firewalld vars (#33)

Changes:

- Role name prefix for `mirsg.infrastructure.firewalld` variables
- Move firewalld role variables out of `install_monitoring.yml` playbook

.github/workflows/molecule-monitoring.yml

@@ -43,7 +43,6 @@ jobs:
           molecule-plugins[docker] \
           docker \
           passlib \
-          bcrypt==4.0.1 \
           requests
 
       - name: Test with molecule

playbooks/install_monitoring.yml

@@ -29,12 +29,3 @@
   roles:
     - role: mirsg.infrastructure.monitoring_client
     - role: mirsg.infrastructure.firewalld
-      vars:
-        internal_zone_sources:
-          - "{{ monitoring_client_monitoring_server_ip }}"
-        rich_rules:
-          - zone: "internal"
-            rule: "family=ipv4 source \
-              address={{ monitoring_client_monitoring_server_ip }}/32 \
-              port protocol=tcp \
-              port={{ monitoring_client_node_exporter_port }} accept"

roles/firewalld/defaults/main.yml

@@ -1,47 +1,47 @@
 ---
 # defaults file for ../ansible-role-dual-vm-firewalld
-allow_public_access: false
+firewalld_allow_public_access: false
 
 # IP ranges allowing HTTP/HTTPS
-internal_zone_open_services:
+firewalld_internal_zone_open_services:
   - ssh
-public_zone_open_services: []
-work_zone_open_services: []
+firewalld_public_zone_open_services: []
+firewalld_work_zone_open_services: []
 
-internal_zone_closed_services:
+firewalld_internal_zone_closed_services:
   - samba-client
-public_zone_closed_services:
+firewalld_public_zone_closed_services:
   - ssh
-work_zone_closed_services:
+firewalld_work_zone_closed_services:
   - ssh
 
-internal_zone_sources: []
-work_zone_sources: []
-public_zone_sources: []
+firewalld_internal_zone_sources: []
+firewalld_work_zone_sources: []
+firewalld_public_zone_sources: []
 
-internal_zone_ports: []
-public_zone_ports: []
-work_zone_ports: []
+firewalld_internal_zone_ports: []
+firewalld_public_zone_ports: []
+firewalld_work_zone_ports: []
 
-close_zone_services:
-  internal: "{{ internal_zone_closed_services }}"
-  public: "{{ public_zone_closed_services }}"
-  work: "{{ work_zone_closed_services }}"
+firewalld_close_zone_services:
+  internal: "{{ firewalld_internal_zone_closed_services }}"
+  public: "{{ firewalld_public_zone_closed_services }}"
+  work: "{{ firewalld_work_zone_closed_services }}"
 
-open_zone_services:
-  internal: "{{ internal_zone_open_services }}"
-  public: "{{ public_zone_open_services }}"
-  work: "{{ work_zone_open_services }}"
+firewalld_open_zone_services:
+  internal: "{{ firewalld_internal_zone_open_services }}"
+  public: "{{ firewalld_public_zone_open_services }}"
+  work: "{{ firewalld_work_zone_open_services }}"
 
-zone_sources:
-  internal: "{{ internal_zone_sources }}"
-  public: "{{ public_zone_sources }}"
-  work: "{{ work_zone_sources }}"
+firewalld_zone_sources:
+  internal: "{{ firewalld_internal_zone_sources }}"
+  public: "{{ firewalld_public_zone_sources }}"
+  work: "{{ firewalld_work_zone_sources }}"
 
-zone_ports:
-  internal: "{{ internal_zone_ports }}"
-  public: "{{ public_zone_ports }}"
-  work: "{{ work_zone_ports }}"
+firewalld_zone_ports:
+  internal: "{{ firewalld_internal_zone_ports }}"
+  public: "{{ firewalld_public_zone_ports }}"
+  work: "{{ firewalld_work_zone_ports }}"
 
 # rich_rules should be a list of hashes
-rich_rules: []
+firewalld_rich_rules: []

roles/firewalld/tasks/main.yml

@@ -18,7 +18,7 @@
     immediate: true
     permanent: true
     state: disabled
-  loop: "{{ close_zone_services | dict2items | subelements('value') }}"
+  loop: "{{ firewalld_close_zone_services | dict2items | subelements('value') }}"
 
 - name: Open zones to services
   become: true
@@ -28,7 +28,7 @@
     immediate: true
     permanent: true
     state: enabled
-  loop: "{{ open_zone_services | dict2items | subelements('value') }}"
+  loop: "{{ firewalld_open_zone_services | dict2items | subelements('value') }}"
 
 - name: Open zones to sources
   become: true
@@ -38,7 +38,7 @@
     permanent: true
     immediate: true
     state: enabled
-  loop: "{{ zone_sources | dict2items | subelements('value') }}"
+  loop: "{{ firewalld_zone_sources | dict2items | subelements('value') }}"
 
 - name: Open zones to ports
   become: true
@@ -48,7 +48,7 @@
     immediate: true
     permanent: true
     state: enabled
-  loop: "{{ zone_ports | dict2items | subelements('value') }}"
+  loop: "{{ firewalld_zone_ports | dict2items | subelements('value') }}"
 
 - name: Add firewall rich rules
   become: true
@@ -58,13 +58,13 @@
     permanent: true
     immediate: true
     state: enabled
-  loop: "{{ rich_rules | default([]) }}"
+  loop: "{{ firewalld_rich_rules | default([]) }}"
 
