path: root/roles/firewall/tasks/file.yml
authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-10 20:21:18 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-10 20:46:16 +0200
commit2886694a77ad37d64b2ef5b2d181fa046dab4055 (patch)
treec3d21c680b70a80f5eea0b94f51e8cf26b2e1ee5 /roles/firewall/tasks/file.yml
parentv0.0.8 (diff)
firewall: don't put invalid rules in /etc/iptables/
Diffstat (limited to '')
-rw-r--r--roles/firewall/tasks/file.yml45
1 files changed, 45 insertions, 0 deletions
diff --git a/roles/firewall/tasks/file.yml b/roles/firewall/tasks/file.yml
new file mode 100644
index 0000000..a703d3b
--- /dev/null
+++ b/roles/firewall/tasks/file.yml
@@ -0,0 +1,45 @@
+- name: Create a temporary file
+ ansible.builtin.tempfile:
+ register: rules_file
+
+- name: Configure rules in a temporary file
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ rules_file.path }}'
+ owner: root
+ group: root
+ mode: '640'
+
+- name: Print temporary file path
+ ansible.builtin.debug:
+ msg: 'Temporary rules file: {{ rules_file.path }}'
+
+# If I simply restart the netfilter-persistent service, it happily restarts,
+# effectively ignoring errors in files. That way the operator doesn't get
+# feedback if the rules file is malformed.
+- name: Check that the rules are valid
+ become: true
+ ansible.builtin.command:
+ argv:
+ - '/usr/sbin/{{ item.tool }}-restore'
+ - --test
+ - '{{ rules_file.path }}'
+ changed_when: false
+
+- name: Copy rules to /etc/iptables
+ become: true
+ ansible.builtin.copy:
+ remote_src: true
+ src: '{{ rules_file.path }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: root
+ mode: '640'
+ notify: Reboot
+
+- name: Remove temporary file
+ become: true
+ ansible.builtin.file:
+ path: '{{ rules_file.path }}'
+ state: absent
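Review bot: If "Check that the rules are valid" fails (the point of this commit), the play stops there and "Remove temporary file" never runs, so the rendered rules stay on the host in the temp location; the same is true if the copy task fails. Wrapping the template/validate/copy tasks in a `block:` with the removal under `always:` guarantees cleanup on both paths, and it also keeps the `register: rules_file` scope intact since the tempfile task stays outside the block. Every task here references `item.src`/`item.dest`/`item.tool`, so this file is presumably included per item from elsewhere — if leaving the file behind on failure is intentional so the operator can inspect it at the printed path, say so with a comment such as `# On validation failure the temp file is deliberately kept for inspection.` instead.

```yaml
- name: Create a temporary file
  ansible.builtin.tempfile:
  register: rules_file

- block:
    # … unchanged: template, debug, validation and copy tasks, indented under block …
  always:
    - name: Remove temporary file
      become: true
      ansible.builtin.file:
        path: '{{ rules_file.path }}'
        state: absent
```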