From 242a6d1cca3d3cf0a317ac82317defc87cc769b4 Mon Sep 17 00:00:00 2001
From: Peter
Date: Mon, 14 Jul 2025 18:35:05 +0200
Subject: [PATCH] new firewall system Render the template system wide, then apply. This way, the appdefinition.yml can contain everything that is required, and we don't have to specify this anymore in the main config
---
group_vars/all/applications.yml | 5 -----
roles/ppm/files/ppmfirewall | 22 ++++++++++++++++++++++
roles/ppm/tasks/firewall.yml | 13 +++++++++++++
roles/ppm/tasks/main.yml | 10 ++--------
roles/ppm/tasks/ppminstall.yml | 2 ++
roles/ppm/templates/ppmfirewall.j2 | 20 --------------------
6 files changed, 39 insertions(+), 33 deletions(-)
create mode 100644 roles/ppm/files/ppmfirewall
create mode 100644 roles/ppm/tasks/firewall.yml
delete mode 100644 roles/ppm/templates/ppmfirewall.j2
diff --git a/group_vars/all/applications.yml b/group_vars/all/applications.yml
index 40a27dd..3df2f28 100644
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@@ -15,11 +15,6 @@ ppm_apps: - on_server: ppm.pfoe.be user: nginx chicken_egg_appdefinition: ../nginx/ - firewall_redirect: - - from: 8080 to: 80 - - from: 8443 to: 443 appconfig: appinfo: url: https://ppm.pfoe.be/ppm/nginx.git
diff --git a/roles/ppm/files/ppmfirewall b/roles/ppm/files/ppmfirewall
new file mode 100644
index 0000000..1f63bd8
--- /dev/null
+++ b/roles/ppm/files/ppmfirewall
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# PPM Firewall
+
+{% for app in otherapps -%}
+{%- if "firewall" in otherapps[app]["imports"] -%}
+{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
+
+{% for redirect in oneapp.redirect %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+{% endfor %}
+{% for openport in oneapp.open %}
+# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/roles/ppm/tasks/firewall.yml b/roles/ppm/tasks/firewall.yml
new file mode 100644
index 0000000..2b58d7b
--- /dev/null
+++ b/roles/ppm/tasks/firewall.yml
@@ -0,0 +1,13 @@
+- name: Configure firewall options
+ ansible.builtin.copy:
+ dest: /home/.ppmfirewalltemplate
+ group: root
+ owner: root
+ mode: "0755"
+ src: ppmfirewall
+
+- name: Render firewall
+ ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
+ register: firewall_render
+ changed_when: "'content did not change' not in firewall_render.stdout"
+ notify: Restart firewall
diff --git a/roles/ppm/tasks/main.yml b/roles/ppm/tasks/main.yml
index b6acf32..d8bf828 100644
--- a/roles/ppm/tasks/main.yml
+++ b/roles/ppm/tasks/main.yml
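Review bot: The `{{ redirect.from }}`, `{{ redirect.to }}`, `{{ redirect.proto }}` and `{{ openport.port }}` values are spliced unescaped into iptables/ip6tables commands that this script runs as root, and per the commit message they now come from each app's appdefinition.yml (checked out with git, per ppminstall.yml) instead of the operator-controlled group_vars, so anyone who can edit an app definition can open arbitrary ports on the host or, with a value such as `80; <cmd>`, execute arbitrary commands whenever the firewall is (re)started. If the `ppm template` renderer is Jinja2-compatible, coerce the port values on every rule line, e.g. `--dport {{ redirect.to | int }}` and `--to-ports {{ redirect.to | int }}`, and check `proto` against a tcp/udp allow-list before emitting the rule (or reject bad definitions up front with the jsonschema validation the role already installs). Separately, `oneapp.redirect` and `oneapp.open` are iterated without the `| default([])` that the removed ppmfirewall.j2 used, so a firewall section declaring only one of the two keys will either fail to render or silently emit nothing, depending on how the renderer treats undefined names.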
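Review bot: In the `Render firewall` task the two commands are joined with `;`, so the task's exit status is that of `chmod` and a failed `ppm template` run (missing template, render error from a bad app definition) goes unnoticed while a stale or partial `/etc/firewall.d/ppmfirewall` is still marked executable and, since `changed_when` only inspects stdout, the handler may restart the firewall on it; join them with `&&`, i.e. `ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall && chmod 755 /etc/firewall.d/ppmfirewall`, or drop the chmod in favour of a following `ansible.builtin.file` task with `mode: "0755"`. The change detection also depends on the exact phrase `content did not change` appearing on stdout, which is not documented anywhere in the role; a comment such as `# ppm template prints 'content did not change' when the rendered file is identical` above `changed_when` would make that contract visible, and checking `firewall_render.rc` as well would avoid reporting changed on a failed render. Placing the root-owned template at `/home/.ppmfirewalltemplate` is also unusual; a path under `/etc/ppm/` or `/var/lib/ppm/` would keep it with the rest of the role's state rather than in the users' home tree.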
@@ -9,11 +9,5 @@ label: "{{ ppm_app.user }}" when: ppm_app.on_server == inventory_hostname
-- name: Configure firewall options
- ansible.builtin.template:
- dest: /etc/firewall.d/ppmfirewall
- group: root
- owner: root
- mode: "0755"
- src: ppmfirewall.j2
- notify: Restart firewall
+- name: Arrange firewall
+ ansible.builtin.import_tasks: firewall.yml
diff --git a/roles/ppm/tasks/ppminstall.yml b/roles/ppm/tasks/ppminstall.yml
index 3619992..022f3e8 100644
--- a/roles/ppm/tasks/ppminstall.yml
+++ b/roles/ppm/tasks/ppminstall.yml
@@ -19,6 +19,8 @@ - python3-jsonschema # Git is required for checking out the app definitions - git
+ # Yeah we should use nftables, patches welcome. For now, we install iptables
+ - iptables - name: Create state directory ansible.builtin.file:
diff --git a/roles/ppm/templates/ppmfirewall.j2 b/roles/ppm/templates/ppmfirewall.j2
deleted file mode 100644
index 1682c11..0000000
--- a/roles/ppm/templates/ppmfirewall.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# PPM Firewal, written by ansible
-
-{% for ppm_app in ppm_apps %}
-# Firewall for {{ ppm_app.user }}
-{% for redirect in ppm_app.firewall_redirect | default([]) %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-{% endfor %}
-{% for openport in ppm_app.firewall_openport | default([]) %}
-# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-
-{% endfor %}