 - name: Check firewall default zone
   become: true
   ansible.builtin.shell: |
     set -o pipefail
-    firewall-cmd --get-default-zone | grep -i {% if allow_public_access %}public{% else %}drop{% endif %}
+    firewall-cmd --get-default-zone | grep -i {% if firewalld_allow_public_access %}public{% else %}drop{% endif %}
   register: firewall_default_zone
   changed_when: firewall_default_zone.rc != 0
   failed_when: false
@@ -73,6 +73,6 @@
   become: true
   ansible.builtin.command: >-
     firewall-cmd
-    --set-default-zone={% if allow_public_access %}public{% else %}drop{% endif %}
+    --set-default-zone={% if firewalld_allow_public_access %}public{% else %}drop{% endif %}
   when: firewall_default_zone.rc != 0
   changed_when: firewall_default_zone.rc != 0

roles/monitoring_client/templates/node_exporter_web.yml.j2

@@ -2,4 +2,4 @@ tls_server_config:
   cert_file: node_exporter.crt
   key_file: node_exporter.key
 basic_auth_users:
-  {{ monitoring_client_exporter_username }}: {{ monitoring_client_exporter_password | password_hash('bcrypt') }}
+  {{ monitoring_client_exporter_username }}: {{ monitoring_client_exporter_password | password_hash }}

tests/molecule/resources/monitoring/inventory/group_vars/monitoring_client.yml

@@ -9,3 +9,13 @@ monitoring_client_ssl_csr_file: /root/monitoring_certs/monitoring.csr
 monitoring_client_ssl_pk8_file: /root/monitoring_certs/monitoring.pk8
 monitoring_client_ssl_cert_file: /root/monitoring_certs/cert.pem
 monitoring_client_server_ca_cert_file: /root/monitoring_certs/ca.pem
+
+# mirsg.infrastructure.firewalld
+firewalld_internal_zone_sources:
+  - "{{ monitoring_client_monitoring_server_ip }}"
+firewalld_rich_rules:
+  - zone: "internal"
+    rule: "family=ipv4 source \
+      address={{ monitoring_client_monitoring_server_ip }}/32 \
+      port protocol=tcp \
+      port={{ monitoring_client_node_exporter_port }} accept"

tests/molecule/resources/roles/inventory/group_vars/all.yml

@@ -31,20 +31,20 @@ install_python2:
 install_python: "{{ install_python3 }}" # default to Python 3
 
 # mirsg.infrastructure.firewalld
-allow_public_access: true
-internal_zone_open_services:
+firewalld_allow_public_access: true
+firewalld_internal_zone_open_services:
   - http
   - https
   - ssh
-public_zone_open_services:
+firewalld_public_zone_open_services:
   - http
   - https
-work_zone_open_services:
+firewalld_work_zone_open_services:
   - http
   - https
-public_zone_ports:
+firewalld_public_zone_ports:
   - "8080"
-internal_zone_ports:
+firewalld_internal_zone_ports:
   - "5432"
 
 # mirsg.infrastructure.postgresql

tests/molecule/resources/roles/verify/firewalld.yml

@@ -30,43 +30,43 @@
   ansible.builtin.assert:
     that:
       - "'{{ item }}' in internal_zone_services.stdout"
-  loop: "{{ internal_zone_open_services }}"
-  when: internal_zone_open_services is defined
+  loop: "{{ firewalld_internal_zone_open_services }}"
+  when: firewalld_internal_zone_open_services is defined
 
 - name: Test that correct services are in public zone
   ansible.builtin.assert:
     that:
       - "'{{ item }}' in public_zone_services.stdout"
-  loop: "{{ public_zone_open_services }}"
-  when: public_zone_open_services is defined
+  loop: "{{ firewalld_public_zone_open_services }}"
+  when: firewalld_public_zone_open_services is defined
 
 - name: Test that correct services are in work zone
   ansible.builtin.assert:
     that:
       - "'{{ item }}' in work_zone_services.stdout"
-  loop: "{{ work_zone_open_services }}"
-  when: work_zone_open_services is defined
+  loop: "{{ firewalld_work_zone_open_services }}"
+  when: firewalld_work_zone_open_services is defined
 
 - name: Test that internal zone is closed to the correct services
   ansible.builtin.assert:
     that:
       - "'{{ item }}' not in internal_zone_services.stdout"
-  loop: "{{ internal_zone_closed_services }}"
-  when: internal_zone_closed_services is defined
+  loop: "{{ firewalld_internal_zone_closed_services }}"
+  when: firewalld_internal_zone_closed_services is defined
 
 - name: Test that public zone is closed to the correct services
   ansible.builtin.assert:
     that:
       - "'{{ item }}' not in public_zone_services.stdout"
-  loop: "{{ public_zone_closed_services }}"
+  loop: "{{ firewalld_public_zone_closed_services }}"
   when: public_zone_closed_services is defined
 
 - name: Test that work zone is closed to the correct services
   ansible.builtin.assert:
     that:
       - "'{{ item }}' not in work_zone_services.stdout"
-  loop: "{{ work_zone_closed_services }}"
-  when: work_zone_closed_services is defined
+  loop: "{{ firewalld_work_zone_closed_services }}"
+  when: firewalld_work_zone_closed_services is defined
 
 - name: Get firewall default zone
   become: true
@@ -80,9 +80,9 @@
 - name: Assert that public is the default zone
   ansible.builtin.assert:
     that: "'public' in firewall_default_zone.stdout"
-  when: allow_public_access
+  when: firewalld_allow_public_access
 
 - name: Assert that drop is the default zone
   ansible.builtin.assert:
     that: "'drop' in firewall_default_zone.stdout"
-  when: not allow_public_access
+  when: not firewalld_allow_public_access