feat: add generic firewall rule to allow traffic between cluster members. That...

feat: add generic firewall rule to allow traffic between cluster members. That way, we hope that operation is not affected even if we switch iptables' default policy to DENY and set stricter rules

molecule/resources/playbooks/prepare.yml

 ---
 - name: Prepare
   hosts: "*"
+  # Defer fact gathering, or Python interpreter detection will fail. For some
+  # reason, as of 2024-12-18, the almalinux/8 Vagrant Box comes without Python3
+  # preinstalled. Because, why would it, right? So we have to install it first
+  # and only then can we gather any facts.
+  gather_facts: false
+  become: true
   pre_tasks:
+    - name: |
+        Almalinux 8 Vagrant Boxes come without Python installed, so we have to
+        prepare this before we can gather any facts.
+      block:
+        - name: Update package manager metadata
+          ansible.builtin.raw: "dnf makecache"
+        - name: Install Python3
+          ansible.builtin.raw: "dnf -y install python3.12"
+          become: true
+    - name: Gather facts now, after Python has been installed.
+      ansible.builtin.gather_facts:
+        parallel: true
+
+    - name: Write /etc/hosts file for all nodes, so we get name resolution.
+      ansible.builtin.lineinfile:
+        path: "/etc/hosts"
+        line: "{{ hostvars[item].ansible_all_ipv4_addresses | first }} {{ item }}"
+      loop: "{{ groups['all'] }}"
+
     - name: configure additional package repositories for Debian
       when: ansible_os_family == "Debian"
       block:

molecule/virtualbox_alma8/molecule.yml

@@ -4,6 +4,11 @@ dependency:
   enabled: false
 driver:
   name: vagrant
+  provider:
+    # Can be any supported provider (virtualbox, parallels, libvirt, etc)
+    # Defaults to virtualbox
+    # name: libvirt
+    name: virtualbox
 platforms:
   # Check out the documentation at
   # https://github.com/ansible-community/molecule-vagrant#documentation
@@ -12,24 +17,38 @@ platforms:
     box: almalinux/8
     memory: 1024
     # List of raw Vagrant `config` options.
-    # provider_raw_config_args:
-    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    provider_raw_config_args:
+      - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: true
       ssh.remote_user: "lza"
       disksize.size: '20GB'
+    interfaces:
+      - network_name: private_network
+        type: static
+        ip: 192.168.56.10
+        auto_config: true
+#        options:
+#          append_platform_to_hostname: no
   - name: vm-rosora-mol
     box: almalinux/8
     memory: 1024
     # List of raw Vagrant `config` options.
-    # provider_raw_config_args:
-    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    provider_raw_config_args:
+      - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: true
       ssh.remote_user: "lza"
       disksize.size: '20GB'
+    interfaces:
+      - network_name: private_network
+        type: static
+        ip: 192.168.56.11
+        auto_config: true
+#        options:
+#          append_platform_to_hostname: no
 provisioner:
   name: ansible
   log: true
@@ -45,5 +64,9 @@ provisioner:
     converge: ../resources/playbooks/converge.yml
     prepare: ../resources/playbooks/prepare.yml
     verify: ../resources/playbooks/verify.yml
+  inventory:
+    group_vars:
+      all:
+        ansible_python_interpreter: "/usr/bin/python3.12"
 verifier:
   name: ansible

tasks/configure_iptables.yml

@@ -44,6 +44,21 @@
   tags: [molecule-notest]
 # http://shouldiblockicmp.com
 
+- name: iptables-Regeln (IPv4) setzen - Chain INPUT
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "INPUT"
+    comment: "allow general access across the cluster"
+    ip_version: "ipv4"
+    jump: "ACCEPT"
+    protocol: "tcp"
+    source: "{{ item }}"
+    state: "present"
+    table: "filter"
+  loop: "{{ vault_iptables_input_cluster_general[ansible_hostname] }}"
+  notify:
+    - save iptables rules
+
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 
 ## Configure specific rules - Chain OUTPUT