Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Actually move to nftables for any host with nftables: true (nothing atm).

Browse source 
Signed-off-by: James Antill <jantill@redhat.com>
This commit is contained in:
James Antill 2025-02-14 12:38:19 -05:00 committed by kevin
parent c9b9086535
commit 31d65aa439
3 changed files with 56 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

7
inventory/group_vars/all
View file

@ -87,8 +87,6 @@ createrepo: True
# Groups and individual hosts should override them with specific info. # Groups and individual hosts should override them with specific info.
custom6_rules: [] custom6_rules: []
custom_rules: [] custom_rules: []
nft_custom6_rules: []
nft_custom_rules: []
# most of our systems are in IAD2 # most of our systems are in IAD2
datacenter: iad2 datacenter: iad2
@ -151,6 +149,11 @@ nagios_Check_Services:
sshd: true sshd: true
swap: true swap: true
nat_rules: [] nat_rules: []
# Do we want to use nftables instead of iptables
nftables: false
# nftables variants of custom*_rules
nft_custom6_rules: []
nft_custom_rules: []
# default network block device encryption settings for linux-system-roles/nbde_client # default network block device encryption settings for linux-system-roles/nbde_client
nbde: true nbde: true
nbde_device: /dev/md2 nbde_device: /dev/md2

17
playbooks/check-host.yml
View file

@ -1,6 +1,6 @@
# tags defined: [check], services, updates, restart, fileverify, iptables, selinux # tags defined: [check], services, updates, restart, fileverify, iptables, selinux
# for the fix part, I guess its better to include the role(s) for particular host that brings the system # for the fix part, I guess its better to include the role(s) for particular host that brings the system
# to the desired state in terms of: services, updates, file verification, iptables, and selinux # to the desired state in terms of: services, updates, file verification, iptables, nftables, and selinux
--- ---
- hosts: "{{ target }}" - hosts: "{{ target }}"
user: root user: root
@ -185,6 +185,14 @@
- check - check
- iptables - iptables
- name: Check if using nftables
ansible.builtin.shell: /sbin/nft list ruleset
register: nftablesn
changed_when: false
tags:
- check
- iptables
- name: Show iptables rules - name: Show iptables rules
ansible.builtin.shell: echo "{{iptablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/iptables ansible.builtin.shell: echo "{{iptablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/iptables
changed_when: false changed_when: false
@ -192,6 +200,13 @@
- check - check
- iptables - iptables
- name: Show nftables rules
ansible.builtin.shell: echo "{{nftablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/nftables
changed_when: false
tags:
- check
- iptables
- name: Show current SELinux status - name: Show current SELinux status
ansible.builtin.shell: echo "SELinux is {{ ansible_selinux.status }} for this System" >> {{temp_dir.stdout}}/selinux ansible.builtin.shell: echo "SELinux is {{ ansible_selinux.status }} for this System" >> {{temp_dir.stdout}}/selinux
changed_when: false changed_when: false

40
roles/base/tasks/main.yml
View file

@ -141,22 +141,34 @@
tags: tags:
- packages - packages
- base - base
when: not nftables
- name: Ensure nftables is installed
ansible.builtin.package: state=present name=nftables
tags:
- packages
- base
when: nftables
- name: Ensure ipset is installed - name: Ensure ipset is installed
ansible.builtin.package: state=present name=ipset ansible.builtin.package: state=present name=ipset
tags: tags:
- packages - packages
- base - base
when: not nftables
- name: Setup builder ipset if this is a new install - name: Setup builder ipset if this is a new install
ansible.builtin.shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi" ansible.builtin.shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
args: args:
creates: /etc/sysconfig/ipset-osbuildapi creates: /etc/sysconfig/ipset-osbuildapi
when: "'osbuild' in group_names" when:
- "'osbuild' in group_names"
- not nftables
tags: tags:
- base - base
- iptables - iptables
# Note that these should do both iptables/ipset and nftables...
- name: Install blocklist update script - name: Install blocklist update script
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ private }}/files/blocklist/blocklist-update.sh" src: "{{ private }}/files/blocklist/blocklist-update.sh"
@ -195,7 +207,9 @@
- iptables/iptables.{{ host_group }} - iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }} - iptables/iptables.{{ env }}
- iptables/iptables - iptables/iptables
when: baseiptables|bool when:
- baseiptables|bool
- not nftables
notify: notify:
- Restart iptables - Restart iptables
- Reload libvirtd - Reload libvirtd
@ -210,7 +224,19 @@
- iptables - iptables
- service - service
- base - base
when: baseiptables|bool when:
- baseiptables|bool
- not nftables
- name: Nftables service enabled
service: name=nftables state=started enabled=true
tags:
- iptables
- service
- base
when:
- baseiptables|bool
- nftables
- name: Ip6tables - name: Ip6tables
ansible.builtin.template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes ansible.builtin.template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
@ -220,7 +246,9 @@
- iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }} - iptables/ip6tables.{{ env }}
- iptables/ip6tables - iptables/ip6tables
when: baseiptables|bool when:
- baseiptables|bool
- not nftables
notify: notify:
- Restart ip6tables - Restart ip6tables
- Reload libvirtd - Reload libvirtd
@ -235,7 +263,9 @@
- ip6tables - ip6tables
- service - service
- base - base
when: baseiptables|bool when:
- baseiptables|bool
- not nftables
- name: Enable journald persistence - name: Enable journald persistence
ansible.builtin.file: path=/var/log/journal state=directory ansible.builtin.file: path=/var/log/journal state=directory