authorRomain Gonçalves <me@rgoncalves.se>2023-01-09 22:39:47 +0100
committerRomain Gonçalves <me@rgoncalves.se>2023-04-02 11:45:09 +0200
commit1ff0fc1803fc71d925a0f2d0cf9c27058914044a (patch)
treeaff689ecd6397f2cf6ae9a4800b5f02b514afe17 /roles
parentd1924d9c361470556dd1a935137a79bc0df8b099 (diff)
feat(roles/pf): add argument specs
Diffstat (limited to 'roles')
-rw-r--r--roles/pf/defaults/main.yml7
-rw-r--r--roles/pf/handlers/main.yml14
-rw-r--r--roles/pf/meta/main.yml42
-rw-r--r--roles/pf/tasks/main.yml27
-rw-r--r--roles/pf/templates/pf.conf.j26
5 files changed, 68 insertions, 28 deletions
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
index 29a53f8..90b4c7e 100644
--- a/roles/pf/defaults/main.yml
+++ b/roles/pf/defaults/main.yml
@@ -1,13 +1,8 @@
---
pf_rules: null
-# name: ...
-# protocol: ...
-# port: ...
-# name: ...
-# protocol: ...
-# port: ...
pf_configuration_file: /etc/pf.conf
+pf_test_delay: 2
pf_test_ports:
- "{{ ansible_port }}"
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
deleted file mode 100644
index 2d518eb..0000000
--- a/roles/pf/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-
-- name: lint pf configuration
- ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
-
-- name: enable pf
- ansible.builtin.command: pfctl -e
- register: pf_result_enable
- failed_when:
- - pf_result_enable.result.rc != 0
- - "'already enabled' not in pf_result_enabled.result.stderr"
-
-- name: restart pf
- ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
diff --git a/roles/pf/meta/main.yml b/roles/pf/meta/main.yml
new file mode 100644
index 0000000..8a6aa88
--- /dev/null
+++ b/roles/pf/meta/main.yml
@@ -0,0 +1,42 @@
+---
+
+argument_specs:
+ main:
+ short_description: pf main entrypoint.
+ options:
+
+ pf_rules:
+ type: list
+ elements: dict
+ required: true
+ options:
+ name:
+ type: str
+ required: true
+ protocol:
+ type: str
+ required: true
+ choices:
+ - tcp
+ - udp
+ description: Network protocol
+ port:
+ type: int
+ required: true
+ description: Port to be configured
+
+ pf_configuration_file:
+ type: path
+ required: true
+ description: Pf configuration file
+
+ pf_test_delay:
+ type: int
+ required: true
+ description: Pf test delay
+
+ pf_test_ports:
+ type: list
+ element: int
+ required: true
+ description: Ports to be tested
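Review bot: `pf_test_ports` declares `element: int`, but the argument-spec key is `elements:` (spelled correctly for `pf_rules` further up), so the per-item type of the ports list is not validated; change it to `elements: int`. Separately, `pf_rules` is `required: true` with `type: list` while `roles/pf/defaults/main.yml` keeps `pf_rules: null`, so a host that defines no rules will presumably fail spec validation (None is not convertible to a list), and if validation is skipped the `{% for rule in pf_rules %}` loop in `roles/pf/templates/pf.conf.j2` would iterate over None; either default to `pf_rules: []` or drop `required: true`. The `name` option also lacks a `description`, unlike its siblings; `description: Label emitted as a comment above the generated rule` would keep the spec self-documenting.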
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 8e81e1c..4fba69e 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -7,14 +7,31 @@
owner: 0
group: 0
mode: "0600"
- notify:
- - lint pf configuration
- - enable pf
- - restart pf
+ register: pf_result_generate_configuration
+
+- name: lint pf configuration # noqa: no-handler
+ ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
+ register: pf_result_lint_configuration
+ changed_when:
+ - pf_result_generate_configuration.changed
+ - pf_result_lint_configuration.rc != 0
+
+- name: restart pf # noqa: no-handler
+ ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
+ when: pf_result_generate_configuration.changed
- name: test pf rules
ansible.builtin.wait_for:
port: "{{ item }}"
- delay: 2
+ delay: "{{ pf_test_delay }}"
state: started
loop: "{{ pf_test_ports }}"
+
+- name: enable pf
+ ansible.builtin.command: pfctl -e
+ register: pf_result_enable
+ changed_when:
+ - "'already enabled' not in pf_result_enable.stderr"
+ failed_when:
+ - pf_result_enable.rc != 0
+ - "'already enabled' not in pf_result_enable.stderr"
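Review bot: `enable pf` now runs after `test pf rules`, so on a host where pf is not yet enabled the rules are loaded by `restart pf` and the `wait_for` port checks run while the firewall is still disabled, only to have `pfctl -e` enable it afterwards; the deleted handlers file listed `enable pf` before `restart pf`. Moving the `enable pf` task directly after `restart pf` and ahead of `test pf rules` would keep the port checks as a real lockout guard on first run. In `lint pf configuration`, `changed_when` can only evaluate true when `rc != 0`, at which point the default failure condition already fails the task, so `changed_when: false` states the intent more directly. The task that owns the `register: pf_result_generate_configuration` added at the top of the hunk starts outside it.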
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index e60b4a6..193c9d2 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -11,9 +11,9 @@ block all
pass in quick on egress proto tcp to port {{ ansible_port }}
# host services
-{% for name, rules in pf_rules.items() %}
-# {{ name }}
-pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }}
+{% for rule in pf_rules %}
+# {{ rule.name }}
+pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}
{% endfor %}
# wireguard