Initial commit

2024-10-30 01:50:38 +01:00
commit 587ca23374
147 changed files with 7521 additions and 0 deletions
--- a/roles/firewall/tasks/defaults.yml
+++ b/roles/firewall/tasks/defaults.yml
@@ -0,0 +1,18 @@
+---
+# Configure defaults settings
+- name: Configure defaults settings
+  uci:
+    command: "set"
+    config: "firewall"
+    section: "@defaults[0]"
+    type: "defaults"
+    value:
+      input: "{{ firewall_defaults.input | default(omit) }}"
+      forward: "{{ firewall_defaults.forward | default(omit) }}"
+      output: "{{ firewall_defaults.output | default(omit) }}"
+      drop_invalid: "{{ firewall_defaults.drop_invalid | default(omit) }}"
+      synflood_protect: "{{ firewall_defaults.synflood_protect | default(omit) }}"
+      synflood_rate: "{{ firewall_defaults.synflood_rate | default(omit) }}"
+      synflood_burst: "{{ firewall_defaults.synflood_burst | default(omit) }}"
+      flow_offloading: "{{ firewall_defaults.flow_offloading | default(omit) }}"
+      flow_offloading_hw: "{{ firewall_defaults.flow_offloading_hw | default(omit) }}"
--- a/roles/firewall/tasks/forwarding.yml
+++ b/roles/firewall/tasks/forwarding.yml
@@ -0,0 +1,41 @@
+---
+# Set state status for firewall forwarding
+- name: Set state status for firewall forwarding {{ item.id | default('@forwarding[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_forwarding_state: "{{ item.state | default('present') }}"
+
+# Delete firewall forwarding
+- name: Delete firewall forwarding {{ item.id }}
+  when: "'absent' in firewall_forwarding_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "forwarding"
+
+# Create and configure firewall forwarding
+- name: Create and configure firewall forwarding
+  when: "'present' in firewall_forwarding_state"
+  block:
+    # Create firewall forwarding
+    - name: Create firewall forwarding {{ item.id | default('@forwarding[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@forwarding[-1]') }}"
+        type: "forwarding"
+
+    # Configure firewall forwarding
+    - name: Configure firewall forwarding {{ item.id | default('@forwarding[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@forwarding[-1]') }}"
+        type: "forwarding"
+        value:
+          name: "{{ item.id | default(omit) }}"
+          src: "{{ item.src | default(omit) }}"
+          dest: "{{ item.dest | default(omit) }}"
+          family: "{{ item.family | default(omit) }}"
+          ipset: "{{ item.ipset | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"
--- a/roles/firewall/tasks/ipset.yml
+++ b/roles/firewall/tasks/ipset.yml
@@ -0,0 +1,43 @@
+---
+# Set state status for firewall ipset
+- name: Set state status for firewall ipset {{ item.id | default('@ipset[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_ipset_state: "{{ item.state | default('present') }}"
+
+# Delete firewall ipset
+- name: Delete firewall ipset {{ item.id }}
+  when: "'absent' in firewall_ipset_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "ipset"
+
+# Create and configure firewall ipset
+- name: Create and configure firewall ipset
+  when: "'present' in firewall_ipset_state"
+  block:
+    # Create firewall ipset
+    - name: Create firewall ipset {{ item.id | default('@ipset[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@ipset[-1]') }}"
+        type: "ipset"
+
+    # Configure firewall ipset
+    - name: Configure firewall ipset {{ item.id | default('@ipset[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@ipset[-1]') }}"
+        type: "ipset"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          comment: "{{ item.comment | default(omit) }}"
+          match: "{{ item.match | default([]) | join(' ') }}"
+          entry: "{{ item.entry | default([]) | join(' ') }}"
+          family: "{{ item.family | default(omit) }}"
+          maxelem: "{{ item.maxelem | default(omit) }}"
+          loadfile: "{{ item.loadfile | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# Configure deaults section
+- name: Configure defaults section
+  ansible.builtin.include_tasks: defaults.yml
+
