From 4603ff67d99bc504b37279041885624a5b65334e Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sat, 25 Apr 2026 19:14:26 -0400
Subject: [PATCH] Divide firewalld zones for FOG server

---
 README.md | 2 +-
 dev/vars/fog.yml | 33 +++++++++++++
 roles/common/tasks/main.yml | 38 +++++++++++----
 roles/fog/tasks/main.yml | 92 +++++++++++++++++++++++++++++++++----
 4 files changed, 144 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 67392eb..93c6278 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ To submit, press `CTRL+d` twice.
 
 ## Copyrights and Licenses
 
-Copyright (C) 2019, 2020, 2022, 2023, 2025 Free I.T. Athens
+Copyright (C) 2019, 2020, 2022, 2023, 2025, 2026 Free I.T. Athens
 
 This program is free software: you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
diff --git a/dev/vars/fog.yml b/dev/vars/fog.yml
index e69de29..a0d7dd0 100644
--- a/dev/vars/fog.yml
+++ b/dev/vars/fog.yml
@@ -0,0 +1,33 @@
+###################
+### common role ###
+###################
+
+firewalld:
+  # Turn 'drop' zone SSH access off after initial provision
+  # This example config defines an 'admin' zone for it instead
+  # drop_ssh: false
+  type: complex
+  zones:
+    admin:
+      source: 192.168.121.0/24
+      services:
+        - ssh
+        - cockpit
+        - http
+    fog:
+      interface: eth1
+      services:
+        - http
+      ports:
+        - 69/udp
+        - 111/tcp
+        - 111/udp
+        - 2049/tcp
+        - 2049/udp
+
+################
+### fog role ###
+################
+
+fog:
+  version: 1.5.10.1826 # defaults to stable
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 55eeae4..1e3aaa9 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
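Review bot: `version: 1.5.10.1826` at the end of the dev/vars/fog.yml hunk is a plain scalar that only survives as a string because it has four dotted components; a value such as `1.5` would be loaded as a float before it reaches `ansible.builtin.git`. Quote it, `version: "1.5.10.1826" # defaults to stable`, so the example shows the robust form for anyone copying it. The `# drop_ssh: false` comment explains the intent but not the consequence; a line such as `# Only set this once the admin zone below is active, otherwise SSH is cut off` would make the lockout risk explicit in the example config.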
@@ -56,33 +56,51 @@
     state: present
     update_cache: true
 
+- name: Assert valid firewalld config
+  ansible.builtin.assert:
+    that:
+      - firewalld is mapping
+      - firewalld.type is defined
+      - firewalld.type in ['simple', 'complex']
+    fail_msg: "firewalld.type must be 'simple' or 'complex'"
+  when: firewalld is defined
+
 - name: Install firewalld
   ansible.builtin.dnf:
     name: firewalld
     state: present
+  when: firewalld is defined
 
 - name: Start and enable firewalld service
   ansible.builtin.systemd:
     name: firewalld
     state: started
     enabled: true
+  when: firewalld is defined
 
-- name: Set default zone to drop (deny incoming by default)
-  ansible.posix.firewalld:
-    zone: drop
-    state: enabled
-    permanent: true
-    immediate: true
-
-- name: Allow SSH in drop zone with rate limiting via rich rule
+- name: Update SSH rule in firewalld drop zone
   ansible.posix.firewalld:
     zone: drop
     rich_rule: 'rule service name="ssh" accept limit value="10/m"'
     permanent: true
     immediate: true
-    state: enabled
+    state: "{{ 'enabled' if (firewalld.drop_ssh | default(true)) else 'disabled' }}"
+  when: firewalld is defined
 
 - name: Set drop as the default zone
   ansible.builtin.command:
     cmd: firewall-cmd --set-default-zone=drop
-  changed_when: false
+  register: default_zone_result
+  changed_when: "'ZONE_ALREADY_SET' not in default_zone_result.stderr"
+  when: firewalld is defined
+
+- name: Install Cockpit
+  ansible.builtin.dnf:
+    name: cockpit
+    state: present
+
+- name: Enable and start Cockpit socket
+  ansible.builtin.systemd:
+    name: cockpit.socket
+    enabled: true
+    state: started
diff --git a/roles/fog/tasks/main.yml b/roles/fog/tasks/main.yml
index aa2a309..42590ea 100644
--- a/roles/fog/tasks/main.yml
+++ b/roles/fog/tasks/main.yml
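Review bot: The new assert validates only `firewalld.type`, while the "Update SSH rule in firewalld drop zone" task below can now set `state: disabled` from `firewalld.drop_ssh` before any other zone exists, so a host with `drop_ssh: false` and a missing or mistyped admin zone loses SSH at this point in the run and nothing later in the play can recover it. Extend the assert so the opt-out is only accepted when an admin zone is configured, e.g. add `- (firewalld.drop_ssh | default(true)) or (firewalld.type == 'complex' and firewalld.zones.admin.source is defined)` to the `that:` list. The "Install Cockpit" and "Enable and start Cockpit socket" tasks at the end of the hunk carry no `when:` at all, so a host with `firewalld` undefined gets cockpit listening on its socket with no firewall managed by this role; gate them on the same condition or on an explicit opt-in variable. The `changed_when` on the default-zone command depends on firewall-cmd reporting `ZONE_ALREADY_SET` on stderr, which presumably matches its warning output, but a one-line comment naming that dependency would help since it is the only thing keeping the task idempotent.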
@@ -25,11 +25,11 @@
     state: directory
     mode: "0755"
 
-- name: Clone FOG stable branch
+- name: Clone FOG at specified version
   ansible.builtin.git:
     repo: https://github.com/FOGProject/fogproject.git
     dest: /usr/local/src/fogproject
-    version: stable
+    version: "{{ fog.version | default('stable') }}"
     update: true
 
 - name: Run FOG installer first time
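Review bot: `version: "{{ fog.version | default('stable') }}"` still resolves to a mutable ref — a tag or branch name that the upstream repository can move — so the pin selects a version but does not give any integrity guarantee; if reproducible installs are the goal, let `fog.version` hold a commit SHA (and consider `verify_commit: true` if upstream signs its commits), and say so in a comment on the `version:` line. With `update: true` and the floating `stable` default, every re-run of the play can silently pull new upstream code onto the server; a short comment on the `update:` line noting that behaviour would help the next maintainer.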
@@ -38,16 +38,88 @@ chdir: /usr/local/src/fogproject/bin creates: /opt/fog/.fogsettings -- name: Allow required FOG firewall ports +- name: Create admin zone ansible.posix.firewalld: + zone: admin + state: present + permanent: true + register: admin_zone + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Create fog zone + ansible.posix.firewalld: + zone: fog + state: present + permanent: true + register: fog_zone + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Reload firewalld if zones were created + ansible.builtin.command: firewall-cmd --reload + changed_when: true + when: + - firewalld is defined + - firewalld.type == 'complex' + - admin_zone.changed or fog_zone.changed + +- name: Bind admin source to admin zone + ansible.posix.firewalld: + zone: admin + source: "{{ firewalld.zones.admin.source }}" + permanent: true + immediate: true + state: enabled + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Bind fog interface to fog zone + ansible.posix.firewalld: + zone: fog + interface: "{{ firewalld.zones.fog.interface }}" + permanent: true + immediate: true + state: enabled + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Allow admin services + ansible.posix.firewalld: + zone: admin + service: "{{ item }}" + permanent: true + immediate: true + state: enabled + loop: "{{ firewalld.zones.admin.services | default([]) }}" + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Allow fog services + ansible.posix.firewalld: + zone: fog + service: "{{ item }}" + permanent: true + immediate: true + state: enabled + loop: "{{ firewalld.zones.fog.services | default([]) }}" + when: + - firewalld is defined + - firewalld.type == 'complex' + +- name: Allow fog ports + ansible.posix.firewalld: + zone: fog port: "{{ item }}" permanent: true immediate: true state: enabled - loop: - - 80/tcp - - 69/udp - - 111/tcp - - 111/udp - - 2049/tcp - - 2049/udp + loop: 
"{{ firewalld.zones.fog.ports | default([]) }}" + when: + - firewalld is defined + - firewalld.type == 'complex'