commit 0d6ea47accb7793d0bef9d5b0571d54b6ccb2c8b
parent 5c94298442359fd2928e72581a52d4c46f409f33
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 2 Feb 2021 10:53:13 +0100
common: remove ferm and some other stuff
6 files changed, 50 insertions(+), 119 deletions(-)
D
|
81
-------------------------------------------------------------------------------
diff --git a/roles/common/files/ferm.initd b/roles/common/files/ferm.initd
@@ -1,34 +0,0 @@
-#!/sbin/openrc-run
-
-description="For Easy Rule Making"
-description_export="Export ruleset into iptables format"
-
-extra_commands="dump"
-
-conf_file="${ferm_file:-/etc/ferm.conf}"
-dump_file="${ferm_dump:-/etc/ferm.iptables}"
-
-depend() { # taken from current edge iptables
- after net
- after sysctl
- use logger
- provide firewall
-}
-
-start() {
- ebegin "Loading ${conf_file} ruleset"
- ferm "${conf_file}"
- eend $?
-}
-
-stop() {
- ebegin "Unloading ${conf_file} rules"
- ferm -F "${conf_file}"
- eend $?
-}
-
-dump() {
- ebegin "Exporting ${conf_file} into ${dump_file}"
- ferm --remote "${conf_file}" > "${dump_file}"
- eend $?
-}
diff --git a/roles/common/files/sshd/nftables-rule.nft b/roles/common/files/sshd/nftables-rule.nft @@ -3,6 +3,6 @@ table inet firewall { chain inbound { # Allow ssh. - tcp dport ssh accept + tcp dport ssh accept comment "sshd" } } \ No newline at end of file
diff --git a/roles/common/tasks/firewall-ferm.yml b/roles/common/tasks/firewall-ferm.yml
@@ -1,81 +0,0 @@
----
-
-- name: "[Alpine] Install Package: ferm"
- apk:
- name: ferm
- state: present
- update_cache: yes
- when:
- - ansible_distribution == "Alpine"
- - network.ferm.enable is true
-
-- name: "[Archlinux] Install Package: ferm"
- pacman:
- name: ferm
- state: present
- update_cache: yes
- when:
- - ansible_distribution == "Archlinux"
- - network.ferm.enable is true
-
-- name: "[Alpine] Copy service file to destination"
- copy:
- src: ferm.initd
- dest: /etc/init.d/ferm
- mode: 0755
- when:
- - ansible_distribution == "Alpine"
- - network.ferm.enable is true
-
-- name: Fail when useFerm and no configFile
- fail:
- msg: Option 'network.ferm.configFile' not set!
- when:
- - network.ferm.enable is true
- - network.ferm.configFile is not defined
-
-- name: copy ferm config to destination
- copy:
- src: "{{ network.ferm.configFile }}"
- dest: /etc/ferm.conf
- mode: 0644
- register: fermConfig
- when: network.ferm.enable is true
-
-
-- name: "[OpenRC] Enable and start service: ferm"
- service:
- name: ferm
- enabled: yes
- state: started
- when:
- - ansible_service_mgr == "openrc"
- - network.ferm.enable is true
-
-- name: "[systemd] Enable and start service: ferm"
- systemd:
- name: ferm
- enabled: yes
- state: started
- when:
- - ansible_service_mgr == "systemd"
- - network.ferm.enable is true
-
-
-- name: "[OpenRC] Restart service: ferm (to deploy new config)"
- service:
- name: ferm
- state: restarted
- when:
- - ansible_service_mgr == "openrc"
- - network.ferm.enable is true
- - fermConfig.changed
-
-- name: "[systemd] Restart service: ferm (to deploy new config)"
- systemd:
- name: ferm
- state: restarted
- when:
- - ansible_service_mgr == "systemd"
- - network.ferm.enable is true
- - fermConfig.changed
diff --git a/roles/common/tasks/fstab.yml b/roles/common/tasks/fstab.yml
@@ -10,3 +10,21 @@
 when:
 - ansible_distribution == "Alpine"
 - system.fstab is defined
+
+- name: "[OpenRC] Enable and start service: nfsmount"
+ service:
+ name: nfsmount
+ enabled: yes
+ state: started
+ when:
+ - ansible_service_mgr == "openrc"
+ - system.enableNFS is true
+
+- name: "[OpenRC] Disable and stop service: nfsmount"
+ service:
+ name: nfsmount
+ enabled: no
+ state: stopped
+ when:
+ - ansible_service_mgr == "openrc"
+ - system.enableNFS is false
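Review bot: `enabled: yes` and `enabled: no` in the two added nfsmount tasks use the YAML 1.1 truthy spellings, while the `when` tests in the same block already compare against `true`/`false`; write `enabled: true` and `enabled: false` so the file keeps one boolean spelling and passes yamllint's truthy rule. A host whose `system.enableNFS` key is simply absent matches neither task, so an nfsmount service enabled by an earlier run is not stopped or disabled by this hunk — if that is intended, a short comment above the first task such as `# nfsmount is only managed when system.enableNFS is set explicitly` would save the next reader the guess. The task list continues outside the hunk.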
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml @@ -25,9 +25,6 @@ - include: network_ip-forwarding.yml when: network.ipForwarding is defined -- include: firewall-ferm.yml - when: network.ferm.enable is defined - - include: firewall-nftables.yml when: network.nftables.enable is defined
diff --git a/roles/common/templates/interfaces.conf.j2 b/roles/common/templates/interfaces.conf.j2 @@ -35,6 +35,21 @@ iface {{ interface.name }} inet static {% if interface.ipv4.gateway is defined %} gateway {{ interface.ipv4.gateway }} {% endif %} +{% if interface.pre_up is defined %} +{% for command in inteface.pre_up %} + pre-up {{ command }} +{% endfor %} +{% endif %} +{% if interface.post_up is defined %} +{% for command in inteface.post_up %} + post-up {{ command }} +{% endfor %} +{% endif %} +{% if interface.post_down is defined %} +{% for command in inteface.post_down %} + post-down {{ command }} +{% endfor %} +{% endif %} {% if interface.ipv6 is defined %} {% if interface.ipv6.stateless is defined %} @@ -54,6 +69,22 @@ iface {{ interface.name }} inet6 static {% if interface.ipv6.gateway is defined %} gateway {{ interface.ipv6.gateway }} {% endif %} +{% if interface.pre_up is defined %} +{% for command in inteface.pre_up %} + pre-up {{ command }} +{% endfor %} +{% endif %} +{% if interface.post_up is defined %} +{% for command in inteface.post_up %} + post-up {{ command }} +{% endfor %} +{% endif %} +{% if interface.post_down is defined %} +{% for command in inteface.post_down %} + post-down {{ command }} +{% endfor %} +{% endif %} + {% endif %} {% endif %} {% endif %}
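Review bot: Every new `for` loop iterates `inteface.pre_up`, `inteface.post_up` or `inteface.post_down` while the `if` guarding it tests `interface.…`; `inteface` is not defined anywhere in this template, so as soon as a host sets `interface.pre_up` the render will most likely abort with an undefined-variable error instead of emitting the hooks (Ansible's undefined handling is strict), and the same typo appears in both the inet hunk and the inet6 hunk. Change the six loop headers to `{% for command in interface.pre_up %}` and the matching `post_up` / `post_down` forms. Worth a comment in the template as well: each rendered `pre-up` / `post-up` / `post-down` line is run by ifupdown as root exactly as written, so these inventory values deserve the same review as a script, e.g. `{# hook commands below are executed verbatim by ifupdown as root #}`. The enclosing `iface` stanzas start outside the hunks.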