ipa[server,replica]: New variables to set firewalld zone

The new variables ipa[server,replica]_firewalld_zone have been added to
be able to set the zone in which the needed services for IPA are enabled.

New tasks have been added to check if the zone is available in the runtime
and also permanent environment.

The code to enable firewalld has been moved out of the
ipa[server,replica]_install_packages blocks to make sure that the firewalld
service is also enabled if the package is already installed.

Fixes: issue #177 (How to set up firewalld zones?)
Thomas Woerner
2020-09-08 10:57:27 +02:00
parent 8e664157dd
commit a7e532a4dc
4 changed files with 48 additions and 5 deletions


@@ -25,14 +25,31 @@
state: present
when: ipaserver_setup_firewalld | bool
when: ipaserver_install_packages | bool
- block:
- name: Firewalld service - Ensure that firewalld is running
systemd:
name: firewalld
enabled: yes
state: started
when: ipaserver_setup_firewalld | bool
when: ipaserver_install_packages | bool
- name: Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"
shell: >
firewall-cmd
--info-zone="{{ ipaserver_firewalld_zone }}"
>/dev/null
when: ipaserver_firewalld_zone is defined
- name: Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"
shell: >
firewall-cmd
--permanent
--info-zone="{{ ipaserver_firewalld_zone }}"
>/dev/null
when: ipaserver_firewalld_zone is defined
when: ipaserver_setup_firewalld | bool
#- name: Install - Include Python2/3 import test
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
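Review bot: the two zone verification tasks ("Verify runtime zone" and "Verify permanent zone") use `shell:` only to get the `>/dev/null` redirect, and in doing so pass the user-supplied `ipaserver_firewalld_zone` through /bin/sh; Ansible captures stdout anyway, so `command:` does the same job without a shell, and as pure checks both tasks should carry `changed_when: false` so they do not report a change on every run. Suggested shape for each: `command: firewall-cmd --info-zone={{ ipaserver_firewalld_zone | quote }}` (plus `--permanent` for the second task) followed by `changed_when: false`. Keeping the `when: ipaserver_firewalld_zone is defined` guard is right, since an undefined zone later falls back to the default zone rather than failing here.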
@@ -428,6 +445,8 @@
command: >
firewall-cmd
--permanent
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
defined else '' }}"
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
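Review bot: the new `--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is defined else '' }}"` argument always emits an explicit `--zone=` option, with an empty value when the variable is unset, so the permanent configuration now depends on firewall-cmd treating an empty zone as the default zone. Omitting the option entirely in that case keeps the pre-change command line unchanged for existing users and does not rely on that behaviour: `{{ '--zone=' ~ ipaserver_firewalld_zone if ipaserver_firewalld_zone is defined else '' }}`.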
@@ -439,6 +458,8 @@
- name: Install - Configure firewalld runtime
command: >
firewall-cmd
--zone="{{ ipaserver_firewalld_zone if ipaserver_firewalld_zone is
defined else '' }}"
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
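Review bot: the runtime task repeats the same zone-selection Jinja expression as the permanent task in the hunk above; if one copy is later edited and the other is not, the runtime and permanent rules silently land in different zones, which is exactly the kind of drift the new zone checks cannot catch. Consider computing the option once (for example a `set_fact` of a `ipaserver_firewalld_zone_arg` variable) and using it in both `command:` lines.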