Divide firewalld zones for FOG server

README.md

@@ -64,7 +64,7 @@ To submit, press `CTRL+d` twice.
 
 ## Copyrights and Licenses
 
-Copyright (C) 2019, 2020, 2022, 2023, 2025 Free I.T. Athens
+Copyright (C) 2019, 2020, 2022, 2023, 2025, 2026 Free I.T. Athens
 
 This program is free software: you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software

dev/vars/fog.yml

@@ -0,0 +1,33 @@
+###################
+### common role ###
+###################
+
+firewalld:
+  # Turn 'drop' zone SSH access off after initial provision
+  # This example config defines an 'admin' zone for it instead
+  # drop_ssh: false
+  type: complex
+  zones:
+    admin:
+      source: 192.168.121.0/24
+      services:
+        - ssh
+        - cockpit
+        - http
+    fog:
+      interface: eth1
+      services:
+        - http
+      ports:
+        - 69/udp
+        - 111/tcp
+        - 111/udp
+        - 2049/tcp
+        - 2049/udp
+
+################
+### fog role ###
+################
+
+fog:
+  version: 1.5.10.1826 # defaults to stable

roles/common/tasks/main.yml

@@ -56,33 +56,51 @@
     state: present
     update_cache: true
 
+- name: Assert valid firewalld config
+  ansible.builtin.assert:
+    that:
+      - firewalld is mapping
+      - firewalld.type is defined
+      - firewalld.type in ['simple', 'complex']
+    fail_msg: "firewalld.type must be 'simple' or 'complex'"
+  when: firewalld is defined
+
 - name: Install firewalld
   ansible.builtin.dnf:
     name: firewalld
     state: present
+  when: firewalld is defined
 
 - name: Start and enable firewalld service
   ansible.builtin.systemd:
     name: firewalld
     state: started
     enabled: true
+  when: firewalld is defined
 
-- name: Set default zone to drop (deny incoming by default)
+- name: Update SSH rule in firewalld drop zone
-  ansible.posix.firewalld:
-    zone: drop
-    state: enabled
-    permanent: true
-    immediate: true
-
-- name: Allow SSH in drop zone with rate limiting via rich rule
   ansible.posix.firewalld:
     zone: drop
     rich_rule: 'rule service name="ssh" accept limit value="10/m"'
     permanent: true
     immediate: true
-    state: enabled
+    state: "{{ 'enabled' if (firewalld.drop_ssh | default(true)) else 'disabled' }}"
+  when: firewalld is defined
 
 - name: Set drop as the default zone
   ansible.builtin.command:
     cmd: firewall-cmd --set-default-zone=drop
-  changed_when: false
+  register: default_zone_result
+  changed_when: "'ZONE_ALREADY_SET' not in default_zone_result.stderr"
+  when: firewalld is defined
+
+- name: Install Cockpit
+  ansible.builtin.dnf:
+    name: cockpit
+    state: present
+
+- name: Enable and start Cockpit socket
+  ansible.builtin.systemd:
+    name: cockpit.socket
+    enabled: true
+    state: started

roles/fog/tasks/main.yml

@@ -25,11 +25,11 @@
     state: directory
     mode: "0755"
 
-- name: Clone FOG stable branch
+- name: Clone FOG at specified version
   ansible.builtin.git:
     repo: https://github.com/FOGProject/fogproject.git
     dest: /usr/local/src/fogproject
-    version: stable
+    version: "{{ fog.version | default('stable') }}"
     update: true
 
 - name: Run FOG installer first time
@@ -38,16 +38,88 @@
     chdir: /usr/local/src/fogproject/bin
     creates: /opt/fog/.fogsettings
 
-- name: Allow required FOG firewall ports
+- name: Create admin zone
   ansible.posix.firewalld:
+    zone: admin
+    state: present
+    permanent: true
+  register: admin_zone
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Create fog zone
+  ansible.posix.firewalld:
+    zone: fog
+    state: present
+    permanent: true
+  register: fog_zone
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Reload firewalld if zones were created
+  ansible.builtin.command: firewall-cmd --reload
+  changed_when: true
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+    - admin_zone.changed or fog_zone.changed
+
+- name: Bind admin source to admin zone
+  ansible.posix.firewalld:
+    zone: admin
+    source: "{{ firewalld.zones.admin.source }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Bind fog interface to fog zone
+  ansible.posix.firewalld:
+    zone: fog
+    interface: "{{ firewalld.zones.fog.interface }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Allow admin services
+  ansible.posix.firewalld:
+    zone: admin
+    service: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  loop: "{{ firewalld.zones.admin.services | default([]) }}"
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Allow fog services
+  ansible.posix.firewalld:
+    zone: fog
+    service: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  loop: "{{ firewalld.zones.fog.services | default([]) }}"
+  when:
+    - firewalld is defined
+    - firewalld.type == 'complex'
+
+- name: Allow fog ports
+  ansible.posix.firewalld:
+    zone: fog
     port: "{{ item }}"
     permanent: true
     immediate: true
     state: enabled
-  loop:
+  loop: "{{ firewalld.zones.fog.ports | default([]) }}"
-    - 80/tcp
+  when:
-    - 69/udp
+    - firewalld is defined
-    - 111/tcp
+    - firewalld.type == 'complex'
-    - 111/udp
-    - 2049/tcp
-    - 2049/udp