    line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
+    insertafter: "^# EvoMaintenance"
+  with_items: "{{ evomaintenance_hosts }}"
+
+- name: remove minifirewall example rule for the evomaintenance
+  lineinfile:
+    dest: /etc/default/minifirewall
+    regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
+    state: absent
+  when: evomaintenance_hosts != []
+
 - name: restart minifirewall
   # service:
   #   name: minifirewall
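Review bot: The `evomaintenance` task adds one `lineinfile` line per entry of `evomaintenance_hosts` but nothing ever removes the rule for a host that is later dropped from the list, so a decommissioned or replaced evomaintenance host keeps its `ACCEPT` rule in `/etc/default/minifirewall` indefinitely; a `blockinfile` with a fixed marker (below) makes the managed block mirror the current list and deletes it when the list becomes empty. Unlike the ports task just above, neither new task registers a result, so if the `restart minifirewall` task (whose condition lies outside this hunk) is keyed on `minifirewall_config_ports.changed`, a run that changes only these rules would not reload the firewall; registering the result as shown and adding it to that condition would close the gap. Since the inserted line is a literal `/sbin/iptables` command, the file is evidently executed as shell, so `{{ item }}` is interpolated unvalidated into shell text — acceptable only while `evomaintenance_hosts` comes from trusted inventory, which is worth stating in the defaults file.

```yaml
- name: evomaintenance
  blockinfile:
    dest: /etc/default/minifirewall
    marker: "# {mark} ANSIBLE MANAGED EVOMAINTENANCE RULES"
    insertafter: "^# EvoMaintenance"
    block: |
      {% for host in evomaintenance_hosts %}
      /sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ host }} -m state --state ESTABLISHED,RELATED -j ACCEPT
      {% endfor %}
  register: minifirewall_config_evomaintenance
# … unchanged: removal of the commented X.X.X.X example rule …
```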