From c738899c5e4403fd39f7295e3b9b8d51d76a0b20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 10 Nov 2022 17:30:25 +0100
Subject: [PATCH] fix: include tasks and Vault for iptables firewall
 configuration

---
 handlers/main.yml | 37 +++++++++++++++++++++++++++++++++++++
 tasks/main.yml    |  5 +++++
 2 files changed, 42 insertions(+)

diff --git a/handlers/main.yml b/handlers/main.yml
index 56b8cec..44b8a3c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,3 +14,40 @@
     name: "{{ item }}.service"
     state: restarted
   loop: "{{ vault_service_files.keys() | list }}"
+
+- name: save iptables rules (Debian)
+  block:
+    - name: Ordner für iptables-Config erstellen
+      ansible.builtin.file:
+        path: "/etc/iptables"
+        state: directory
+        owner: "root"
+        group: "root"
+        mode: "0755"
+      listen: "save iptables rules"
+    - name: install netfilter-persistent to be able to save iptables rules
+      ansible.builtin.apt:
+        name: netfilter-persistent
+        state: present
+      listen: "save iptables rules"
+    # we exclude this task from being linted for "no-changed-when", because handlers only ever run if there's a change triggered by a task
+    - name: save iptables rules
+      ansible.builtin.command: 'netfilter-persistent save'      # noqa no-changed-when
+      listen: "save iptables rules"
+  when: ansible_os_family == "Debian"
+
+- name: save iptables rules (RedHat)
+  block:
+    - name: make sure iptables config file exists
+      ansible.builtin.file:
+        path: "/etc/sysconfig/iptables"
+        state: touch
+        owner: "root"
+        group: "root"
+        mode: "0600"
+      listen: "save iptables rules"
+    # we exclude this task from being linted for "no-changed-when", because handlers only ever run if there's a change triggered by a task
+    - name: save rules
+      ansible.builtin.command: /usr/sbin/iptables-save        # noqa no-changed-when
+      listen: "save iptables rules"
+  when: ansible_os_family == "RedHat"
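Review bot: The RedHat handler `save rules` does not persist anything: `/usr/sbin/iptables-save` only writes the ruleset to stdout, and under ansible.builtin.command that output ends up in the task result rather than in the `/etc/sysconfig/iptables` file the preceding task touches, so the rules are still lost at reboot. Redirect it through the shell module, `ansible.builtin.shell: /usr/sbin/iptables-save > /etc/sysconfig/iptables`, or call the distribution's own `service iptables save` from iptables-services. On the Debian side, `netfilter-persistent save` depends on the iptables plugins that, as far as I recall, ship in the iptables-persistent package rather than in netfilter-persistent alone, so installing `iptables-persistent` (which pulls in netfilter-persistent) looks safer, though this is worth confirming on the target release. A short comment above both handlers would help the next maintainer, e.g. `# the persisted file is what is restored at boot; a save that writes nothing leaves the old rules in effect after reboot`.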
diff --git a/tasks/main.yml b/tasks/main.yml
index 54e5df7..de0d353 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,6 +2,7 @@
 - name: include Ansible Vaults
   ansible.builtin.include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
   loop:
+    - "iptables.vault"
     - "nfs_mounts.vault"
     - "repos.vault"
     - "users_groups.vault"
@@ -41,3 +42,7 @@
 - name: install SystemD-Services
   ansible.builtin.import_tasks: "configure-systemd-services.yml"
   tags: [systemd]
+
+- name: configure iptables Firewall
+  ansible.builtin.import_tasks: "configure_iptables_externalusers.yml"
+  tags: [iptables, firewall]
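Review bot: The imported file `configure_iptables_externalusers.yml` is not part of this patch (the diffstat lists only handlers/main.yml and tasks/main.yml), so unless it already exists in the role, `ansible.builtin.import_tasks` fails at parse time for every run of the role, not only when the `iptables` tag is selected. If the file is intended to arrive in a separate commit, the commit message should say so. Its name also breaks with the neighbouring `configure-systemd-services.yml`; `configure-iptables-externalusers.yml` would match the role's existing hyphenated convention.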
-- 
GitLab