From eb84bca7a8bc15095df55e637a3fca264d07c7c4 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 10 Aug 2020 03:48:24 +0200
Subject: [PATCH] [firewall] Deploy firewall

---
 plays/firewall.yml                            | 11 ++++++
 roles/firewall/tasks/main.yml                 | 36 +++++++++++++++++++
 roles/firewall/templates/cron.d/firewall.j2   |  2 ++
 .../templates/firewall/re2o-config.ini.j2     |  5 +++
 4 files changed, 54 insertions(+)
 create mode 100755 plays/firewall.yml
 create mode 100644 roles/firewall/tasks/main.yml
 create mode 100644 roles/firewall/templates/cron.d/firewall.j2
 create mode 100644 roles/firewall/templates/firewall/re2o-config.ini.j2

diff --git a/plays/firewall.yml b/plays/firewall.yml
new file mode 100755
index 00000000..c015c7cd
--- /dev/null
+++ b/plays/firewall.yml
@@ -0,0 +1,11 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall
+- hosts: crans_routeurs
+  vars:
+    re2o:
+      server: re2o.adm.crans.org
+      service_user: "{{ vault_re2o_service_user }}"
+      service_password: "{{ vault_re2o_service_password }}"
+  roles:
+    - firewall
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 00000000..3faaef2d
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Create firewall directory
+  file:
+    path: /var/local/firewall
+    state: directory
+    mode: '2775'
+    owner: root
+    group: nounou
+
+- name: Set ACL for firewall directory
+  acl:
+    path: /var/local/firewall
+    default: true
+    entity: nounou
+    etype: group
+    permissions: rwx
+    state: query
+
+- name: Clone firewall repository
+  git:
+    repo: 'http://gitlab.adm.crans.org/nounous/firewall.git'
+    dest: /var/local/firewall
+    umask: '002'
+
+- name: Deploy re2o config
+  template:
+    src: firewall/re2o-config.ini.j2
+    dest: /var/local/firewall/re2o-config.ini
+    mode: 0600
+    owner: root
+    group: root
+
+- name: Deploy cron for firewall
+  template:
+    src: cron.d/firewall.j2
+    dest: /etc/cron.d/firewall
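Review bot: The `Set ACL for firewall directory` task uses `state: query`, which only reads the current ACL and never writes one, so the default group ACL its name promises is not applied; it should be `state: present`. The `mode: 0600` on the re2o config task is an unquoted octal literal while the other tasks quote theirs (`'2775'`, `'002'`); write `mode: '0600'` for consistency and so the YAML loader cannot reinterpret the value. The clone also fetches from a plain `http://` URL with no `version:` pin, so whatever the default branch holds at run time is checked out and, via the cron hunk below, executed as root; pinning a tag or commit and using an authenticated transport would make the deployed code reproducible and verifiable.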
diff --git a/roles/firewall/templates/cron.d/firewall.j2 b/roles/firewall/templates/cron.d/firewall.j2
new file mode 100644
index 00000000..5d6a897b
--- /dev/null
+++ b/roles/firewall/templates/cron.d/firewall.j2
@@ -0,0 +1,2 @@
+{{ ansible_header | comment }}
+*/2 * * * * root /usr/bin/python3 /var/local/firewall/firewall.py -q
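Review bot: The cron entry runs `/var/local/firewall/firewall.py` as root every two minutes, but the tasks hunk creates `/var/local/firewall` with mode `'2775'`, group `nounou`, and a default `rwx` ACL for that group, so any edit to the checkout by a member of that group is executed as root on the router within two minutes. If group write access to the checkout is wanted for maintenance, have the playbook copy the script to a root-owned location that only root can write and run it from there, or drop the group write bit and the default `rwx` ACL on the directory. The entry also sets no `MAILTO` or `PATH`, so failures go wherever the system default sends cron mail; adding `MAILTO=root` above the line makes that explicit.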
diff --git a/roles/firewall/templates/firewall/re2o-config.ini.j2 b/roles/firewall/templates/firewall/re2o-config.ini.j2
new file mode 100644
index 00000000..7bf9a4ca
--- /dev/null
+++ b/roles/firewall/templates/firewall/re2o-config.ini.j2
@@ -0,0 +1,5 @@
+{{ ansible_header | comment(decoration='; ') }}
+[Re2o]
+hostname = {{ re2o.server }}
+username = {{ re2o.service_userĂ‚ }}
+password = {{ re2o.service_password }}
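Review bot: The `username` line references `re2o.service_userĂ‚`, which carries two stray characters after `service_user`; if they are in the committed file rather than an artefact of this page's encoding, the template will not render correctly, since the play defines only `re2o.service_user`. The line should read `username = {{ re2o.service_user }}`. The rendered file holds the service password in clear text, which the tasks hunk mitigates with `mode: 0600` and root ownership; that requirement is worth stating in the template itself, e.g. `{# contains credentials: must be deployed root-owned with mode 0600 #}` after the header line.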
-- 
GitLab