From cc6ea15d5e1f5e1c1b1027b13c34280d71bd22c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Diemer?= <stephane.diemer@ubicast.eu>
Date: Wed, 13 May 2020 09:20:14 +0200
Subject: [PATCH] Split ferm setup in two roles to avoid ferm install on
 existing systems | refs #32028

---
 roles/base/meta/main.yml                      |  3 +-
 roles/celerity/tasks/main.yml                 |  2 +-
 roles/cluster/tasks/main.yml                  |  2 +-
 roles/ferm-configure/defaults/main.yml        | 19 +++++++++++
 .../handlers/main.yml                         |  5 +--
 roles/{ferm => ferm-configure}/tasks/main.yml | 34 +++++--------------
 .../{ferm => ferm-install}/defaults/main.yml  | 16 ---------
 roles/ferm-install/handlers/main.yml          |  8 +++++
 roles/ferm-install/tasks/main.yml             | 23 +++++++++++++
 .../templates/ferm.conf.j2                    |  0
 roles/mediaimport/tasks/main.yml              |  2 +-
 roles/mediaserver/tasks/main.yml              |  2 +-
 roles/mediavault/tasks/main.yml               |  2 +-
 roles/mediaworker/tasks/main.yml              |  2 +-
 roles/mirismanager/tasks/main.yml             |  2 +-
 roles/msmonitor/tasks/main.yml                |  2 +-
 roles/netcapture/tasks/main.yml               |  2 +-
 roles/ocfs2/tasks/main.yml                    |  2 +-
 roles/postgres/tasks/main.yml                 |  2 +-
 roles/sysutils/tasks/main.yml                 |  2 +-
 roles/wowza/meta/main.yml                     |  6 ----
 roles/wowza/tasks/main.yml                    |  2 +-
 22 files changed, 74 insertions(+), 66 deletions(-)
 create mode 100644 roles/ferm-configure/defaults/main.yml
 rename roles/{ferm => ferm-configure}/handlers/main.yml (56%)
 rename roles/{ferm => ferm-configure}/tasks/main.yml (91%)
 rename roles/{ferm => ferm-install}/defaults/main.yml (65%)
 create mode 100644 roles/ferm-install/handlers/main.yml
 create mode 100644 roles/ferm-install/tasks/main.yml
 rename roles/{ferm => ferm-install}/templates/ferm.conf.j2 (100%)
 delete mode 100644 roles/wowza/meta/main.yml

diff --git a/roles/base/meta/main.yml b/roles/base/meta/main.yml
index bddea6df..e531fa82 100644
--- a/roles/base/meta/main.yml
+++ b/roles/base/meta/main.yml
@@ -10,7 +10,8 @@ dependencies:
   - role: users
   - role: postfix
   - role: ntp
-  - role: ferm
+  - role: ferm-install
+  - role: ferm-configure
   - role: fail2ban
 
 ...
diff --git a/roles/celerity/tasks/main.yml b/roles/celerity/tasks/main.yml
index fdc66eb5..4adaea82 100644
--- a/roles/celerity/tasks/main.yml
+++ b/roles/celerity/tasks/main.yml
@@ -38,7 +38,7 @@
     ferm_output_rules: "{{ celerity_ferm_output_rules }}"
     ferm_global_settings: "{{ celerity_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml
index b0c08ed8..a7af0e3d 100644
--- a/roles/cluster/tasks/main.yml
+++ b/roles/cluster/tasks/main.yml
@@ -250,6 +250,6 @@
     ferm_input_rules: "{{ cluster_fw_input }}"
     ferm_output_rules: "{{ cluster_fw_output }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 ...
diff --git a/roles/ferm-configure/defaults/main.yml b/roles/ferm-configure/defaults/main.yml
new file mode 100644
index 00000000..947f9f5b
--- /dev/null
+++ b/roles/ferm-configure/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+
+# filename into which rules will be written
+# /etc/ferm/{ferm|input|output|forward}.d/<filename>.conf
+ferm_rules_filename: default
+
+# input rule
+ferm_input_rules: []
+
+# ouput rule
+ferm_output_rules: []
+
+# forward rule
+ferm_forward_rules: []
+
+# global settings to be put in ferm.d directory
+ferm_global_settings:
+
+...
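Review bot: `ferm_global_settings:` is a bare empty value, which YAML loads as null; the `global` task tests it with `| d(false)` so it works today, but `ferm_global_settings: null` (or `""`) states the intent and avoids a yamllint `empty-values` warning. `ferm_rules_filename: default` is shared by every role that includes ferm-configure, so two callers that do not override it both write `/etc/ferm/{input,output,forward}.d/default.conf` and the later one silently replaces the earlier one's rules; the include_role callers in this patch set only the rule lists in their visible lines, so whether each sets the filename cannot be confirmed here — a comment such as `# callers MUST set a unique value per role, otherwise rule files overwrite each other` would make the contract explicit. Typo in the comment: `# ouput rule` should read `# output rule`.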
diff --git a/roles/ferm/handlers/main.yml b/roles/ferm-configure/handlers/main.yml
similarity index 56%
rename from roles/ferm/handlers/main.yml
rename to roles/ferm-configure/handlers/main.yml
index 396bf92f..920efd0e 100644
--- a/roles/ferm/handlers/main.yml
+++ b/roles/ferm-configure/handlers/main.yml
@@ -1,10 +1,7 @@
 ---
 
-- name: reload systemd
-  systemd:
-    daemon_reload: true
-
 - name: restart ferm
+  when: ansible_facts.services['ferm.service'] is defined
   systemd:
     name: ferm
     state: restarted
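Review bot: The new `when` on `restart ferm` is only true if `ansible_facts.services` has been populated by the `service_facts` module, and this patch adds no such task; if nothing else in the play gathers it, Ansible's undefined handling makes the test evaluate false and the handler is silently skipped on every host, so rule fragments land in /etc/ferm/*.d but the running firewall never loads them while the play reports success. Either add `- name: gather service facts` / `  service_facts:` at the top of roles/ferm-configure/tasks/main.yml, or test something the role establishes itself, e.g. `when: ferm_bin.stat.exists` after a `stat: path: /usr/sbin/ferm` task registered as `ferm_bin`. A comment on the condition, `# only restart where ferm is actually installed; requires service_facts to have run`, would at least document the dependency.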
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm-configure/tasks/main.yml
similarity index 91%
rename from roles/ferm/tasks/main.yml
rename to roles/ferm-configure/tasks/main.yml
index 9223a58b..a10cf787 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm-configure/tasks/main.yml
@@ -1,27 +1,8 @@
 ---
 
-- name: packages
-  apt:
-    force_apt_get: true
-    install_recommends: false
-    name: "{{ ferm_packages }}"
-
-- name: configuration
-  notify: restart ferm
-  template:
-    src: ferm.conf.j2
-    dest: /etc/ferm/ferm.conf
-    backup: true
-
-- name: global
-  when: ferm_global_settings | d(false)
-  notify: restart ferm
-  copy:
-    dest: /etc/ferm/ferm.d/{{ ferm_rules_filename }}.conf
-    content: "{{ ferm_global_settings }}"
-
 - name: directories
   loop:
+    - /etc/ferm/ferm.d
     - /etc/ferm/input.d
     - /etc/ferm/output.d
     - /etc/ferm/forward.d
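Review bot: With the package, ferm.conf and service tasks removed, the `directories` task and the rule-writing tasks that follow it now create /etc/ferm/*.d and drop rule files on hosts where ferm may not be installed at all, which is the stated goal, but nothing in the role then tells the operator that the rules are inert on such a host. A leading `stat: path: /etc/ferm/ferm.conf` registered as `ferm_conf` with a `debug` (or `fail`, per policy) `when: not ferm_conf.stat.exists` — or at least a header comment `# NOTE: this role only writes rule fragments; it assumes ferm is present via ferm-install or pre-installed` — makes the split explicit to whoever reads the role later. The task file continues outside this hunk.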
@@ -29,6 +10,13 @@
     path: "{{ item }}"
     state: directory
 
+- name: global
+  when: ferm_global_settings | d(false)
+  notify: restart ferm
+  copy:
+    dest: /etc/ferm/ferm.d/{{ ferm_rules_filename }}.conf
+    content: "{{ ferm_global_settings }}"
+
 - name: input
   when: ferm_input_rules | length > 0
   notify: restart ferm
@@ -80,10 +68,4 @@
       {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
       {% endfor %}
 
-- name: service
-  systemd:
-    name: ferm
-    enabled: true
-    state: started
-
 ...
diff --git a/roles/ferm/defaults/main.yml b/roles/ferm-install/defaults/main.yml
similarity index 65%
rename from roles/ferm/defaults/main.yml
rename to roles/ferm-install/defaults/main.yml
index f594f1ec..fc3d06fb 100644
--- a/roles/ferm/defaults/main.yml
+++ b/roles/ferm-install/defaults/main.yml
@@ -19,23 +19,7 @@ ferm_forward_policy: DROP
 ferm_forward_log: true
 ferm_forward_log_prefix: "{{ ferm_forward_policy }} FORWARD "
 
-# filename into which rules will be written
-# /etc/ferm/{ferm|input|output|forward}.d/<filename>.conf
-ferm_rules_filename: default
-
 # enable anti-lockout rule
 ferm_antilockout_enabled: true
 
-# input rule
-ferm_input_rules: []
-
-# ouput rule
-ferm_output_rules: []
-
-# forward rule
-ferm_forward_rules: []
-
-# global settings to be put in ferm.d directory
-ferm_global_settings:
-
 ...
diff --git a/roles/ferm-install/handlers/main.yml b/roles/ferm-install/handlers/main.yml
new file mode 100644
index 00000000..c2f8c0cb
--- /dev/null
+++ b/roles/ferm-install/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: restart ferm
+  systemd:
+    name: ferm
+    state: restarted
+
+...
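Review bot: This handler has the same name, `restart ferm`, as the one in roles/ferm-configure/handlers/main.yml from this same patch; when a play loads both roles (roles/base/meta/main.yml now does) a `notify: restart ferm` resolves to one of them by rules that vary across Ansible versions, so the `is defined` guard on the ferm-configure variant may be bypassed or may unexpectedly apply to this role's notifications too. Give each handler a distinct name and subscribe both with `listen: restart ferm`, or notify by role-qualified name (`ferm-install : restart ferm`). Separately, restarting ferm on a syntactically broken config is risky: on Debian the unit's stop step flushes the tables (verify for the target release), so a bad fragment leaves the host with open ACCEPT policies after the failed start; a `command: ferm --noexec /etc/ferm/ferm.conf` check handler that runs first, or `state: reloaded` where ferm is already running, avoids that window.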
diff --git a/roles/ferm-install/tasks/main.yml b/roles/ferm-install/tasks/main.yml
new file mode 100644
index 00000000..f9d89a3b
--- /dev/null
+++ b/roles/ferm-install/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: packages
+  apt:
+    force_apt_get: true
+    install_recommends: false
+    name: "{{ ferm_packages }}"
+
+- name: configuration
+  notify: restart ferm
+  template:
+    src: ferm.conf.j2
+    dest: /etc/ferm/ferm.conf
+    backup: true
+
+- name: service
+  systemd:
+    name: ferm
+    enabled: true
+    masked: no
+    state: started
+
+...
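Review bot: `masked: no` on the `service` task uses a YAML 1.1 truthy word; write `masked: false` to match `enabled: true` on the line above and satisfy yamllint's `truthy` rule. The `template` task writes /etc/ferm/ferm.conf without `owner`/`group`/`mode`, so the permissions of a freshly created file follow the connection user's umask; pinning `owner: root`, `group: root`, `mode: "0644"` keeps the firewall config deterministic. Note also that the templated ferm.conf is only applied when the `restart ferm` handler fires, so between `packages` and the play's handler flush the host runs the distribution's default ferm.conf — a comment such as `# new ferm.conf takes effect at the next handler flush, not here` would make that ordering clear.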
diff --git a/roles/ferm/templates/ferm.conf.j2 b/roles/ferm-install/templates/ferm.conf.j2
similarity index 100%
rename from roles/ferm/templates/ferm.conf.j2
rename to roles/ferm-install/templates/ferm.conf.j2
diff --git a/roles/mediaimport/tasks/main.yml b/roles/mediaimport/tasks/main.yml
index d4b9835d..394e20cb 100644
--- a/roles/mediaimport/tasks/main.yml
+++ b/roles/mediaimport/tasks/main.yml
@@ -171,7 +171,7 @@
     ferm_output_rules: "{{ import_ferm_output_rules }}"
     ferm_global_settings: "{{ import_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/mediaserver/tasks/main.yml b/roles/mediaserver/tasks/main.yml
index e3a37940..84515493 100644
--- a/roles/mediaserver/tasks/main.yml
+++ b/roles/mediaserver/tasks/main.yml
@@ -123,7 +123,7 @@
     ferm_output_rules: "{{ server_ferm_output_rules }}"
     ferm_global_settings: "{{ server_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/mediavault/tasks/main.yml b/roles/mediavault/tasks/main.yml
index 4b292ff6..9aff91e4 100644
--- a/roles/mediavault/tasks/main.yml
+++ b/roles/mediavault/tasks/main.yml
@@ -111,7 +111,7 @@
     ferm_output_rules: "{{ mv_ferm_output_rules }}"
     ferm_global_settings: "{{ mv_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/mediaworker/tasks/main.yml b/roles/mediaworker/tasks/main.yml
index 8663c1ce..29aed5a0 100644
--- a/roles/mediaworker/tasks/main.yml
+++ b/roles/mediaworker/tasks/main.yml
@@ -28,7 +28,7 @@
     ferm_output_rules: "{{ worker_ferm_output_rules }}"
     ferm_global_settings: "{{ worker_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/mirismanager/tasks/main.yml b/roles/mirismanager/tasks/main.yml
index 80ebfd4b..6400f143 100644
--- a/roles/mirismanager/tasks/main.yml
+++ b/roles/mirismanager/tasks/main.yml
@@ -88,7 +88,7 @@
     ferm_output_rules: "{{ manager_ferm_output_rules }}"
     ferm_global_settings: "{{ manager_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/msmonitor/tasks/main.yml b/roles/msmonitor/tasks/main.yml
index e8918495..68de7d55 100644
--- a/roles/msmonitor/tasks/main.yml
+++ b/roles/msmonitor/tasks/main.yml
@@ -65,7 +65,7 @@
     ferm_output_rules: "{{ monitor_ferm_output_rules }}"
     ferm_global_settings: "{{ monitor_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/netcapture/tasks/main.yml b/roles/netcapture/tasks/main.yml
index b514e748..3a58e94b 100644
--- a/roles/netcapture/tasks/main.yml
+++ b/roles/netcapture/tasks/main.yml
@@ -77,7 +77,7 @@
     ferm_output_rules: "{{ netcapture_ferm_output_rules }}"
     ferm_global_settings: "{{ netcapture_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/ocfs2/tasks/main.yml b/roles/ocfs2/tasks/main.yml
index 844a1b07..7791cab5 100644
--- a/roles/ocfs2/tasks/main.yml
+++ b/roles/ocfs2/tasks/main.yml
@@ -48,6 +48,6 @@
     ferm_output_rules: "{{ ocfs2_ferm_output_rules }}"
     ferm_global_settings: "{{ ocfs2_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 ...
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 3369d907..babca7af 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -108,7 +108,7 @@
     ferm_output_rules: "{{ pg_ferm_output_rules }}"
     ferm_global_settings: "{{ pg_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
diff --git a/roles/sysutils/tasks/main.yml b/roles/sysutils/tasks/main.yml
index 80bbda98..ac51466c 100644
--- a/roles/sysutils/tasks/main.yml
+++ b/roles/sysutils/tasks/main.yml
@@ -29,6 +29,6 @@
     ferm_output_rules: "{{ sysutils_ferm_output_rules }}"
     ferm_global_settings: "{{ sysutils_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 ...
diff --git a/roles/wowza/meta/main.yml b/roles/wowza/meta/main.yml
deleted file mode 100644
index e45d692a..00000000
--- a/roles/wowza/meta/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-
-dependencies:
-  - role: base
-
-...
diff --git a/roles/wowza/tasks/main.yml b/roles/wowza/tasks/main.yml
index b538a833..49dca090 100644
--- a/roles/wowza/tasks/main.yml
+++ b/roles/wowza/tasks/main.yml
@@ -117,7 +117,7 @@
     ferm_output_rules: "{{ wowza_ferm_output_rules }}"
     ferm_global_settings: "{{ wowza_ferm_global_settings }}"
   include_role:
-    name: ferm
+    name: ferm-configure
 
 - meta: flush_handlers
 
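Review bot: This include now points at ferm-configure, and the same patch deletes roles/wowza/meta/main.yml, so wowza no longer pulls in `base` and with it ferm-install and fail2ban; on a host where the playbook does not apply `base` itself, this task writes rule fragments that nothing installs ferm to enforce, and the guarded handler never restarts it, so the play succeeds with the host unfirewalled. If that is intended for existing Wowza installs, say so here, e.g. `# ferm-configure only writes rule fragments; ferm itself comes from base/ferm-install`, and make sure the playbooks that target wowza list `base` explicitly. The enclosing task list continues outside this hunk.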
-- 
GitLab