+# Configure zone section
+- name: Configure zone section
+  ansible.builtin.include_tasks: zone.yml
+  loop: "{{ firewall_zones | default([]) }}"
+
+# Configure forwarding section
+- name: Configure forwarding section
+  ansible.builtin.include_tasks: forwarding.yml
+  loop: "{{ firewall_forwardings | default([]) }}"
+
+# Configure rule section
+- name: Configure rule section
+  ansible.builtin.include_tasks: rule.yml
+  loop: "{{ firewall_rules | default([]) }}"
+
+# Configure redirect section
+- name: Configure redirect section
+  ansible.builtin.include_tasks: redirect.yml
+  loop: "{{ firewall_redirects | default([]) }}"
+
+# Configure ipset section
+- name: Configure ipset section
+  ansible.builtin.include_tasks: ipset.yml
+  loop: "{{ firewall_ipsets | default([]) }}"
+
+# Configure nat section
+- name: Configure nat section
+  ansible.builtin.include_tasks: nat.yml
+  loop: "{{ firewall_nats | default([]) }}"
+
+# Apply changes and reload firewall service
+- name: Apply changes and reload firewall
+  uci:
+    command: commit
+  notify: Reload firewall
--- a/roles/firewall/tasks/nat.yml
+++ b/roles/firewall/tasks/nat.yml
@@ -0,0 +1,48 @@
+---
+# Set state status for firewall nat
+- name: Set state status for firewall nat {{ item.id | default('@nat[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_nat_state: "{{ item.state | default('present') }}"
+
+# Delete firewall nat
+- name: Delete firewall nat {{ item.id }}
+  when: "'absent' in firewall_nat_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "nat"
+
+# Create and configure firewall nat
+- name: Create and configure firewall nat
+  when: "'present' in firewall_nat_state"
+  block:
+    # Create firewall nat
+    - name: Create firewall nat {{ item.id | default('@nat[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@nat[-1]') }}"
+        type: "nat"
+
+    # Configure firewall nat
+    - name: Configure firewall nat {{ item.id | default('@nat[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@nat[-1]') }}"
+        type: "nat"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          src: "{{ item.src | default(omit) }}"
+          src_ip: "{{ item.src_ip | default(omit) }}"
+          src_port: "{{ item.src_port | default(omit) }}"
+          dest_ip: "{{ item.dest_ip | default(omit) }}"
+          dest_port: "{{ item.dest_port | default(omit) }}"
+          snat_ip: "{{ item.snat_ip | default(omit) }}"
+          snat_port: "{{ item.snat_port | default(omit) }}"
+          target: "{{ item.target | default(omit) }}"
+          proto: "{{ item.proto | default([]) | join(' ') }}"
+          family: "{{ item.family | default(omit) }}"
+          mark: "{{ item.mark | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"
--- a/roles/firewall/tasks/redirect.yml
+++ b/roles/firewall/tasks/redirect.yml
@@ -0,0 +1,51 @@
+---
+# Set state status for firewall redirect
+- name: Set state status for firewall redirect {{ item.id | default('@redirect[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_redirect_state: "{{ item.state | default('present') }}"
+
+# Delete firewall redirect
+- name: Delete firewall redirect {{ item.id }}
+  when: "'absent' in firewall_redirect_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "redirect"
+
+# Create and configure firewall redirect
+- name: Create and configure firewall redirect
+  when: "'present' in firewall_redirect_state"
+  block:
+    # Create firewall redirect
+    - name: Create firewall redirect {{ item.id | default('@redirect[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@redirect[-1]') }}"
+        type: "redirect"
+
+    # Configure firewall redirect
+    - name: Configure firewall redirect {{ item.id | default('@redirect[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@redirect[-1]') }}"
+        type: "redirect"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          src: "{{ item.src | default(omit) }}"
+          src_ip: "{{ item.src_ip | default(omit) }}"
+          src_port: "{{ item.src_port | default(omit) }}"
+          src_mac: "{{ item.src_mac | default(omit) }}"
