From 67baf330eaf8abd11f14c83a726f19dae85cdc34 Mon Sep 17 00:00:00 2001
From: Marek Pawel Broz
Date: Fri, 5 Jul 2024 12:45:25 +0200
Subject: [PATCH 1/2] #501 - add firewalld config
---
add_balancer.yml | 2 +-
add_pgnode.yml | 2 +-
balancers.yml | 2 +-
config_pgcluster.yml | 2 +-
consul.yml | 2 +-
deploy_pgcluster.yml | 11 +++++------
etcd_cluster.yml | 2 +-
roles/fw_firewalld/tasks/main.yml | 18 ++++++++++++++++++
.../.gitignore | 0
.../.travis.yml | 0
.../.yamllint | 0
.../LICENSE | 0
.../README.md | 0
.../defaults/main.yml | 0
.../handlers/main.yml | 0
.../tasks/disable-other-firewalls.yml | 0
.../tasks/main.yml | 0
.../templates/firewall.bash.j2 | 0
.../templates/firewall.init.j2 | 0
.../templates/firewall.unit.j2 | 0
vars/system.yml | 1 +
21 files changed, 30 insertions(+), 12 deletions(-)
create mode 100644 roles/fw_firewalld/tasks/main.yml
rename roles/{ansible-role-firewall => fw_iptables}/.gitignore (100%)
rename roles/{ansible-role-firewall => fw_iptables}/.travis.yml (100%)
rename roles/{ansible-role-firewall => fw_iptables}/.yamllint (100%)
rename roles/{ansible-role-firewall => fw_iptables}/LICENSE (100%)
rename roles/{ansible-role-firewall => fw_iptables}/README.md (100%)
rename roles/{ansible-role-firewall => fw_iptables}/defaults/main.yml (100%)
rename roles/{ansible-role-firewall => fw_iptables}/handlers/main.yml (100%)
rename roles/{ansible-role-firewall => fw_iptables}/tasks/disable-other-firewalls.yml (100%)
rename roles/{ansible-role-firewall => fw_iptables}/tasks/main.yml (100%)
rename roles/{ansible-role-firewall => fw_iptables}/templates/firewall.bash.j2 (100%)
rename roles/{ansible-role-firewall => fw_iptables}/templates/firewall.init.j2 (100%)
rename roles/{ansible-role-firewall => fw_iptables}/templates/firewall.unit.j2 (100%)
diff --git a/add_balancer.yml b/add_balancer.yml
index 75dafcd7a..bcc012c54 100644
--- a/add_balancer.yml
+++ b/add_balancer.yml
@@ -103,7 +103,7 @@ tags: firewall roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" environment: "{{ proxy_env | default({}) }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
diff --git a/add_pgnode.yml b/add_pgnode.yml
index 26a06fe57..47b8c5418 100644
--- a/add_pgnode.yml
+++ b/add_pgnode.yml
@@ -112,7 +112,7 @@ tags: firewall roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" environment: "{{ proxy_env | default({}) }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
diff --git a/balancers.yml b/balancers.yml
index 9a2cfb218..1f3a76afa 100644
--- a/balancers.yml
+++ b/balancers.yml
@@ -76,7 +76,7 @@ tags: firewall roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" environment: "{{ proxy_env | default({}) }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
diff --git a/config_pgcluster.yml b/config_pgcluster.yml
index 42110ab41..38afad70d 100644
--- a/config_pgcluster.yml
+++ b/config_pgcluster.yml
@@ -121,7 +121,7 @@ when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' not in (nameservers | default([]))) roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}" firewall_additional_rules: "{{ firewall_rules_dynamic_var | default([]) | unique }}"
diff --git a/consul.yml b/consul.yml
index 38e9238e5..4cfb59386 100644
--- a/consul.yml
+++ b/consul.yml
@@ -132,7 +132,7 @@ when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' in (consul_dnsmasq_servers | default([]))) roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}" firewall_additional_rules: "{{ firewall_rules_dynamic_var | default([]) | unique }}"
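Review bot: The role name is now resolved at runtime from `firewall_type`, and nothing in this hunk (or in the identical ones in add_pgnode.yml, balancers.yml, config_pgcluster.yml, consul.yml, deploy_pgcluster.yml and etcd_cluster.yml) checks that the value names a role that actually exists, so a typo surfaces only as a role-not-found error deep in the play. A short `pre_tasks` assertion such as `- ansible.builtin.assert:` / `that: firewall_type in ['iptables', 'firewalld']` / `fail_msg: "firewall_type must be one of: iptables, firewalld"` fails fast with a clear message before any firewall state is touched. The enclosing play starts outside the hunk.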
diff --git a/deploy_pgcluster.yml b/deploy_pgcluster.yml
index 2c12035df..85f361502 100644
--- a/deploy_pgcluster.yml
+++ b/deploy_pgcluster.yml
@@ -1,5 +1,4 @@ --- - - name: Deploy PostgreSQL HA Cluster (based on "Patroni") hosts: all become: true
@@ -97,9 +96,9 @@ when: ansible_os_family == "Debian" # Ansible requires the iproute package for network facts to be populated - - name: Make sure that the iproute is installed + - name: Make sure that the {{ firewall_type }} is installed ansible.builtin.package: - name: iproute + name: "{{ firewall_type }}" state: present register: package_status until: package_status is success
@@ -107,9 +106,9 @@ retries: 3 when: ansible_os_family == "RedHat" - - name: Make sure that the iproute is installed + - name: Make sure that the {{ firewall_type }} is installed ansible.builtin.apt: - name: iproute2 + name: "{% if firewall_type == 'iproute' %}iproute2{% else %}{{firewall_type}}{% endif %}" state: present register: apt_status until: apt_status is success
@@ -168,7 +167,7 @@ when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' not in (nameservers | default([]))) roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" environment: "{{ proxy_env | default({}) }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
diff --git a/etcd_cluster.yml b/etcd_cluster.yml
index 9ad971691..fd337853b 100644
--- a/etcd_cluster.yml
+++ b/etcd_cluster.yml
@@ -64,7 +64,7 @@ tags: firewall roles: - - role: ansible-role-firewall + - role: "fw_{{ firewall_type }}" environment: "{{ proxy_env | default({}) }}" vars: firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
diff --git a/roles/fw_firewalld/tasks/main.yml b/roles/fw_firewalld/tasks/main.yml
new file mode 100644
index 000000000..2e53a84db
--- /dev/null
+++ b/roles/fw_firewalld/tasks/main.yml
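Review bot: The two package tasks in the `@@ -97,9 +96,9 @@` and `@@ -107,9 +106,9 @@` hunks of deploy_pgcluster.yml no longer install iproute: the RedHat task now installs `{{ firewall_type }}` and the Debian task only selects `iproute2` when `firewall_type == 'iproute'`, which is never a firewall backend, while the context comment above them still says Ansible needs iproute for network facts. Restoring `- name: Make sure that the iproute is installed` with `name: iproute` / `name: iproute2` in both tasks keeps fact gathering working, and no firewall pre-install is needed here because the new `fw_firewalld` role in this patch (and `fw_ufw` in the next) already installs its own package. If a pre-install is still wanted, make it a separate task with its own `when`, and write the Jinja as `{{ firewall_type }}` rather than `{{firewall_type}}` to match the rest of the file. The enclosing `tasks:` list starts and ends outside these hunks.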
@@ -0,0 +1,18 @@
+---
+- name: Ensure firewalld is present.
+ ansible.builtin.package:
+ name: firewalld
+ state: present
+ register: package_status
+ until: package_status is success
+ delay: 5
+ retries: 3
+
+- name: Configure the firewall service.
+ ansible.posix.firewalld:
+ port: "{{ item }}/tcp"
+ immediate: true
+ permanent: true
+ state: enabled
+ with_items: "{{ firewall_allowed_tcp_ports }}"
+
diff --git a/roles/ansible-role-firewall/.gitignore b/roles/fw_iptables/.gitignore
similarity index 100%
rename from roles/ansible-role-firewall/.gitignore
rename to roles/fw_iptables/.gitignore
diff --git a/roles/ansible-role-firewall/.travis.yml b/roles/fw_iptables/.travis.yml
similarity index 100%
rename from roles/ansible-role-firewall/.travis.yml
rename to roles/fw_iptables/.travis.yml
diff --git a/roles/ansible-role-firewall/.yamllint b/roles/fw_iptables/.yamllint
similarity index 100%
rename from roles/ansible-role-firewall/.yamllint
rename to roles/fw_iptables/.yamllint
diff --git a/roles/ansible-role-firewall/LICENSE b/roles/fw_iptables/LICENSE
similarity index 100%
rename from roles/ansible-role-firewall/LICENSE
rename to roles/fw_iptables/LICENSE
diff --git a/roles/ansible-role-firewall/README.md b/roles/fw_iptables/README.md
similarity index 100%
rename from roles/ansible-role-firewall/README.md
rename to roles/fw_iptables/README.md
diff --git a/roles/ansible-role-firewall/defaults/main.yml b/roles/fw_iptables/defaults/main.yml
similarity index 100%
rename from roles/ansible-role-firewall/defaults/main.yml
rename to roles/fw_iptables/defaults/main.yml
diff --git a/roles/ansible-role-firewall/handlers/main.yml b/roles/fw_iptables/handlers/main.yml
similarity index 100%
rename from roles/ansible-role-firewall/handlers/main.yml
rename to roles/fw_iptables/handlers/main.yml
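Review bot: The new role only consumes `firewall_allowed_tcp_ports`; `firewall_additional_rules`, which config_pgcluster.yml and consul.yml in this same patch still pass into `fw_{{ firewall_type }}`, is silently dropped, so whatever the iptables backend did with those rules no longer happens under firewalld (the fw_ufw role in the second patch has the same gap). Nothing ensures the firewalld daemon is running and enabled before the `ansible.posix.firewalld` task, and with `immediate: true` the module, as far as I recall, refuses to touch a stopped daemon unless `offline` is set, so a service task between the two existing tasks is needed. The iptables role ships `tasks/disable-other-firewalls.yml`, whereas nothing here stops a previously configured iptables service, so a host switched from `iptables` to `firewalld` could presumably end up with two rule sets — worth confirming. `loop:` is the current idiom over `with_items:`.
```yaml
# … unchanged: "Ensure firewalld is present." package task …

- name: Ensure firewalld is running and enabled.
  ansible.builtin.service:
    name: firewalld
    state: started
    enabled: true

# … unchanged: "Configure the firewall service." firewalld task …
```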
diff --git a/roles/ansible-role-firewall/tasks/disable-other-firewalls.yml b/roles/fw_iptables/tasks/disable-other-firewalls.yml
similarity index 100%
rename from roles/ansible-role-firewall/tasks/disable-other-firewalls.yml
rename to roles/fw_iptables/tasks/disable-other-firewalls.yml
diff --git a/roles/ansible-role-firewall/tasks/main.yml b/roles/fw_iptables/tasks/main.yml
similarity index 100%
rename from roles/ansible-role-firewall/tasks/main.yml
rename to roles/fw_iptables/tasks/main.yml
diff --git a/roles/ansible-role-firewall/templates/firewall.bash.j2 b/roles/fw_iptables/templates/firewall.bash.j2
similarity index 100%
rename from roles/ansible-role-firewall/templates/firewall.bash.j2
rename to roles/fw_iptables/templates/firewall.bash.j2
diff --git a/roles/ansible-role-firewall/templates/firewall.init.j2 b/roles/fw_iptables/templates/firewall.init.j2
similarity index 100%
rename from roles/ansible-role-firewall/templates/firewall.init.j2
rename to roles/fw_iptables/templates/firewall.init.j2
diff --git a/roles/ansible-role-firewall/templates/firewall.unit.j2 b/roles/fw_iptables/templates/firewall.unit.j2
similarity index 100%
rename from roles/ansible-role-firewall/templates/firewall.unit.j2
rename to roles/fw_iptables/templates/firewall.unit.j2
diff --git a/vars/system.yml b/vars/system.yml
index 81de3ff2a..7daf2e974 100644
--- a/vars/system.yml
+++ b/vars/system.yml
@@ -127,6 +127,7 @@ sudo_users: # Firewall firewall_enabled_at_boot: false # or 'true' for configure firewall (iptables) +firewall_type: "firewalld" # available 'iptables','firewalld' firewall_allowed_tcp_ports_for: master: []
From ebcfa7c1e396742b13678c56b55b7a8a73b17a0b Mon Sep 17 00:00:00 2001
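Review bot: The new default `firewall_type: "firewalld"` in vars/system.yml switches the backend for every existing inventory that was deployed with the previous `ansible-role-firewall` (iptables) role, so a re-run on such hosts would presumably configure firewalld next to the iptables rules already in place; defaulting to `"iptables"` keeps current deployments unchanged and makes firewalld an opt-in. The context line above it, `firewall_enabled_at_boot: false # or 'true' for configure firewall (iptables)`, is now stale and should read something like `# or 'true' to configure the firewall selected by firewall_type`. The trailing comment is the only place that lists the valid values, so keep it in sync as `fw_*` roles are added.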
From: Marek Pawel Broz
Date: Sat, 6 Jul 2024 18:47:38 +0200
Subject: [PATCH 2/2] -
---
roles/fw_firewalld/handlers/main.yml | 0
roles/fw_firewalld/tasks/main.yml | 1 -
roles/fw_ufw/handlers/main.yml | 0
roles/fw_ufw/tasks/main.yml | 20 ++++++++++++++++++++
4 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 roles/fw_firewalld/handlers/main.yml
create mode 100644 roles/fw_ufw/handlers/main.yml
create mode 100644 roles/fw_ufw/tasks/main.yml
diff --git a/roles/fw_firewalld/handlers/main.yml b/roles/fw_firewalld/handlers/main.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/roles/fw_firewalld/tasks/main.yml b/roles/fw_firewalld/tasks/main.yml
index 2e53a84db..21421c3e4 100644
--- a/roles/fw_firewalld/tasks/main.yml
+++ b/roles/fw_firewalld/tasks/main.yml
@@ -15,4 +15,3 @@ permanent: true state: enabled with_items: "{{ firewall_allowed_tcp_ports }}"
-
diff --git a/roles/fw_ufw/handlers/main.yml b/roles/fw_ufw/handlers/main.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/roles/fw_ufw/tasks/main.yml b/roles/fw_ufw/tasks/main.yml
new file mode 100644
index 000000000..1def5b34b
--- /dev/null
+++ b/roles/fw_ufw/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Ensure firewalld is present.
+ ansible.builtin.package:
+ name: ufw
+ state: present
+ register: package_status
+ until: package_status is success
+ delay: 5
+ retries: 3
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
+
+- name: Configure ufw rules.
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ with_items: "{{ firewall_allowed_tcp_ports }}"
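Review bot: In roles/fw_ufw/tasks/main.yml the `Enable UFW` task runs before any allow rule exists, so on a host whose ufw default incoming policy is deny the firewall goes active with nothing but the already-established Ansible session permitted, and depending on connection reuse the next task or play can be locked out; move `Enable UFW` after the `Configure ufw rules.` task so the allow rules are in place when the firewall is switched on. The first task's name, `Ensure firewalld is present.`, is a copy-paste from the firewalld role and should be `Ensure ufw is present.`. This role depends on the `community.general` collection (as the firewalld role does on `ansible.posix`); no requirements file is visible in either patch, so confirm both are declared. The `vars/system.yml` comment from the first patch still lists only `'iptables','firewalld'` and should gain `'ufw'`.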