authorEgor Tensin <Egor.Tensin@gmail.com>2023-09-01 01:52:17 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-09-01 01:56:40 +0200
commita3d39b262e525937bfbbd0abb6e5b9e36668d6a6 (patch)
tree60437573320fad15800eb3086ca1639d40f887be
parentfix some ansible-lint warnings (diff)
downloadinfra-ansible-a3d39b262e525937bfbbd0abb6e5b9e36668d6a6.tar.gz
infra-ansible-a3d39b262e525937bfbbd0abb6e5b9e36668d6a6.zip
firewall: using the validate arg for testing the config
-rw-r--r--roles/firewall/tasks/file.yml45
-rw-r--r--roles/firewall/tasks/main.yml10
2 files changed, 9 insertions, 46 deletions
diff --git a/roles/firewall/tasks/file.yml b/roles/firewall/tasks/file.yml
deleted file mode 100644
index 5f4bb08..0000000
--- a/roles/firewall/tasks/file.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-- name: Create temporary file
- ansible.builtin.tempfile:
- register: rules_file
-
-- name: Configure rules in temporary file
- become: true
- ansible.builtin.template:
- src: '{{ item.src }}'
- dest: '{{ rules_file.path }}'
- owner: root
- group: root
- mode: '640'
-
-- name: Print temporary file path
- ansible.builtin.debug:
- msg: 'Temporary rules file: {{ rules_file.path }}'
-
-# If I simply restart the netfilter-persistent service, it happily restarts,
-# effectively ignoring errors in files. That way the operator doesn't get
-# feedback if the rules file is malformed.
-- name: Check that rules are valid
- become: true
- ansible.builtin.command:
- argv:
- - '/usr/sbin/{{ item.tool }}-restore'
- - --test
- - '{{ rules_file.path }}'
- changed_when: false
-
-- name: Copy rules to /etc/iptables
- become: true
- ansible.builtin.copy:
- remote_src: true
- src: '{{ rules_file.path }}'
- dest: '{{ item.dest }}'
- owner: root
- group: root
- mode: '640'
- notify: firewall_reboot
-
-- name: Remove temporary file
- become: true
- ansible.builtin.file:
- path: '{{ rules_file.path }}'
- state: absent
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index c17a4e3..909eaa4 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -6,7 +6,15 @@
install_recommends: false
- name: Configure rule files
- ansible.builtin.include_tasks: file.yml
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: root
+ mode: '640'
+ validate: '/usr/sbin/{{ item.tool }}-restore --test %s'
+ notify: firewall_reboot
loop:
- {src: rules.v4.j2, dest: /etc/iptables/rules.v4, tool: iptables}
- {src: rules.v6.j2, dest: /etc/iptables/rules.v6, tool: ip6tables}
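Review bot: The rationale for validating the rules file is lost with file.yml — the deleted comment explained that restarting netfilter-persistent silently ignores a malformed file, which is the whole reason the `validate:` line exists, and nothing in main.yml says so now. I would carry it over above the `validate:` key in the "Configure rule files" task, e.g. `# netfilter-persistent restarts happily on a malformed file, so test the rendered rules before they land in /etc/iptables.` Worth noting in the same comment that Ansible substitutes `%s` with the staged temporary file and runs the command under `become`, so a failed `--test` leaves the existing rules file untouched. The task's `loop:` is the last visible line, so the enclosing task appears complete within the hunk.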