Split iptables tasks into a seperate file

9ecf3daf · Chris Croome · 8b00f6e9 · 9ecf3daf · 9ecf3daf
Commit 9ecf3daf authored 2 years ago by Chris Croome
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@@ -61,122 +61,8 @@

      when: icinga_iptables_check_fail | bool

-    - name: Check the firefwall on the agent node when port 5665 is not open
-      block:
-
-        - name: Check the existing rules
-          ansible.builtin.command: iptables -L
-          check_mode: false
-          changed_when: false
-          register: icinga_iptables_list
-
-        - name: Set a fact for the existing iptables rules
-          ansible.builtin.set_fact:
-            icinga_iptables: "{{ icinga_iptables_list.stdout | community.general.jc('iptables') }}"
-
-        - name: Debug existing iptables rules
-          ansible.builtin.debug:
-            var: icinga_iptables_list.stdout
-            verbosity: 2
-
-        - name: Debug matching iptables rule
-          ansible.builtin.debug:
-            msg: "{{ icinga_iptables | community.general.json_query(icinga_iptables_ipv4_query) }}"
-            verbosity: 2
-
-        - name: Add IPv4 rule to allow connections from the master node to the agent node on port 5665
-          block:
-
-            - name: Set a fact for the IPv4 address of the master node
-              ansible.builtin.set_fact:
-                icinga_master_node_ipv4: "{{ lookup('community.general.dig', icinga_master_node) }}"
-
-            - name: Debug the IPv4 address of the master node
-              ansible.builtin.debug:
-                msg:
-                  - "{{ icinga_master_node_ipv4 }}"
-                  - "Type {{ icinga_master_node_ipv4 | type_debug }}"
-                verbosity: 2
-
-            - name: Check that the discovered IPv4 address of the master node is a IPv4 address
-              ansible.builtin.assert:
-                that:
-                  - icinga_master_node_ipv4 | ansible.utils.ipv4
-                  - icinga_master_node_ipv4 | type_debug is regex('str|AnsibleUnicode|AnsibleUnsafeText$')
-                  - icinga_master_node_ipv4 is regex('^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')
-                quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
-
-            - name: Save current IPv4 iptables rules
-              community.general.iptables_state:
-                ip_version: ipv4
-                path: /etc/iptables/rules.v4
-                state: saved
-
-            - name: Check that the he line after the proposed IPv4 iptables rule for Icinga is present
-              block:
-
-                - name: Check that the line after the IPv4 iptables rule for Icinga is present
-                  ansible.builtin.lineinfile:
-                    path: /etc/iptables/rules.v4
-                    line: "{{ icinga_iptables_ipv4_insertbefore }}"
-                    state: present
-                  check_mode: true
-                  register: icinga_iptables_ipv4_insertbefore_check
-                  failed_when: icinga_iptables_ipv4_insertbefore_check.changed | bool
-
-              rescue:
-
-                - name: Slurp /etc/iptables/rules.v4
-                  ansible.builtin.slurp:
-                    src: /etc/iptables/rules.v4
-                  register: icinga_iptables_ipv4_b64encoded
-
-                - name: Set a fact for the content of /etc/iptables/rules.v4
-                  ansible.builtin.set_fact:
-                    # icinga_iptables_ipv4: "{{ icinga_iptables_ipv4_b64encoded['content'] | b64decode }}"
-                    icinga_iptables_ipv4_lines: "{{ (icinga_iptables_ipv4_b64encoded['content'] | b64decode ).split('\n') }}"
-
-                - name: Debug /etc/iptables/rules.v4
-                  ansible.builtin.debug:
-                    var: icinga_iptables_ipv4_lines
-
-                - name: Fail as the line after the proposed IPv4 iptables rule for Icinga is not present
-                  ansible.builtin.fail:
-                    msg:
-                      - "Please set the `icinga_iptables_ipv4_insertbefore` variable to one of the lines above and then re-run this role."
-                      - "The line to be added is:"
-                      - "{{ icinga_iptables_ipv4_rule }}"
-
-            - name: Add IPv4 iptables rule for Icinga
-              ansible.builtin.lineinfile:
-                path: /etc/iptables/rules.v4
-                line: "{{ icinga_iptables_ipv4_rule }}"
-                insertbefore: "{{ icinga_iptables_ipv4_insertbefore }}"
-                mode: 0644
-
-            - name: Test the modified IPv4 iptables rules for Icinga
-              ansible.builtin.command: iptables-restore --test /etc/iptables/rules.v4
-              check_mode: false
-              changed_when: false
-
-            - name: Check restore modified IPv4 iptables rules when running in check mode
-              community.general.iptables_state:
-                ip_version: ipv4
-                path: /etc/iptables/rules.v4
-                state: restored
-              when: ansible_check_mode | bool
-
-            - name: Restore modified IPv4 iptables rules when not running in check mode
-              community.general.iptables_state:
-                ip_version: ipv4
-                path: /etc/iptables/rules.v4
-                state: restored
-              when: not ansible_check_mode | bool
-              async: "{{ ansible_timeout }}"
-              poll: 0
-
-          when: icinga_iptables | community.general.json_query(icinga_iptables_ipv4_query) != icinga_iptables_ipv4_check_rule
-
+    - name: Include the iptables tasks when port 5665 is not open on the agent mode
+      ansible.builtin.include_tasks: iptables.yml
      when: icinga_port_state != "open"

  tags:

--- a/tasks/iptables.yml
+++ b/tasks/iptables.yml
+---
+- name: Check and modify iptables tasks when port 5665 is not open on the agent mode
+  block:
+
+    - name: Check the existing rules
+      ansible.builtin.command: iptables -L
+      check_mode: false
+      changed_when: false
+      register: icinga_iptables_list
+
+    - name: Set a fact for the existing iptables rules
+      ansible.builtin.set_fact:
+        icinga_iptables: "{{ icinga_iptables_list.stdout | community.general.jc('iptables') }}"
+
+    - name: Debug existing iptables rules
+      ansible.builtin.debug:
+        var: icinga_iptables_list.stdout
+        verbosity: 2
+
+    - name: Debug matching iptables rule
+      ansible.builtin.debug:
+        msg: "{{ icinga_iptables | community.general.json_query(icinga_iptables_ipv4_query) }}"
+        verbosity: 2
+
+    - name: Add IPv4 rule to allow connections from the master node to the agent node on port 5665
+      block:
+
+        - name: Set a fact for the IPv4 address of the master node
+          ansible.builtin.set_fact:
+            icinga_master_node_ipv4: "{{ lookup('community.general.dig', icinga_master_node) }}"
+
+        - name: Debug the IPv4 address of the master node
+          ansible.builtin.debug:
+            msg:
+              - "{{ icinga_master_node_ipv4 }}"
+              - "Type {{ icinga_master_node_ipv4 | type_debug }}"
+            verbosity: 2
+
+        - name: Check that the discovered IPv4 address of the master node is a IPv4 address
+          ansible.builtin.assert:
+            that:
+              - icinga_master_node_ipv4 | ansible.utils.ipv4
+              - icinga_master_node_ipv4 | type_debug is regex('str|AnsibleUnicode|AnsibleUnsafeText$')
+              - icinga_master_node_ipv4 is regex('^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')
+            quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
+
+        - name: Save current IPv4 iptables rules
+          community.general.iptables_state:
+            ip_version: ipv4
+            path: /etc/iptables/rules.v4
+            state: saved
+
+        - name: Check that the he line after the proposed IPv4 iptables rule for Icinga is present
+          block:
+
+            - name: Check that the line after the IPv4 iptables rule for Icinga is present
+              ansible.builtin.lineinfile:
+                path: /etc/iptables/rules.v4
+                line: "{{ icinga_iptables_ipv4_insertbefore }}"
+                state: present
+              check_mode: true
+              register: icinga_iptables_ipv4_insertbefore_check
+              failed_when: icinga_iptables_ipv4_insertbefore_check.changed | bool
+
+          rescue:
+
+            - name: Slurp /etc/iptables/rules.v4
+              ansible.builtin.slurp:
+                src: /etc/iptables/rules.v4
+              register: icinga_iptables_ipv4_b64encoded
+
+            - name: Set a fact for the content of /etc/iptables/rules.v4
+              ansible.builtin.set_fact:
+                # icinga_iptables_ipv4: "{{ icinga_iptables_ipv4_b64encoded['content'] | b64decode }}"
+                icinga_iptables_ipv4_lines: "{{ (icinga_iptables_ipv4_b64encoded['content'] | b64decode ).split('\n') }}"
+
+            - name: Debug /etc/iptables/rules.v4
+              ansible.builtin.debug:
+                var: icinga_iptables_ipv4_lines
+
+            - name: Fail as the line after the proposed IPv4 iptables rule for Icinga is not present
+              ansible.builtin.fail:
+                msg:
+                  - "Please set the `icinga_iptables_ipv4_insertbefore` variable to one of the lines above and then re-run this role."
+                  - "The line to be added is:"
+                  - "{{ icinga_iptables_ipv4_rule }}"
+
+        - name: Add IPv4 iptables rule for Icinga
+          ansible.builtin.lineinfile:
+            path: /etc/iptables/rules.v4
+            line: "{{ icinga_iptables_ipv4_rule }}"
+            insertbefore: "{{ icinga_iptables_ipv4_insertbefore }}"
+            mode: 0644
+
+        - name: Test the modified IPv4 iptables rules for Icinga
+          ansible.builtin.command: iptables-restore --test /etc/iptables/rules.v4
+          check_mode: false
+          changed_when: false
+
+        - name: Check restore modified IPv4 iptables rules when running in check mode
+          community.general.iptables_state:
+            ip_version: ipv4
+            path: /etc/iptables/rules.v4
+            state: restored
+          when: ansible_check_mode | bool
+
+        - name: Restore modified IPv4 iptables rules when not running in check mode
+          community.general.iptables_state:
+            ip_version: ipv4
+            path: /etc/iptables/rules.v4
+            state: restored
+          when: not ansible_check_mode | bool
+          async: "{{ ansible_timeout }}"
+          poll: 0
+
+      when: icinga_iptables | community.general.json_query(icinga_iptables_ipv4_query) != icinga_iptables_ipv4_check_rule
+
+  tags:
+    - icinga
+...