Add firewalld/ufw support

add_balancer.yml

@@ -1,4 +1,4 @@
 ---
 - name: add_balancer.yml | Add HAProxy balancer node
   hosts: balancers
   become: true
@@ -103,7 +103,7 @@
       tags: firewall
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       environment: "{{ proxy_env | default({}) }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"

add_pgnode.yml

@@ -1,4 +1,4 @@
 ---
 - name: add_pgnode.yml | PostgreSQL HA Cluster Scaling (add a replica node)
   hosts: postgres_cluster
   become: true
@@ -112,7 +112,7 @@
       tags: firewall
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       environment: "{{ proxy_env | default({}) }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"

balancers.yml

@@ -1,4 +1,4 @@
 ---
 - name: balancers.yml | Configure HAProxy load balancers
   hosts: balancers
   become: true
@@ -76,7 +76,7 @@
       tags: firewall
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       environment: "{{ proxy_env | default({}) }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"

config_pgcluster.yml

@@ -1,4 +1,4 @@
 ---
 - name: config_pgcluster.yml | Configuration PostgreSQL HA Cluster (based on "Patroni")
   hosts: postgres_cluster
   gather_facts: true
@@ -121,7 +121,7 @@
       when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' not in (nameservers | default([])))
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
         firewall_additional_rules: "{{ firewall_rules_dynamic_var | default([]) | unique }}"

consul.yml

@@ -1,4 +1,4 @@
 ---
 - name: consul.yml | Configure Consul instances
   hosts: consul_instances
   become: true
@@ -132,7 +132,7 @@
       when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' in (consul_dnsmasq_servers | default([])))
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"
         firewall_additional_rules: "{{ firewall_rules_dynamic_var | default([]) | unique }}"

deploy_pgcluster.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Deploy PostgreSQL HA Cluster (based on "Patroni")
   hosts: all
   become: true
@@ -99,7 +98,7 @@
     # Ansible requires the iproute package for network facts to be populated
     - name: Make sure that the iproute is installed
       ansible.builtin.package:
-        name: iproute
+        name: "iproute"
         state: present
       register: package_status
       until: package_status is success
@@ -109,7 +108,7 @@
 
     - name: Make sure that the iproute is installed
       ansible.builtin.apt:
-        name: iproute2
+        name: "iproute2"
         state: present
       register: apt_status
       until: apt_status is success
@@ -168,7 +167,7 @@
       when: dcs_type == "consul" and consul_dnsmasq_enable | bool and ('127.0.0.1' not in (nameservers | default([])))
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       environment: "{{ proxy_env | default({}) }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"

etcd_cluster.yml

@@ -1,4 +1,4 @@
 ---
 - name: etcd_cluster.yml | Deploy etcd Cluster
   hosts: etcd_cluster
   become: true
@@ -64,7 +64,7 @@
       tags: firewall
 
   roles:
-    - role: ansible-role-firewall
+    - role: "fw_{{ firewall_type }}"
       environment: "{{ proxy_env | default({}) }}"
       vars:
         firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | default([]) | unique }}"

roles/fw_firewalld/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+firewall_state: started
+firewall_enabled_at_boot: true
+
+firewall_allowed_tcp_ports:
+  - "22"

roles/fw_firewalld/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: reloaded

roles/fw_firewalld/tasks/disable-other-firewalls.yml

@@ -0,0 +1,14 @@
+---
+- name: Disable iptables/firewall service.
+  ansible.builtin.service:
+    name: firewall
+    state: stopped
+    enabled: false
+  when: ansible_facts.services['firewall.service'] is defined
+
+- name: Disable ufw/firewall service.
+  ansible.builtin.service:
+    name: ufw
+    state: stopped
+    enabled: false
+  when: ansible_facts.services['ufw.service'] is defined

roles/fw_firewalld/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Ensure firewalld is present.
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+  register: package_status
+  until: package_status is success
+  delay: 5
+  retries: 3
+
+- name: Configure the firewalld service.
+  ansible.builtin.service:
+    name: firewalld
+    state: "{{ firewall_state }}"
+    enabled: "{{ firewall_enabled_at_boot }}"
+
+- name: Configure the firewall service.
+  ansible.posix.firewalld:
+    port: "{{ item }}/tcp"
+    immediate: true
+    permanent: true
+    state: enabled
+  with_items: "{{ firewall_allowed_tcp_ports }}"
+  notify: reload firewalld
+
+- name: Get services status.
+  ansible.builtin.service_facts:
+
+- ansible.builtin.import_tasks: disable-other-firewalls.yml
+  when: ansible_facts.services['firewall.service'] is defined or ansible_facts.services['ufw.service'] is defined

roles/fw_ufw/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+firewall_state: started
+firewall_enabled_at_boot: true
+
+firewall_allowed_tcp_ports:
+  - "22"

roles/fw_ufw/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload ufw
+  ansible.builtin.service:
+    name: ufw
+    state: reloaded

roles/fw_ufw/tasks/disable-other-firewalls.yml

@@ -0,0 +1,14 @@
+---
+- name: Disable iptables/firewall service.
+  ansible.builtin.service:
+    name: firewall
+    state: stopped
+    enabled: false
+  when: ansible_facts.services['firewall.service'] is defined
+
+- name: Disable firewalld service.
+  ansible.builtin.service:
+    name: firewalld
+    state: stopped
+    enabled: false
+  when: ansible_facts.services['firewalld.service'] is defined

roles/fw_ufw/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+- name: Ensure ufw is present.
+  ansible.builtin.package:
+    namee: ufw
+    state: present
+  register: package_status
+  until: package_status is success
+  delay: 5
+  retries: 3
+
+- name: Enable ufw service
+  ansible.builtin.service:
+    name: ufw
+    state: started
+    enabled: true
+
+- name: Configure | default (incoming) policy
+  community.general.ufw:
+    policy: "deny"
+    state: enabled
+    direction: incoming
+  notify: reload ufw
+
+- name: Configure | default (outgoing) policy
+  community.general.ufw:
+    policy: "allow"
+    state: enabled
+    direction: outgoing
+  notify: reload ufw
+
+- name: Configure the ufw service.
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  with_items: "{{ firewall_allowed_tcp_ports }}"
+  notify: reload ufw
+
+- name: Get services status.
+  ansible.builtin.service_facts:
+
+- ansible.builtin.import_tasks: disable-other-firewalls.yml
+  when: ansible_facts.services['firewall.service'] is defined or ansible_facts.services['firewalld.service'] is defined

vars/system.yml

@@ -131,7 +131,8 @@ sudo_users:
 
 
 # Firewall
-firewall_enabled_at_boot: false  # or 'true' for configure firewall (iptables)
+firewall_enabled_at_boot: false  # or 'true' for configure firewall
+firewall_type: "iptables"  # available 'iptables','firewalld','ufw'
 
 firewall_allowed_tcp_ports_for:
   master: []