From e298d5afa22caf72fee259acfbab6c36e6e17086 Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Tue, 9 Nov 2021 20:59:45 -0500
Subject: [PATCH] Add firewall configuration to server role

---
 inventory.yaml | 7 +++++++
 roles/server/tasks/firewalld.yaml | 29 +++++++++++++++++++++++++++++
 roles/server/tasks/main.yaml | 4 ++++
 3 files changed, 40 insertions(+)
 create mode 100644 roles/server/tasks/firewalld.yaml

diff --git a/inventory.yaml b/inventory.yaml
index 5aefec2..da2a61a 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -57,6 +57,7 @@ en1:
 bond: bond0
 bond0:
 type: bond
+ firewall: internal
 gateway: 10.42.101.1/24
 dns:
 - 10.42.101.1
@@ -66,6 +67,7 @@ en1:
 dhcp: false
 bond0.99:
 type: vlan
+ firewall: trusted
 addresses:
 - 192.168.42.10/24
 dhcp: false
@@ -84,6 +86,7 @@ en1:
 bond: bond0
 bond0:
 type: bond
+ firewall: internal
 dhcp: false
 gateway: 10.42.101.1/24
 addresses:
@@ -93,6 +96,7 @@ en1:
 - 10.42.101.1
 bond0.99:
 type: vlan
+ firewall: trusted
 dhcp: false
 addresses:
 - 192.168.42.20/24
@@ -104,6 +108,7 @@ en1:
 skylab_cluster:
 address: 10.42.101.12/24
 interface: bond0
+ skylab_datastore_device: sdb
 skylab_networking:
 eno1:
 bond: bond0
@@ -111,6 +116,7 @@ en1:
 bond: bond0
 bond0:
 type: bond
+ firewall: internal
 gateway: 10.42.101.1/24
 dns:
 - 10.42.101.1
@@ -120,6 +126,7 @@ en1:
 dhcp: false
 bond0.99:
 type: vlan
+ firewall: trusted
 addresses:
 - 192.168.42.30/24
 dhcp: false
diff --git a/roles/server/tasks/firewalld.yaml b/roles/server/tasks/firewalld.yaml
new file mode 100644
index 0000000..132aece
--- /dev/null
+++ b/roles/server/tasks/firewalld.yaml
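Review bot: `firewall: trusted` in the hunk at @@ -66,6 +67,7 @@ binds the bond0.99 VLAN interface (192.168.42.10/24) to firewalld's built-in `trusted` zone, which accepts every inbound connection, so this host is effectively unfiltered on that interface; the same value is added for the other two hosts in the hunks at @@ -93,6 +96,7 @@ and @@ -120,6 +126,7 @@. Nothing in this patch constrains the value, it flows straight into `zone:` in roles/server/tasks/firewalld.yaml, so the inventory is now a security-relevant input and deserves a line of justification. If the wide-open zone is intended for this VLAN, a comment beside each occurrence such as `# firewalld 'trusted' zone: all inbound traffic is accepted on this VLAN (<reason the VLAN is considered safe>)` keeps the intent visible to whoever next edits the inventory.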
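Review bot: `skylab_datastore_device: sdb` in the hunk at @@ -104,6 +108,7 @@ is unrelated to the firewall configuration the subject line describes, and no task in this patch reads it. Splitting it into its own commit, or at least naming it in the commit message, would keep the history greppable; as written, a reader bisecting a datastore problem will not find this change under its subject.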
@@ -0,0 +1,29 @@
+---
+- name: Enable systemd-firewalld
+ become: true
+ ansible.builtin.systemd:
+ name: firewalld
+ state: started
+ enabled: true
+
+- name: Configure firewall interface zones
+ become: true
+ when: item.value.firewall is defined
+ ansible.posix.firewalld:
+ interface: "{{ item.key }}"
+ zone: "{{ item.value.firewall }}"
+ state: enabled
+ permanent: true
+ immediate: true
+ loop: "{{ skylab_networking | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+
+- name: Configure firewall for docker interface
+ become: true
+ when: "'docker0' in ansible_interfaces"
+ ansible.posix.firewalld:
+ interface: docker0
+ zone: dmz
+ permanent: true
+ immediate: true
diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml
index 7b4be99..db00e98 100644
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -9,6 +9,10 @@
 when: skylab_networking is defined
 ansible.builtin.include_tasks: networkd.yaml

+- name: Configure firewall settings
+ when: skylab_networking is defined
+ ansible.builtin.include_tasks: firewalld.yaml
+
 - name: Configure hostsfile
 when: skylab_direct_peers is defined
 ansible.builtin.include_tasks: hosts.yaml
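Review bot: The third task, `Configure firewall for docker interface`, omits `state`, while the second task sets `state: enabled` for the same module and operation; as far as I recall `state` is a required option of ansible.posix.firewalld, so on a host that has `docker0` this task would fail with a missing-argument error rather than zone the interface. Adding `state: enabled` under `zone: dmz` fixes that and makes the two firewalld tasks consistent. Separately, `zone: "{{ item.value.firewall }}"` passes an inventory string straight to firewalld with no check, so a typo is only caught when firewalld rejects it mid-play and a stray `trusted` silently opens an interface; a validation task ahead of the zone assignment, restricting values to the zones this role actually expects, fails early and documents the allowed set. The task name `Enable systemd-firewalld` also names a unit that does not match the `firewalld` service the task manages.
```yaml
- name: Validate requested firewall zones
  ansible.builtin.assert:
    that:
      - item.value.firewall in ['internal', 'trusted', 'dmz']
    fail_msg: "{{ item.key }}: unexpected firewall zone '{{ item.value.firewall }}'"
  when: item.value.firewall is defined
  loop: "{{ skylab_networking | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# … unchanged: Enable firewalld / Configure firewall interface zones tasks …

- name: Configure firewall for docker interface
  become: true
  when: "'docker0' in ansible_interfaces"
  ansible.posix.firewalld:
    interface: docker0
    zone: dmz
    state: enabled
    permanent: true
    immediate: true
```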
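Review bot: The new include is gated on `when: skylab_networking is defined`, so a host without that variable never reaches the first task of firewalld.yaml and is left with firewalld neither started nor enabled, and with `docker0` unzoned, even though only the interface-zone task actually needs `skylab_networking`. If every host in this role defines the variable this is harmless, but that assumption is not recorded anywhere; either state it in a comment on the include, or drop the `when` here and make the loop tolerate the missing variable with `loop: "{{ skylab_networking | default({}) | dict2items }}"` so the service-enable and docker tasks always run. The enclosing task list continues outside the hunk.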