From d5512285c1236e3120ff44b7bdb96554d012ebb7 Mon Sep 17 00:00:00 2001
From: Fabio Scotto di Santolo
Date: Fri, 10 Apr 2026 18:55:46 +0200
Subject: [PATCH] Generalize UFW rule inventory inputs

---
 ansible/inventory/host_vars/ikaros.yml | 1 +
 .../profile_desktop_common/tasks/main.yml | 18 ++++++++++++++++--
 ansible/roles/profile_server/tasks/main.yml | 17 ++++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/ansible/inventory/host_vars/ikaros.yml b/ansible/inventory/host_vars/ikaros.yml
index 019bafa..6cc730e 100644
--- a/ansible/inventory/host_vars/ikaros.yml
+++ b/ansible/inventory/host_vars/ikaros.yml
@@ -19,6 +19,7 @@ host_ufw_rules:
   - rule: allow
     port: "22"
     proto: tcp
+    src: "192.168.0.0/24"
 
 host_sshd_settings:
   PermitRootLogin: "no"
diff --git a/ansible/roles/profile_desktop_common/tasks/main.yml b/ansible/roles/profile_desktop_common/tasks/main.yml
index 9d9d961..feff55e 100644
--- a/ansible/roles/profile_desktop_common/tasks/main.yml
+++ b/ansible/roles/profile_desktop_common/tasks/main.yml
@@ -142,6 +142,11 @@
   notify: Reload SSH service
   when: (host_sshd_allow_users | default([])) | length > 0
 
+- name: Define effective desktop UFW rules
+  tags: [services, packages]
+  ansible.builtin.set_fact:
+    desktop_ufw_rules_effective: "{{ host_ufw_rules | default([]) }}"
+
 - name: Apply host UFW rules on desktop
   tags: [services, packages]
   community.general.ufw:
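Review bot: Adding `src: "192.168.0.0/24"` to the SSH entry narrows only the rule Ansible adds from now on; on a host where the earlier unrestricted form (`rule: allow`, `port: "22"`, `proto: tcp`, any source) has already been applied, that broader rule remains in UFW, because community.general.ufw adds or deletes exactly the rule it is given and does not prune others. The tightened source filter is therefore not effective on already-provisioned hosts until the old rule is retired, and the role tasks in this commit do not pass a `delete` key through from the inventory, so there is currently no inventory-driven way to do that. A comment above the entry would also help a reader of this file, e.g. `# src is passed to the ufw module's from_ip by the profile roles; the pre-existing any-source rule must be removed separately`.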
@@ -149,7 +154,16 @@
     name: "{{ item.name | default(omit) }}"
     port: "{{ item.port | default(omit) }}"
     proto: "{{ item.proto | default(omit) }}"
-  loop: "{{ host_ufw_rules | default([]) }}"
+    from_ip: "{{ item.src | default(omit) }}"
+    to_ip: "{{ item.dest | default(omit) }}"
+    from_port: "{{ item.from_port | default(omit) }}"
+    direction: "{{ item.direction | default(omit) }}"
+    interface: "{{ item.interface | default(omit) }}"
+    interface_in: "{{ item.interface_in | default(omit) }}"
+    interface_out: "{{ item.interface_out | default(omit) }}"
+    route: "{{ item.route | default(omit) }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ desktop_ufw_rules_effective }}"
   loop_control:
     label: "{{ item.name | default(item.port) }}"
 
@@ -157,7 +171,7 @@
   tags: [services, packages]
   community.general.ufw:
     state: enabled
-  when: (host_ufw_rules | default([])) | length > 0
+  when: (desktop_ufw_rules_effective | default([])) | length > 0
 
 - name: Check whether libvirt service directory exists
   tags: [packages, services]
diff --git a/ansible/roles/profile_server/tasks/main.yml b/ansible/roles/profile_server/tasks/main.yml
index a8cecc9..8cb36e2 100644
--- a/ansible/roles/profile_server/tasks/main.yml
+++ b/ansible/roles/profile_server/tasks/main.yml
@@ -68,6 +68,11 @@
   notify: Reload SSH service
   when: (server_sshd_allow_users | default([])) | length > 0
 
+- name: Define effective server UFW rules
+  tags: [services, packages]
+  ansible.builtin.set_fact:
+    server_ufw_rules_effective: "{{ server_ufw_rules | default([]) }}"
+
 - name: Apply server UFW rules
   tags: [services, packages]
   community.general.ufw:
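Review bot: `label: "{{ item.name | default(item.port) }}"` is kept unchanged under a loop whose items may now legitimately carry neither `name` nor `port` — the new pass-through of `src`, `dest`, `interface`, `interface_in`, `interface_out` and `route` makes source-only or interface-only rules valid inventory — and for such an item the label template fails on the undefined `item.port`, aborting the play at the first such rule. A fallback that always resolves avoids that, e.g. `label: "{{ item.name | default(item.port | default(item.comment | default('ufw rule'))) }}"`. The same label is left as-is in the profile_server hunk `@@ -75,7 +80,16 @@`, which needs the same change. The task header (`- name: Apply host UFW rules on desktop` and `community.general.ufw:`) lies above this hunk.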
@@ -75,7 +80,16 @@
     name: "{{ item.name | default(omit) }}"
     port: "{{ item.port | default(omit) }}"
     proto: "{{ item.proto | default(omit) }}"
-  loop: "{{ server_ufw_rules | default([]) }}"
+    from_ip: "{{ item.src | default(omit) }}"
+    to_ip: "{{ item.dest | default(omit) }}"
+    from_port: "{{ item.from_port | default(omit) }}"
+    direction: "{{ item.direction | default(omit) }}"
+    interface: "{{ item.interface | default(omit) }}"
+    interface_in: "{{ item.interface_in | default(omit) }}"
+    interface_out: "{{ item.interface_out | default(omit) }}"
+    route: "{{ item.route | default(omit) }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ server_ufw_rules_effective }}"
   loop_control:
     label: "{{ item.name | default(item.port) }}"
 
@@ -83,3 +97,4 @@
   tags: [services, packages]
   community.general.ufw:
     state: enabled
+  when: (server_ufw_rules_effective | default([])) | length > 0
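Review bot: The added `when: (server_ufw_rules_effective | default([])) | length > 0` in the last hunk changes the server role's default posture: before this commit `state: enabled` ran unconditionally, so a server with no `server_ufw_rules` still had UFW enabled, whereas now such a host is left with the firewall not enabled and nothing in the change records that this is intended. If the guard is there to avoid locking out management access when no allow rule exists, say so above the task, e.g. `# Enable UFW only once at least one rule (normally SSH) is defined, so a host is never firewalled with no allow rules`; otherwise keep enabling unconditionally as before and let the rule list supply the required allow rules. The `| default([])` is redundant here, since the fact is always set by the preceding set_fact task, and can be dropped. The task's `- name:` line lies above this hunk.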