From 78fa311998081460ceb7f4c6b801d0e80fb9df4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Wed, 18 Dec 2024 17:03:07 +0100
Subject: [PATCH] feat: add generic firewall rule to allow traffic between
 cluster members. That way, we hope that operation is not affected even if we
 switch iptables' default policy to DENY and set stricter rules

---
 molecule/resources/playbooks/prepare.yml | 25 +++++++++++++++++++
 molecule/virtualbox_alma8/molecule.yml   | 31 +++++++++++++++++++++---
 tasks/configure_iptables.yml             | 15 ++++++++++++
 3 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
index a90fb40..01d23ca 100644
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -1,7 +1,32 @@
 ---
 - name: Prepare
   hosts: "*"
+  # Defer fact gathering, or Python interpreter detection will fail. For some
+  # reason, as of 2024-12-18, the almalinux/8 Vagrant Box comes without Python3
+  # preinstalled. Because, why would it, right? So we have to install it first
+  # and only then can we gather any facts.
+  gather_facts: false
+  become: true
   pre_tasks:
+    - name: |
+        Almalinux 8 Vagrant Boxes come without Python installed, so we have to
+        prepare this before we can gather any facts.
+      block:
+        - name: Update package manager metadata
+          ansible.builtin.raw: "dnf makecache"
+        - name: Install Python3
+          ansible.builtin.raw: "dnf -y install python3.12"
+          become: true
+    - name: Gather facts now, after Python has been installed.
+      ansible.builtin.gather_facts:
+        parallel: true
+
+    - name: Write /etc/hosts file for all nodes, so we get name resolution.
+      ansible.builtin.lineinfile:
+        path: "/etc/hosts"
+        line: "{{ hostvars[item].ansible_all_ipv4_addresses | first }} {{ item }}"
+      loop: "{{ groups['all'] }}"
+
     - name: configure additional package repositories for Debian
       when: ansible_os_family == "Debian"
       block:
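Review bot: On the `line:` entry of the /etc/hosts task, `ansible_all_ipv4_addresses | first` is likely the wrong address on these Vagrant boxes: the first IPv4 address is usually the NAT interface, which every VM shares, whereas the cluster addresses are the static private_network IPs configured in molecule.yml in this same patch (192.168.56.10/.11), so every name may resolve to the same NAT address and never match the per-host source lists the new INPUT rules are built from. Selecting the private-network address explicitly, e.g. `line: "{{ hostvars[item].ansible_all_ipv4_addresses | select('match', '^192\\.168\\.56\\.') | first }} {{ item }}"`, or reading it from the same variable the firewall rules use, makes the mapping deterministic. The task also has no `regexp:`, so a changed address appends a second entry instead of replacing the old one; `regexp: "\\s{{ item }}$"` keeps it idempotent. The `become: true` on the Install Python3 task is redundant with the play-level `become: true` added above it.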
diff --git a/molecule/virtualbox_alma8/molecule.yml b/molecule/virtualbox_alma8/molecule.yml
index 781b114..960221b 100644
--- a/molecule/virtualbox_alma8/molecule.yml
+++ b/molecule/virtualbox_alma8/molecule.yml
@@ -4,6 +4,11 @@ dependency:
   enabled: false
 driver:
   name: vagrant
+  provider:
+    # Can be any supported provider (virtualbox, parallels, libvirt, etc)
+    # Defaults to virtualbox
+    # name: libvirt
+    name: virtualbox
 platforms:
   # Check out the documentation at
   # https://github.com/ansible-community/molecule-vagrant#documentation
@@ -12,24 +17,38 @@ platforms:
     box: almalinux/8
     memory: 1024
     # List of raw Vagrant `config` options.
-    # provider_raw_config_args:
-    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    provider_raw_config_args:
+      - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: true
       ssh.remote_user: "lza"
       disksize.size: '20GB'
+    interfaces:
+      - network_name: private_network
+        type: static
+        ip: 192.168.56.10
+        auto_config: true
+#        options:
+#          append_platform_to_hostname: no
   - name: vm-rosora-mol
     box: almalinux/8
     memory: 1024
     # List of raw Vagrant `config` options.
-    # provider_raw_config_args:
-    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    provider_raw_config_args:
+      - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: true
       ssh.remote_user: "lza"
       disksize.size: '20GB'
+    interfaces:
+      - network_name: private_network
+        type: static
+        ip: 192.168.56.11
+        auto_config: true
+#        options:
+#          append_platform_to_hostname: no
 provisioner:
   name: ansible
   log: true
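Review bot: The static `ip:` values 192.168.56.10 and 192.168.56.11 are the addresses that the cluster-wide INPUT rules in tasks/configure_iptables.yml must list per host through `vault_iptables_input_cluster_general`, yet nothing in this file points at that coupling, so changing one side silently locks the nodes out of each other once the default policy is tightened. A comment above each `interfaces:` block such as `# must match the per-host sources in vault_iptables_input_cluster_general (tasks/configure_iptables.yml)` would make the dependency visible. The commented-out `append_platform_to_hostname: no` should be written as `false` if it is ever re-enabled, since `no` is parsed differently by YAML 1.1 and 1.2 loaders.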
@@ -45,5 +64,9 @@ provisioner:
     converge: ../resources/playbooks/converge.yml
     prepare: ../resources/playbooks/prepare.yml
     verify: ../resources/playbooks/verify.yml
+  inventory:
+    group_vars:
+      all:
+        ansible_python_interpreter: "/usr/bin/python3.12"
 verifier:
   name: ansible
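Review bot: The interpreter path on the `ansible_python_interpreter` line duplicates the version pinned by `dnf -y install python3.12` in molecule/resources/playbooks/prepare.yml in this same patch; if only one of the two is bumped, the install succeeds and fact gathering then fails with a missing interpreter. A comment on this line naming the other location, e.g. `# keep in sync with the python3.12 install in ../resources/playbooks/prepare.yml`, would make the coupling explicit.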
diff --git a/tasks/configure_iptables.yml b/tasks/configure_iptables.yml
index acab8b4..c7a1f85 100644
--- a/tasks/configure_iptables.yml
+++ b/tasks/configure_iptables.yml
@@ -44,6 +44,21 @@
   tags: [molecule-notest]
 # http://shouldiblockicmp.com
 
+- name: iptables-Regeln (IPv4) setzen - Chain INPUT
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "INPUT"
+    comment: "allow general access across the cluster"
+    ip_version: "ipv4"
+    jump: "ACCEPT"
+    protocol: "tcp"
+    source: "{{ item }}"
+    state: "present"
+    table: "filter"
+  loop: "{{ vault_iptables_input_cluster_general[ansible_hostname] }}"
+  notify:
+    - save iptables rules
+
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 
 ## Configure specific rules - Chain OUTPUT
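Review bot: The new INPUT rule carries no `destination_port`/`destination_ports`, so each listed cluster address gets TCP access to every port on the host rather than to the services the cluster actually needs; if that breadth is deliberate, as the "allow general access across the cluster" comment suggests, state it in a task comment, otherwise narrow it with `destination_ports:` per service. The rule also matches only `protocol: "tcp"` and only IPv4, so UDP, ICMP (see the shouldiblockicmp note just above) and any IPv6 traffic between members will still fall through to the stricter default policy the commit message describes; matching rules or a comment explaining why they are not needed would close that gap. The `loop:` indexes `vault_iptables_input_cluster_general` by `ansible_hostname`, which fails the play with an undefined-variable error for any host missing from the vault mapping; under a restrictive default policy that loud failure is the right outcome, so a comment like `# every cluster host needs an entry here; a missing key fails the play on purpose` would stop a future `| default([])` from silently leaving a host without rules.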
-- 
GitLab