+          src_dip: "{{ item.src_dip | default(omit) }}"
+          src_dport: "{{ item.src_dport | default(omit) }}"
+          dest: "{{ item.dest | default(omit) }}"
+          dest_ip: "{{ item.dest_ip | default(omit) }}"
+          dest_port: "{{ item.dest_port | default(omit) }}"
+          target: "{{ item.target | default(omit) }}"
+          proto: "{{ item.proto | default([]) | join(' ') }}"
+          family: "{{ item.family | default(omit) }}"
+          ipset: "{{ item.ipset | default(omit) }}"
+          mark: "{{ item.mark | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"
--- a/roles/firewall/tasks/rule.yml
+++ b/roles/firewall/tasks/rule.yml
@@ -0,0 +1,50 @@
+---
+# Set state status for firewall rule
+- name: Set state status for firewall rule {{ item.id | default('@rule[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_rule_state: "{{ item.state | default('present') }}"
+
+# Delete firewall rule
+- name: Delete firewall rule {{ item.id }}
+  when: "'absent' in firewall_rule_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "rule"
+
+# Create and configure firewall rule
+- name: Create and configure firewall rule
+  when: "'present' in firewall_rule_state"
+  block:
+    # Create firewall rule
+    - name: Create firewall rule {{ item.id | default('@rule[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@rule[-1]') }}"
+        type: "rule"
+
+    # Configure firewall rule
+    - name: Configure firewall rule {{ item.id | default('@rule[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@rule[-1]') }}"
+        type: "rule"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          src: "{{ item.src | default(omit) }}"
+          src_ip: "{{ item.src_ip | default(omit) }}"
+          src_port: "{{ item.src_port | default([]) | join(' ') }}"
+          src_mac: "{{ item.src_mac | default(omit) }}"
+          dest: "{{ item.dest | default(omit) }}"
+          dest_ip: "{{ item.dest_ip | default(omit) }}"
+          dest_port: "{{ item.dest_port | default([]) | join(' ') }}"
+          target: "{{ item.target | default(omit) }}"
+          proto: "{{ item.proto | default([]) | join(' ') }}"
+          family: "{{ item.family | default(omit) }}"
+          ipset: "{{ item.ipset | default(omit) }}"
+          mark: "{{ item.mark | default(omit) }}"
+          set_mark: "{{ item.set_mark | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"
--- a/roles/firewall/tasks/zone.yml
+++ b/roles/firewall/tasks/zone.yml
@@ -0,0 +1,44 @@
+---
+# Set state status for firewall zone
+- name: Set state status for firewall zone {{ item.id | default('@zone[-1]') }}
+  ansible.builtin.set_fact:
+    firewall_zone_state: "{{ item.state | default('present') }}"
+
+# Delete firewall zone
+- name: Delete firewall zone {{ item.id }}
+  when: "'absent' in firewall_zone_state"
+  uci:
+    command: "absent"
+    config: "firewall"
+    section: "{{ item.id }}"
+    type: "zone"
+
+# Create and configure firewall zone
+- name: Create and configure firewall zone
+  when: "'present' in firewall_zone_state"
+  block:
+    # Create firewall zone
+    - name: Create firewall zone {{ item.id | default('@zone[-1]') }}
+      uci:
+        command: "add"
+        config: "firewall"
+        section: "{{ item.id | default('@zone[-1]') }}"
+        type: "zone"
+
+    # Configure firewall zone
+    - name: Configure firewall zone {{ item.id | default('@zone[-1]') }}
+      uci:
+        command: "set"
+        config: "firewall"
+        section: "{{ item.id | default('@zone[-1]') }}"
+        type: "zone"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          network: "{{ item.network | default([]) | join(' ') }}"
+          masq: "{{ item.masq | default(omit) }}"
+          mtu_fix: "{{ item.mtu_fix | default(omit) }}"
+          input: "{{ item.input | default(omit) }}"
+          forward: "{{ item.forward | default(omit) }}"
+          output: "{{ item.output | default(omit) }}"
+          family: "{{ item.family | default(omit) }}"
+          enabled: "{{ item.enabled | default(omit) }}"