From a3d39b262e525937bfbbd0abb6e5b9e36668d6a6 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Fri, 1 Sep 2023 01:52:17 +0200
Subject: firewall: using the validate arg for testing the config
---
roles/firewall/tasks/file.yml | 45 -------------------------------------------
roles/firewall/tasks/main.yml | 10 +++++++++-
2 files changed, 9 insertions(+), 46 deletions(-)
delete mode 100644 roles/firewall/tasks/file.yml
diff --git a/roles/firewall/tasks/file.yml b/roles/firewall/tasks/file.yml
deleted file mode 100644
index 5f4bb08..0000000
--- a/roles/firewall/tasks/file.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-- name: Create temporary file
- ansible.builtin.tempfile:
- register: rules_file
-- name: Configure rules in temporary file
- become: true
- ansible.builtin.template:
- src: '{{ item.src }}'
- dest: '{{ rules_file.path }}'
- owner: root
- group: root
- mode: '640'
-- name: Print temporary file path
- ansible.builtin.debug:
- msg: 'Temporary rules file: {{ rules_file.path }}'
-# If I simply restart the netfilter-persistent service, it happily restarts,
-# effectively ignoring errors in files. That way the operator doesn't get
-# feedback if the rules file is malformed.
-- name: Check that rules are valid
- become: true
- ansible.builtin.command:
- argv:
- '/usr/sbin/{{ item.tool }}-restore'
- --test
- '{{ rules_file.path }}'
- changed_when: false
-- name: Copy rules to /etc/iptables
- become: true
- ansible.builtin.copy:
- remote_src: true
- src: '{{ rules_file.path }}'
- dest: '{{ item.dest }}'
- owner: root
- group: root
- mode: '640'
- notify: firewall_reboot
-- name: Remove temporary file
- become: true
- ansible.builtin.file:
- path: '{{ rules_file.path }}'
- state: absent
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index c17a4e3..909eaa4 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -6,7 +6,15 @@
install_recommends: false
- name: Configure rule files
- ansible.builtin.include_tasks: file.yml
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: root
+ mode: '640'
+ validate: '/usr/sbin/{{ item.tool }}-restore --test %s'
+ notify: firewall_reboot
loop:
- {src: rules.v4.j2, dest: /etc/iptables/rules.v4, tool: iptables}
- {src: rules.v6.j2, dest: /etc/iptables/rules.v6, tool: ip6tables}
-- cgit v1.2.3
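Review bot: The rationale for the validation step is lost together with file.yml: the deleted comment explained that restarting netfilter-persistent succeeds even when a rules file is malformed, so the new `validate:` line in "Configure rule files" now reads as optional and is the first thing a later cleanup would drop. Carry that reasoning over as a comment directly above `validate:`, e.g. `# netfilter-persistent restarts fine on a malformed rules file; run` / `# <tool>-restore --test so a bad template fails here, before it replaces the live file.` It is also worth noting in that comment that `--test` only parses and builds the ruleset, so it catches syntax errors but says nothing about whether the resulting policy still admits the operator's own management traffic; that limitation is unchanged from the old task. The task list this hunk edits starts before the hunk.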