From 22876630b804a3cc35d22e95ed5465e3ed24c1ea Mon Sep 17 00:00:00 2001
From: Allar Viik
Date: Tue, 20 Feb 2024 13:56:52 +0200
Subject: [PATCH] Added Archlinux support for `firewall` role
---
nova/core/roles/firewall/handlers/main.yml | 16 +++
nova/core/roles/firewall/tasks/iptables.yml | 108 ++++++++++----------
nova/core/roles/firewall/tasks/main.yml | 4 +
nova/core/roles/firewall/tasks/nftables.yml | 33 ++----
4 files changed, 86 insertions(+), 75 deletions(-)
create mode 100644 nova/core/roles/firewall/handlers/main.yml
diff --git a/nova/core/roles/firewall/handlers/main.yml b/nova/core/roles/firewall/handlers/main.yml
new file mode 100644
index 00000000..c3e38859
--- /dev/null
+++ b/nova/core/roles/firewall/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Restarting nftables...
+ ansible.builtin.systemd:
+ name: nftables.service
+ state: restarted
+ enabled: true
+ daemon_reload: true
+
+- name: Restarting Docker...
+ ansible.builtin.systemd:
+ name: docker.service
+ state: restarted
+
+- name: Rebooting...
+ ansible.builtin.reboot:
+ when: ansible_os_family == "Archlinux" # For some reason nftables does not work without a reboot on Archlinux
diff --git a/nova/core/roles/firewall/tasks/iptables.yml b/nova/core/roles/firewall/tasks/iptables.yml
index 93d59c54..d15311b2 100644
--- a/nova/core/roles/firewall/tasks/iptables.yml
+++ b/nova/core/roles/firewall/tasks/iptables.yml
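Review bot: `state: restarted` in the "Restarting nftables..." handler stops the unit before starting it again, and if the host's nftables.service flushes the ruleset in its ExecStop (as the upstream unit does) every notified firewall change leaves a short window with no filtering at all; `state: reloaded` applies the new ruleset atomically through ExecReload, with the caveat that the unit must already be active, so a first run may need a separate `state: started`. The "Rebooting..." handler reboots the whole host on Archlinux and its only justification is that nftables "does not work" without it, which gives the next maintainer nothing to verify before removing it; a comment recording the observed symptom would help, e.g. `# Workaround: the templated ruleset is not active after a service restart on Archlinux; root cause not yet identified`. Since handlers run in file order, the Docker restart on the new side still follows the nftables restart, which is presumably intended so Docker re-inserts its own rules after the base ruleset is loaded; worth stating in a comment so a later reorder does not silently break it.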
@@ -1,77 +1,81 @@ --- - name: Removing nftables... - ansible.builtin.apt: + ansible.builtin.package: name: nftables state: absent - name: Installing iptables... - ansible.builtin.apt: - name: - - iptables - - iptables-persistent + ansible.builtin.package: + name: iptables state: present update_cache: true - register: firewall_dependencies_install - until: not firewall_dependencies_install.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed + register: iptables_install + until: not iptables_install.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed retries: 10 delay: 6 -- name: Enabling netfilter-persistent service... - ansible.builtin.service: - name: netfilter-persistent - enabled: true - - name: Creating iptables directory... ansible.builtin.file: path: /etc/iptables state: directory mode: "0755" -- name: Templating iptables IPv4 rules... - ansible.builtin.template: - src: "{{ ipv4_template_file }}" - dest: /etc/iptables/rules.v4 - lstrip_blocks: true - mode: "0644" - register: ipv4_rules_result +- name: Installing and configuring iptables for Debian based OS... + when: ansible_os_family == "Debian" + block: + - name: Installing iptables-persistent... + ansible.builtin.package: + name: + - iptables-persistent + state: present + register: iptables_persistent_isntall + until: not iptables_persistent_isntall.failed # Because sometimes the primary DNS is not up yet or egress FW is still being deployed + retries: 10 + delay: 6 -- name: Templating iptables IPv6 rules... - ansible.builtin.template: - src: "{{ ipv6_template_file }}" - dest: /etc/iptables/rules.v6 - lstrip_blocks: true - mode: "0644" - register: ipv6_rules_result + - name: Enabling netfilter-persistent service... + ansible.builtin.service: + name: netfilter-persistent + enabled: true -- name: Restoring iptables IPv4 rules, if required... - ansible.builtin.shell: iptables-restore