ipa[server,replica]: New variables to set firewalld zone

The new variables ipa[server,replica]_firewalld_zone have been added to be able to set the zone in which the needed services for IPA are enabled. New tasks have been added to check if the zone is available in the runtime and also permamanet environment. The code to enable firewalld has been moved out of thee ipa[server,replica]_install_packages blocks to make sure that the firewalld service is also enabled if the package is already installed. Fixes: issue #177 (How to set up firewalld zones?)
2026-05-14 21:42:17 +00:00 · 2020-09-08 10:57:27 +02:00
parent 8e664157dd
commit a7e532a4dc
4 changed files with 48 additions and 5 deletions
--- a/roles/ipareplica/README.md
+++ b/roles/ipareplica/README.md
@@ -250,7 +250,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipareplica_install_packages` | The bool value defines if the needed packages are installed on the node. (bool, default: true) | no
 `ipareplica_setup_firewalld` | The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true) | no
-
+`ipareplica_firewalld_zone` | The value defines the firewall zone that will be used. This needs to be an existing runtime and permanent zone. (string) | no

 Authors
 =======
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -26,14 +26,31 @@
      state: present
    when: ipareplica_setup_firewalld | bool

+  when: ipareplica_install_packages | bool
+
+- block:
  - name: Firewalld service - Ensure that firewalld is running
    systemd:
      name: firewalld
      enabled: yes
      state: started
-    when: ipareplica_setup_firewalld | bool

-  when: ipareplica_install_packages | bool
+  - name: Firewalld - Verify runtime zone "{{ ipareplica_firewalld_zone }}"
+    shell: >
+      firewall-cmd
+      --info-zone="{{ ipareplica_firewalld_zone }}"
+      >/dev/null
+    when: ipareplica_firewalld_zone is defined
+
+  - name: Firewalld - Verify permanent zone "{{ ipareplica_firewalld_zone }}"
+    shell: >
+      firewall-cmd
+      --permanent
+      --info-zone="{{ ipareplica_firewalld_zone }}"
+      >/dev/null
+    when: ipareplica_firewalld_zone is defined
+
+  when: ipareplica_setup_firewalld | bool

 #- name: Install - Include Python2/3 import test
 #  import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
@@ -109,6 +126,8 @@
    command: >
      firewall-cmd
      --permanent
+      --zone="{{ ipareplica_firewalld_zone if ipareplica_firewalld_zone is
+         defined else '' }}"
      --add-service=freeipa-ldap
      --add-service=freeipa-ldaps
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
@@ -120,6 +139,8 @@
  - name: Install - Configure firewalld runtime
    command: >
      firewall-cmd
+      --zone="{{ ipareplica_firewalld_zone if ipareplica_firewalld_zone is
+         defined else '' }}"
      --add-service=freeipa-ldap
      --add-service=freeipa-ldaps
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust