new firewall system

Render the template system wide, then apply. This way, the appdefinition.yml can contain everything that is required, and we don't have to specify this anymore in the main config
2025-07-14 18:35:05 +02:00 · 2025-07-14 18:35:05 +02:00 · 242a6d1cca
commit 242a6d1cca
parent cd8e0cbad7
6 changed files with 39 additions and 33 deletions
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@ -15,11 +15,6 @@ ppm_apps:
  - on_server: ppm.pfoe.be
    user: nginx
    chicken_egg_appdefinition: ../nginx/
-    firewall_redirect:
-      - from: 8080
-        to: 80
-      - from: 8443
-        to: 443
    appconfig:
      appinfo:
        url: https://ppm.pfoe.be/ppm/nginx.git
--- a/roles/ppm/files/ppmfirewall
+++ b/roles/ppm/files/ppmfirewall
@ -0,0 +1,22 @@
+#!/bin/bash
+
+# PPM Firewall
+
+{% for app in otherapps -%}
+{%- if "firewall" in otherapps[app]["imports"] -%}
+{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
+
+{% for redirect in oneapp.redirect %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+{% endfor %}
+{% for openport in oneapp.open %}
+# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% endfor %}
--- a/roles/ppm/tasks/firewall.yml
+++ b/roles/ppm/tasks/firewall.yml
@ -0,0 +1,13 @@
+- name: Configure firewall options
+  ansible.builtin.copy:
+    dest: /home/.ppmfirewalltemplate
+    group: root
+    owner: root
+    mode: "0755"
+    src: ppmfirewall
+
+- name: Render firewall
+  ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
+  register: firewall_render
+  changed_when: "'content did not change' not in firewall_render.stdout"
+  notify: Restart firewall
--- a/roles/ppm/tasks/main.yml
+++ b/roles/ppm/tasks/main.yml
@ -9,11 +9,5 @@
    label: "{{ ppm_app.user }}"
  when: ppm_app.on_server == inventory_hostname

- name: Configure firewall options
-  ansible.builtin.template:
-    dest: /etc/firewall.d/ppmfirewall
-    group: root
-    owner: root
-    mode: "0755"
-    src: ppmfirewall.j2
-  notify: Restart firewall
+- name: Arrange firewall
+  ansible.builtin.import_tasks: firewall.yml
--- a/roles/ppm/tasks/ppminstall.yml
+++ b/roles/ppm/tasks/ppminstall.yml
@ -19,6 +19,8 @@
      - python3-jsonschema
      # Git is required for checking out the app definitions
      - git
+      # Yeah we should use nftables, patches welcome. For now, we install iptables
+      - iptables

 - name: Create state directory
  ansible.builtin.file:
--- a/roles/ppm/templates/ppmfirewall.j2
+++ b/roles/ppm/templates/ppmfirewall.j2
@ -1,20 +0,0 @@
-#!/bin/bash
-
-# PPM Firewal, written by ansible
-
-{% for ppm_app in ppm_apps %}
-# Firewall for {{ ppm_app.user }}
-{% for redirect in ppm_app.firewall_redirect | default([]) %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-{% endfor %}
-{% for openport in ppm_app.firewall_openport | default([]) %}
-# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-
-{% endfor %}