Generalize UFW rule inventory inputs

2026-05-30 15:39:58 +00:00 · 2026-04-10 18:55:46 +02:00
parent 6742516b32
commit d045299f59
3 changed files with 33 additions and 3 deletions
--- a/ansible/inventory/host_vars/ikaros.yml
+++ b/ansible/inventory/host_vars/ikaros.yml
@@ -19,6 +19,7 @@ host_ufw_rules:
  - rule: allow
    port: "22"
    proto: tcp
+    src: "192.168.0.0/24"

 host_sshd_settings:
  PermitRootLogin: "no"
--- a/ansible/roles/profile_desktop_common/tasks/main.yml
+++ b/ansible/roles/profile_desktop_common/tasks/main.yml
@@ -142,6 +142,11 @@
  notify: Reload SSH service
  when: (host_sshd_allow_users | default([])) | length > 0

+- name: Define effective desktop UFW rules
+  tags: [services, packages]
+  ansible.builtin.set_fact:
+    desktop_ufw_rules_effective: "{{ host_ufw_rules | default([]) }}"
+
 - name: Apply host UFW rules on desktop
  tags: [services, packages]
  community.general.ufw:
@@ -149,7 +154,16 @@
    name: "{{ item.name | default(omit) }}"
    port: "{{ item.port | default(omit) }}"
    proto: "{{ item.proto | default(omit) }}"
-  loop: "{{ host_ufw_rules | default([]) }}"
+    from_ip: "{{ item.src | default(omit) }}"
+    to_ip: "{{ item.dest | default(omit) }}"
+    from_port: "{{ item.from_port | default(omit) }}"
+    direction: "{{ item.direction | default(omit) }}"
+    interface: "{{ item.interface | default(omit) }}"
+    interface_in: "{{ item.interface_in | default(omit) }}"
+    interface_out: "{{ item.interface_out | default(omit) }}"
+    route: "{{ item.route | default(omit) }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ desktop_ufw_rules_effective }}"
  loop_control:
    label: "{{ item.name | default(item.port) }}"

@@ -157,7 +171,7 @@
  tags: [services, packages]
  community.general.ufw:
    state: enabled
-  when: (host_ufw_rules | default([])) | length > 0
+  when: (desktop_ufw_rules_effective | default([])) | length > 0

 - name: Check whether libvirt service directory exists
  tags: [packages, services]
--- a/ansible/roles/profile_server/tasks/main.yml
+++ b/ansible/roles/profile_server/tasks/main.yml
@@ -68,6 +68,11 @@
  notify: Reload SSH service
  when: (server_sshd_allow_users | default([])) | length > 0

+- name: Define effective server UFW rules
+  tags: [services, packages]
+  ansible.builtin.set_fact:
+    server_ufw_rules_effective: "{{ server_ufw_rules | default([]) }}"
+
 - name: Apply server UFW rules
  tags: [services, packages]
  community.general.ufw:
@@ -75,7 +80,16 @@
    name: "{{ item.name | default(omit) }}"
    port: "{{ item.port | default(omit) }}"
    proto: "{{ item.proto | default(omit) }}"
-  loop: "{{ server_ufw_rules | default([]) }}"
+    from_ip: "{{ item.src | default(omit) }}"
+    to_ip: "{{ item.dest | default(omit) }}"
+    from_port: "{{ item.from_port | default(omit) }}"
+    direction: "{{ item.direction | default(omit) }}"
+    interface: "{{ item.interface | default(omit) }}"
+    interface_in: "{{ item.interface_in | default(omit) }}"
+    interface_out: "{{ item.interface_out | default(omit) }}"
+    route: "{{ item.route | default(omit) }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ server_ufw_rules_effective }}"
  loop_control:
    label: "{{ item.name | default(item.port) }}"

@@ -83,3 +97,4 @@
  tags: [services, packages]
  community.general.ufw:
    state: enabled
+  when: (server_ufw_rules_effective | default([])) | length > 0