diff options
author | Romain Gonçalves <me@rgoncalves.se> | 2023-01-09 22:39:47 +0100 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2023-04-02 11:45:09 +0200 |
commit | 1ff0fc1803fc71d925a0f2d0cf9c27058914044a (patch) | |
tree | aff689ecd6397f2cf6ae9a4800b5f02b514afe17 /roles/pf | |
parent | d1924d9c361470556dd1a935137a79bc0df8b099 (diff) | |
download | rules-1ff0fc1803fc71d925a0f2d0cf9c27058914044a.tar.gz |
feat(roles/pf): add argument specs
Diffstat (limited to 'roles/pf')
-rw-r--r-- | roles/pf/defaults/main.yml | 7 | ||||
-rw-r--r-- | roles/pf/handlers/main.yml | 14 | ||||
-rw-r--r-- | roles/pf/meta/main.yml | 42 | ||||
-rw-r--r-- | roles/pf/tasks/main.yml | 27 | ||||
-rw-r--r-- | roles/pf/templates/pf.conf.j2 | 6 |
5 files changed, 68 insertions, 28 deletions
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml index 29a53f8..90b4c7e 100644 --- a/roles/pf/defaults/main.yml +++ b/roles/pf/defaults/main.yml @@ -1,13 +1,8 @@ --- pf_rules: null -# name: ... -# protocol: ... -# port: ... -# name: ... -# protocol: ... -# port: ... pf_configuration_file: /etc/pf.conf +pf_test_delay: 2 pf_test_ports: - "{{ ansible_port }}" diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml deleted file mode 100644 index 2d518eb..0000000 --- a/roles/pf/handlers/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: lint pf configuration - ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}" - -- name: enable pf - ansible.builtin.command: pfctl -e - register: pf_result_enable - failed_when: - - pf_result_enable.result.rc != 0 - - "'already enabled' not in pf_result_enabled.result.stderr" - -- name: restart pf - ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}" diff --git a/roles/pf/meta/main.yml b/roles/pf/meta/main.yml new file mode 100644 index 0000000..8a6aa88 --- /dev/null +++ b/roles/pf/meta/main.yml @@ -0,0 +1,42 @@ +--- + +argument_specs: + main: + short_description: pf main entrypoint. + options: + + pf_rules: + type: list + elements: dict + required: true + options: + name: + type: str + required: true + protocol: + type: str + required: true + choices: + - tcp + - udp + description: Network protocol + port: + type: int + required: true + description: Port to be configured + + pf_configuration_file: + type: path + required: true + description: Pf configuration file + + pf_test_delay: + type: int + required: true + description: Pf test delay + + pf_test_ports: + type: list + element: int + required: true + description: Ports to be tested diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 8e81e1c..4fba69e 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -7,14 +7,31 @@ owner: 0 group: 0 mode: "0600" - notify: - - lint pf configuration - - enable pf - - restart pf + register: pf_result_generate_configuration + +- name: lint pf configuration # noqa: no-handler + ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}" + register: pf_result_lint_configuration + changed_when: + - pf_result_generate_configuration.changed + - pf_result_lint_configuration.rc != 0 + +- name: restart pf # noqa: no-handler + ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}" + when: pf_result_generate_configuration.changed - name: test pf rules ansible.builtin.wait_for: port: "{{ item }}" - delay: 2 + delay: "{{ pf_test_delay }}" state: started loop: "{{ pf_test_ports }}" + +- name: enable pf + ansible.builtin.command: pfctl -e + register: pf_result_enable + changed_when: + - "'already enabled' not in pf_result_enable.stderr" + failed_when: + - pf_result_enable.rc != 0 + - "'already enabled' not in pf_result_enable.stderr" diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index e60b4a6..193c9d2 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 @@ -11,9 +11,9 @@ block all pass in quick on egress proto tcp to port {{ ansible_port }} # host services -{% for name, rules in pf_rules.items() %} -# {{ name }} -pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }} +{% for rule in pf_rules %} +# {{ rule.name }} +pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }} {% endfor %} # wireguard |