Minifirewall can deal with evomaintenance

Each role has to know how to deal with the other. Otherwise, depending on order of execution, the firewall might not allow connections for evomaintenance
2017-10-07 23:39:50 +02:00 · 2017-10-07 23:39:50 +02:00 · 97b0225232
parent 98c5619721
commit 97b0225232
2 changed files with 16 additions and 0 deletions
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@ -19,3 +19,5 @@ minifirewall_private_ports_tcp: [5666]
 minifirewall_private_ports_udp: []

 minifirewall_autostart: "no"
+
+evomaintenance_hosts: []
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@ -94,6 +94,20 @@
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
  register: minifirewall_config_ports

+- name: evomaintenance
+  lineinfile:
+    dest: /etc/default/minifirewall
+    line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
+    insertafter: "^# EvoMaintenance"
+  with_items: "{{ evomaintenance_hosts }}"
+
+- name: remove minifirewall example rule for the evomaintenance
+  lineinfile:
+    dest: /etc/default/minifirewall
+    regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
+    state: absent
+  when: evomaintenance_hosts != []
+
 - name: restart minifirewall
  # service:
  #   name: minifirewall