commit 2f3229af48ba8d5da08ce20a3a2a87220b9c4a08
parent 79f5c5f0c8ac905a0c23fee0a340170169ec88ea
Author: Leah Thein <leah@toaster.fritz.box>
Date: Thu, 3 Dec 2020 17:35:28 +0100
parent 79f5c5f0c8ac905a0c23fee0a340170169ec88ea
Author: Leah Thein <leah@toaster.fritz.box>
Date: Thu, 3 Dec 2020 17:35:28 +0100
common/firewall: use yaml and more dynamic configuration
3 files changed, 17 insertions(+), 32 deletions(-)
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
@@ -1,7 +1,7 @@
 ---
 - name: install awall
 apk:
- name: awall ip6tables
+ name: awall lua-lyaml ip6tables
 - name: Load iptables kernel module
 raw: "modprobe ip_tables"
@@ -14,9 +14,9 @@
 - name: Copy base awall(firewall) configguration to destination host
 template:
- src: awall-baseconfig.json.j2
- dest: /etc/awall/private/base.json
- validate: jq '.' %s
+ src: awall-baseconfig.yaml.j2
+ dest: /etc/awall/private/base.yaml
+# validate: jq '.' %s
 - name: Copy awall(firewall) configguration for ssh to destination host
 copy:
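Review bot: The `validate: jq '.' %s` line is commented out rather than replaced, so the rendered base.yaml is now written to /etc/awall/private without any syntax check, whereas the JSON version failed the task on a malformed render. Since the template now splices inventory data through `to_yaml | indent(2)`, a bad indent or an undefined-but-allowed value produces a file awall cannot parse, and whether that leaves the host open or closed depends on what the later activation step does with it (not visible in this hunk). A YAML parse check keeps the old guarantee, e.g. `validate: "python3 -c 'import sys, yaml; yaml.safe_load(open(sys.argv[1]))' %s"` if PyYAML is present on the Alpine host, or an equivalent one-liner against the `lua-lyaml` package this hunk installs. If neither is acceptable, delete the commented line instead of leaving dead configuration behind.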
diff --git a/roles/common/templates/awall-baseconfig.json.j2 b/roles/common/templates/awall-baseconfig.json.j2
@@ -1,28 +0,0 @@
-{
- "description": "Base zones and policies for {{network.hostname}}",
- "import": [ "custom-services" ],
-
- "zone": {
- "WAN": { "iface": "{{ network.awall.wan }}" }
- },
-
- "policy": [
- { "in": "_fw", "action": "accept" },
- { "in": "_fw", "out": "WAN" , "action": "accept" },
- { "in": "WAN", "action": "drop" }
- ],
-
- "filter": [
- {
- "in": "_fw",
- "out": "WAN",
- "service": [ "dns", "http", "https", "ssh" ]
- },
- {
- "in": "WAN",
- "out": "_fw",
- "service": "ping",
- "action": "accept"
- }
- ]
-}
diff --git a/roles/common/templates/awall-baseconfig.yaml.j2 b/roles/common/templates/awall-baseconfig.yaml.j2
@@ -0,0 +1,12 @@
+description: Base zones and policies for {{network.hostname}}
+import:
+ - custom-services
+
+zone:
+ {{ network.awall.zones | to_yaml | trim | indent(2) }}
+
+policy:
+ {{ network.awall.policys | to_yaml| trim | indent(2) }}
+
+filter:
+ {{ network.awall.filters | to_yaml | trim | indent(2) }}+
\ No newline at end of file
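Review bot: The default-deny rule that the old template hard-coded (`{ "in": "WAN", "action": "drop" }`) now exists only if every host's inventory puts it into `network.awall.policys`; the template itself no longer guarantees a WAN zone or a drop policy, so an inventory that lists only accept policies renders an open firewall without any error. The minimal fix is to keep the base deny in the template and let inventory extend it, i.e. under `policy:` emit `- in: WAN` / `  action: drop` before the `to_yaml` splice, assuming awall treats the more specific `_fw`/`WAN` accept policies as taking precedence the way the old config relied on; alternatively an `assert:` task in the role that checks `network.awall.policys | selectattr('in', 'equalto', 'WAN') | selectattr('action', 'equalto', 'drop') | list | length > 0` before templating keeps the deny mandatory. A short header comment stating that contract, e.g. `# Inventory MUST supply a WAN zone and an in: WAN / action: drop policy; nothing here enforces it`, would at least make the assumption visible. On style, `to_yaml|` on the policy line lacks the space the other two lines have, and the file is missing its trailing newline.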