Add firewall configuration to server role

2021-11-09 20:59:45 -05:00 · 2021-11-09 20:59:45 -05:00 · e298d5afa2
parent bcbdd75185
commit e298d5afa2
3 changed files with 40 additions and 0 deletions
--- a/inventory.yaml
+++ b/inventory.yaml
@ -57,6 +57,7 @@ en1:
              bond: bond0
            bond0:
              type: bond
+              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
@ -66,6 +67,7 @@ en1:
              dhcp: false
            bond0.99:
              type: vlan
+              firewall: trusted
              addresses:
                - 192.168.42.10/24
              dhcp: false
@ -84,6 +86,7 @@ en1:
              bond: bond0
            bond0:
              type: bond
+              firewall: internal
              dhcp: false
              gateway: 10.42.101.1/24
              addresses:
@ -93,6 +96,7 @@ en1:
                - 10.42.101.1
            bond0.99:
              type: vlan
+              firewall: trusted
              dhcp: false
              addresses:
                - 192.168.42.20/24
@ -104,6 +108,7 @@ en1:
          skylab_cluster:
            address: 10.42.101.12/24
            interface: bond0
+          skylab_datastore_device: sdb
          skylab_networking:
            eno1:
              bond: bond0
@ -111,6 +116,7 @@ en1:
              bond: bond0
            bond0:
              type: bond
+              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
@ -120,6 +126,7 @@ en1:
              dhcp: false
            bond0.99:
              type: vlan
+              firewall: trusted
              addresses:
                - 192.168.42.30/24
              dhcp: false
--- a/roles/server/tasks/firewalld.yaml
+++ b/roles/server/tasks/firewalld.yaml
@ -0,0 +1,29 @@
+---
+- name: Enable systemd-firewalld
+  become: true
+  ansible.builtin.systemd:
+    name: firewalld
+    state: started
+    enabled: true
+
+- name: Configure firewall interface zones
+  become: true
+  when: item.value.firewall is defined
+  ansible.posix.firewalld:
+    interface: "{{ item.key }}"
+    zone: "{{ item.value.firewall }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop: "{{ skylab_networking | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Configure firewall for docker interface
+  become: true
+  when: "'docker0' in ansible_interfaces"
+  ansible.posix.firewalld:
+    interface: docker0
+    zone: dmz
+    permanent: true
+    immediate: true
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@ -9,6 +9,10 @@
  when: skylab_networking is defined
  ansible.builtin.include_tasks: networkd.yaml

+- name: Configure firewall settings
+  when: skylab_networking is defined
+  ansible.builtin.include_tasks: firewalld.yaml
+
 - name: Configure hostsfile
  when: skylab_direct_peers is defined
  ansible.builtin.include_tasks: hosts.yaml