Added Archlinux support for firewall role

novateams · Feb 21, 2024 · 2287663 · 2287663
1 parent 5dbed11
commit 2287663
Show file tree

Hide file tree

Showing 4 changed files with 86 additions and 75 deletions.
diff --git a/nova/core/roles/firewall/handlers/main.yml b/nova/core/roles/firewall/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Restarting nftables...
+  ansible.builtin.systemd:
+    name: nftables.service
+    state: restarted
+    enabled: true
+    daemon_reload: true
+
+- name: Restarting Docker...
+  ansible.builtin.systemd:
+    name: docker.service
+    state: restarted
+
+- name: Rebooting...
+  ansible.builtin.reboot:
+  when: ansible_os_family == "Archlinux" # For some reason nftables does not work without a reboot on Archlinux
diff --git a/nova/core/roles/firewall/tasks/iptables.yml b/nova/core/roles/firewall/tasks/iptables.yml
@@ -1,77 +1,81 @@
 ---
 - name: Removing nftables...
-  ansible.builtin.apt:
+  ansible.builtin.package:
     name: nftables
     state: absent
 
 - name: Installing iptables...
-  ansible.builtin.apt:
-    name:
-      - iptables
-      - iptables-persistent
+  ansible.builtin.package:
+    name: iptables
     state: present
     update_cache: true
-  register: firewall_dependencies_install
-  until: not firewall_dependencies_install.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed
+  register: iptables_install
+  until: not iptables_install.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed
   retries: 10
   delay: 6
 
-- name: Enabling netfilter-persistent service...
-  ansible.builtin.service:
-    name: netfilter-persistent
-    enabled: true
-
 - name: Creating iptables directory...
   ansible.builtin.file:
     path: /etc/iptables
     state: directory
     mode: "0755"
 
-- name: Templating iptables IPv4 rules...
-  ansible.builtin.template:
-    src: "{{ ipv4_template_file }}"
-    dest: /etc/iptables/rules.v4
-    lstrip_blocks: true
-    mode: "0644"
-  register: ipv4_rules_result
+- name: Installing and configuring iptables for Debian based OS...
+  when: ansible_os_family == "Debian"
+  block:
+    - name: Installing iptables-persistent...
+      ansible.builtin.package:
+        name:
+          - iptables-persistent
+        state: present
+      register: iptables_persistent_isntall
+      until: not iptables_persistent_isntall.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed
+      retries: 10
+      delay: 6
 
-- name: Templating iptables IPv6 rules...
-  ansible.builtin.template:
-    src: "{{ ipv6_template_file }}"
-    dest: /etc/iptables/rules.v6
-    lstrip_blocks: true
-    mode: "0644"
-  register: ipv6_rules_result
+    - name: Enabling netfilter-persistent service...
+      ansible.builtin.service:
+        name: netfilter-persistent
+        enabled: true
 
-- name: Restoring iptables IPv4 rules, if required...
-  ansible.builtin.shell: iptables-restore </etc/iptables/rules.v4
-  changed_when: true
-  when: ipv4_rules_result.changed
+    - name: Templating iptables IPv4 rules...
+      ansible.builtin.template:
+        src: "{{ ipv4_template_file }}"
+        dest: /etc/iptables/rules.v4
+        lstrip_blocks: true
+        mode: "0644"
+      register: ipv4_rules_result
 
-- name: Restoring iptables IPv6 rules, if required...
-  ansible.builtin.shell: ip6tables-restore </etc/iptables/rules.v6
-  changed_when: true
-  when: ipv6_rules_result.changed
+    - name: Templating iptables IPv6 rules...
+      ansible.builtin.template:
+        src: "{{ ipv6_template_file }}"
+        dest: /etc/iptables/rules.v6
+        lstrip_blocks: true
+        mode: "0644"
+      register: ipv6_rules_result
 
-- name: Starting & enabling iptables...
-  ansible.builtin.systemd:
-    name: iptables.service
-    state: started
-    enabled: true
-    daemon_reload: true
+    - name: Restoring iptables IPv4 rules, if required...
+      ansible.builtin.shell: iptables-restore </etc/iptables/rules.v4
+      changed_when: true
+      when: ipv4_rules_result.changed
 
-- name: Restarting iptables & required services...
-  when: ipv4_rules_result.changed or ipv6_rules_result.changed
-  block:
-    - name: Checking if Docker service exists...
-      ansible.builtin.systemd:
-        name: docker.service
-      register: docker_service_exists
+    - name: Restoring iptables IPv6 rules, if required...
+      ansible.builtin.shell: ip6tables-restore </etc/iptables/rules.v6
+      changed_when: true
+      when: ipv6_rules_result.changed
 
-    # This part is required to make sure automatic Docker IPTables rules get re-populated
-    - name: Restarting Docker service...
+    - name: Starting & enabling iptables...
       ansible.builtin.systemd:
-        name: docker.service
-        state: restarted
+        name: iptables.service
+        state: started
         enabled: true
-      when: docker_service_exists.status.LoadState != "not-found"
+        daemon_reload: true
+
+# This is required to make sure automatic Docker IPTables rules get re-populated
+- name: Checking if Docker service exists...
+  ansible.builtin.systemd:
+    name: docker.service
+  register: docker_service_exists
+  changed_when: docker_service_exists.status.LoadState != "not-found"
+  notify: Restarting Docker...
+  when: ipv4_rules_result.changed or ipv6_rules_result.changed
diff --git a/nova/core/roles/firewall/tasks/main.yml b/nova/core/roles/firewall/tasks/main.yml
@@ -5,6 +5,7 @@
     dest: /etc/sysctl.d/fw.conf
     mode: "0644"
     lstrip_blocks: true
+  notify: Rebooting...
 
 - name: Configuring sysctl...
   ansible.posix.sysctl:
@@ -26,3 +27,6 @@
 - name: Including nftables config...
   ansible.builtin.include_tasks: nftables.yml
   when: mode == "nftables"
+
+- name: Flushing handlers...
+  ansible.builtin.meta: flush_handlers
diff --git a/nova/core/roles/firewall/tasks/nftables.yml b/nova/core/roles/firewall/tasks/nftables.yml
@@ -1,11 +1,11 @@
 ---
 - name: Removing persistent iptables...
-  ansible.builtin.apt:
+  ansible.builtin.package:
     name: iptables-persistent
     state: absent
 
 - name: Installing nftables...
-  ansible.builtin.apt:
+  ansible.builtin.package:
     name: nftables
     state: present
     update_cache: true
@@ -21,26 +21,13 @@
     lstrip_blocks: true
     mode: "0644"
   register: nftables_rules
+  notify: Restarting nftables...
 
-- name: Restarting nftables & required services...
+# This is required to make sure automatic Docker IPTables rules get re-populated
+- name: Checking if Docker service exists...
+  ansible.builtin.systemd:
+    name: docker.service
+  register: docker_service_exists
+  changed_when: docker_service_exists.status.LoadState != "not-found"
+  notify: Restarting Docker...
   when: nftables_rules.changed
-  block:
-    - name: Starting & enabling nftables...
-      ansible.builtin.systemd:
-        name: nftables.service
-        state: restarted
-        enabled: true
-        daemon_reload: true
-
-    - name: Checking if Docker service exists...
-      ansible.builtin.systemd:
-        name: docker.service
-      register: docker_service_exists
-
-    # This part is required to make sure automatic Docker IPTables rules get re-populated
-    - name: Restarting Docker service...
-      ansible.builtin.systemd:
-        name: docker.service
-        state: restarted
-        enabled: true
-      when: docker_service_exists.status.LoadState != "not-found"