ctucx.git: ansible-configs

My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 02f94ca29ae71161cc7e744fda94acb1545c6f0e
parent eb6b46e1633e3c3c1a4e73072d65e52d46db1e95
Author: Leah Thein <leah@toaster.home.ctu.cx>
Date: Sun, 6 Dec 2020 23:31:17 +0100

common: add support for ferm
8 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/config-files/ferm/ferm.initd b/config-files/ferm/ferm.initd
@@ -0,0 +1,34 @@
+#!/sbin/openrc-run
+
+description="For Easy Rule Making"
+description_export="Export ruleset into iptables format"
+
+extra_commands="dump"
+
+conf_file="${ferm_file:-/etc/ferm.conf}"
+dump_file="${ferm_dump:-/etc/ferm.iptables}"
+
+depend() { # taken from current edge iptables
+  after net
+  after sysctl
+  use logger
+  provide firewall
+}
+
+start() {
+  ebegin "Loading ${conf_file} ruleset"
+  ferm "${conf_file}"
+  eend $?
+}
+
+stop() {
+  ebegin "Unloading ${conf_file} rules"
+  ferm -F "${conf_file}"
+  eend $?
+}
+
+dump() {
+  ebegin "Exporting ${conf_file} into ${dump_file}"
+  ferm --remote "${conf_file}" > "${dump_file}"
+  eend $?
+}
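Review bot: `description_export` on line 17 is never shown, because OpenRC's `describe` looks up `description_<command>` for each name in `extra_commands`, and the command declared on line 19 is `dump`; the variable should be `description_dump="Export ruleset into iptables format"`. The redirect in `dump()` on line 45 truncates `${dump_file}` before ferm has parsed the config, so a syntax error leaves an empty export behind even though `eend $?` reports the failure; `ferm --remote "${conf_file}" > "${dump_file}.tmp" && mv "${dump_file}.tmp" "${dump_file}"` keeps the previous export intact. `stop()` runs `ferm -F`, which flushes the rules and, per ferm's flush semantics, leaves the affected chains with ACCEPT policies, so a comment above the function such as `# flushing leaves the host unfiltered until start() runs again` would make the cost of `rc-service ferm stop` explicit. `start()` applies the config without a prior `ferm --noexec` check; ferm aborts on parse errors before touching iptables, so this is acceptable, but a comment saying so would spare the next reader the question.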
diff --git a/roles/common/tasks/chrony.yml b/roles/common/tasks/chrony.yml
@@ -2,12 +2,13 @@
 
 - name: "Install package: chrony" 
   apk:
-   name: chrony 
-   state: present
-   update_cache: yes
+    name: chrony 
+    state: present
+    update_cache: yes
 
 - name: "Enable and restart service: chrony"
   service:
-   name: chronyd
-   enabled: yes
-   state: restarted
+    name: chronyd
+    enabled: yes
+    state: restarted
+  ignore_errors: yes+
\ No newline at end of file
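Review bot: `ignore_errors: yes` on line 68 turns any failure of the chronyd enable/restart into a green run, so a host that silently ends up without time sync (which undermines log correlation and certificate validity checks) would not be noticed. If the intent is to tolerate one specific case, such as a container where the service cannot start, scope it with `failed_when` or `register` the result and report it, rather than ignoring every error. Style aside, `enabled: true` / `update_cache: true` / `ignore_errors: true` are the portable boolean spellings (yamllint `truthy`), and `name: chrony ` on line 56 and the task name on line 51 keep a trailing space.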
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall-awall.yml
diff --git a/roles/common/tasks/firewall-ferm.yml b/roles/common/tasks/firewall-ferm.yml
@@ -0,0 +1,23 @@
+---
+
+- name: "Install Package: ferm"
+  apk:
+    name: ferm
+
+- name: copy service file to destination
+  copy:
+    src: config-files/ferm/ferm.initd
+    dest: /etc/init.d/ferm
+    mode: 0755
+
+- name: copy ferm config to destination
+  copy:
+    src: "config-files/ferm/ferm-{{ network.hostname }}.conf"
+    dest: /etc/ferm.conf
+    mode: 0644
+
+- name: "Enable and start service: ferm"
+  service:
+   name: ferm
+   enabled: yes
+   state: started
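Review bot: The config copy on lines 85–89 has no `notify`, and the service task on lines 91–95 only asserts `state: started`, so on a re-run a changed `/etc/ferm.conf` is written to disk but the running ruleset is never reloaded; rule changes pushed through this role stay inactive until the next reboot or a manual restart. Add `notify: restart ferm` to both copy tasks and a matching `restart ferm` handler that calls `service` with `name: ferm` and `state: restarted` — the role's handlers file is not part of this commit, so it may need to be created. The `service:` arguments on lines 93–95 use three-space indentation while the `apk:`/`copy:` tasks above use four, the same inconsistency this commit fixes in chrony.yml, and `mode: 0755` / `mode: 0644` are safer quoted as `mode: "0755"` / `mode: "0644"` so no loader reads them as integers. The install task on lines 75–77 also omits `state: present` / `update_cache: yes`, which the chrony and openssh install tasks in this commit pass.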
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -11,7 +11,11 @@
 
 - include: users.yml
 
-- include: firewall.yml
+- include: firewall-awall.yml
+  when: network.useAwall is true 
+
+- include: firewall-ferm.yml
+  when: network.useFerm is true 
 
 - include: node-exporter.yml
   when: alpineVersion == "edge"
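Review bot: The `is true` tests on lines 103 and 106 match only a real boolean `True`, so a host whose variables carry `"true"` as a string (for example from a `key=value` extra var) or leave both keys unset gets neither include and ends up with no firewall configured, with nothing in the play output to say so. `when: network.useFerm | default(false) | bool` accepts either form, and an `assert` task before the includes requiring exactly one of the two to be enabled would turn "no firewall" into a failure rather than a silent pass. The same `is true` / `is false` pattern is introduced for `network.bridgeSupport` in network.yml (lines 119 and 126), where an unset key means the package is neither installed nor removed. Lines 103 and 106 also end in trailing whitespace.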
diff --git a/roles/common/tasks/network.yml b/roles/common/tasks/network.yml
@@ -61,6 +61,19 @@
     update_cache: yes
   when: network.vlanSupport is false  
 
+- name: "Install package: bridge"
+  apk:
+    name: bridge
+    update_cache: yes
+  when: network.bridgeSupport is true
+
+- name: "Remove package: bridge"
+  apk:
+    name: bridge
+    state: absent
+    update_cache: yes
+  when: network.bridgeSupport is false  
+
 - name: "Restart service: networking"
   service:
     name: networking
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: "Install package: openssh" 
+  apk:
+   name: openssh 
+   state: present
+   update_cache: yes
+
 - name: "Patch file: /etc/ssh/sshd_config"
   patch:
     src: config-files/ssh/sshd_config.patch
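Review bot: The new `apk:` task on lines 135–139 indents its arguments by three spaces, while this same commit reformats chrony.yml to four; both parse, but the role now mixes styles and yamllint's `indentation` rule will flag one of them, so `    name: openssh` / `    state: present` / `    update_cache: yes` at four spaces would match. `name: openssh ` on line 137 and the task name on line 135 also carry trailing whitespace. Installing openssh ahead of the patch task is the right order, since `patch` needs an existing `/etc/ssh/sshd_config`; a one-line comment above the task, `# sshd_config must exist before the patch task below runs`, would make that dependency explicit.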
diff --git a/roles/common/templates/awall-baseconfig.yaml.j2 b/roles/common/templates/awall-baseconfig.yaml.j2
@@ -9,4 +9,9 @@ policy:
   {{ network.awall.policys | to_yaml| trim | indent(2) }}
 
 filter:
-  {{ network.awall.filters | to_yaml | trim | indent(2) }}-
\ No newline at end of file
+  {{ network.awall.filters | to_yaml | trim | indent(2) }}
+
+{% if network.awall.snat is defined %}
+snat:
+  - out: {{ network.awall.snat }}
+{% endif %}+
\ No newline at end of file
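Review bot: `- out: {{ network.awall.snat }}` on line 155 substitutes the value unquoted into the rendered YAML, so a value that YAML does not read as a plain string (one containing `: ` or ` #`, or starting with `*` or `&`) would break or retype the document; `- out: "{{ network.awall.snat }}"` is the safe form, whereas the `policy`/`filter` lines above go through `to_yaml`, which handles quoting for them. The `is defined` guard on line 153 also does not distinguish an empty value from an unset one, so `snat: ""` renders an `snat` entry with an empty `out`; `{% if network.awall.snat | default('') %}` would skip that case. The file still ends without a trailing newline (line 156), which `{% endif %}` as the last line makes easy to miss.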