Merge pull request #11 from id-unibe-ch/10-remove-firewalld-configura…

…tion Remove firewall configuration feature
id-unibe-ch · May 8, 2024 · 5999cc5 · 5999cc5
2 parents 06fde6d + 50ceec5
commit 5999cc5
Show file tree

Hide file tree

Showing 9 changed files with 8 additions and 107 deletions.
diff --git a/README.md b/README.md
@@ -10,6 +10,12 @@ features:
   [role variables](#role-variables)
 * Support global known hosts files for ssh clients (`/etc/ssh/ssh_config`)
 
+> [!NOTE]
+> This role does NOT include firewall configuration. If your system is
+> protected by a firewall, which it probably should, you need to manage the
+> respective firewall rules independently, e.g. in the playbook that
+> includes or imports this role.
+
 ## Requirements
 
 No prerequisites necessary at the moment.
@@ -27,19 +33,11 @@ Specifies whether the sshd service should be managed by this role or not.
 Usually this is left to true, but might be temporarily set to false when this is
 needed.
 
-### ssh_manage_firewall
-
-    ssh_manage_firewall: false
-
-Specifies whether to manage the firewall using `ansible.posix.firwalld` or not.
-This a soft dependency. If you want to use it, either use the full Ansible
-package or add the collection `ansible.posix` to your `requirements.yml`!
-
 ### ssh_manage_motd_file
 
     ssh_manage_motd_file: false
 
-Specifies wether to craft a custom `/etc/motd` file showing some system
+Specifies whether to craft a custom `/etc/motd` file showing some system
 informations like OS name/version, IP addresses and CPU and memory information.
 If set to false, the file `/etc/motd` is not modified, if set to true the file
 is managed an updated if needed.
@@ -208,16 +206,6 @@ This role configures only secure algorithms by default in order to have
 authentication code algorithms that this role defines by defaults. See
 `vars/*.yml` for details.
 
-### ssh_firewalld_zone
-
-    ssh_firewalld_zone: ''
-
-This role can optionally configure a specific firewalld zone
-(if `ssh_manage_firewall` is `true`) for which the ssh service is allowed.
-By default the zone is omitted and the firewalld defaults are used.
-See [firewalld documentation](https://firewalld.org/documentation/zone/default-zone.html)
-for details.
-
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables
@@ -241,8 +229,7 @@ This role has been written for and tested on and is therefore compatible with:
 
 ## Dependencies
 
-This role has a soft dependency on the collection `ansible.posix` if you set
-`ssh_manage_firewall` to true.
+This role has no dependencies.
 
 ## License
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,8 +2,6 @@
 
 # Should the sshd service be managed by this role
 ssh_manage_sshd: true
-# Shoud this role open the SSH port in the firewall
-ssh_manage_firewall: false
 # Should this role setup a custom /etc/motd file
 ssh_manage_motd_file: false
 
@@ -43,6 +41,3 @@ ssh_crypto_hostkey_algos: []
 ssh_crypto_kex_algos: []
 ssh_crypto_ciphers: []
 ssh_crypto_macs: []
-
-## Firewalld-related configuration options
-ssh_firewalld_zone: ''
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,12 +1,6 @@
 ---
 # handlers file for ssh
 #
-- name: Reload firewalld service
-  ansible.builtin.systemd:
-    name: firewalld
-    state: reloaded
-  listen: reload-firewall
-
 - name: Restart sshd service
   ansible.builtin.systemd:
     name: sshd

diff --git a/molecule/custom/prepare.yml b/molecule/custom/prepare.yml
@@ -8,22 +8,6 @@
         update_cache: true
       when: ansible_os_family == 'Debian'
 
-    - name: Install firewalld dependencies
-      ansible.builtin.package:
-        name: netbase
-      when: ansible_os_family == "Debian"
-
-    - name: Install firewalld
-      ansible.builtin.package:
-        name: firewalld
-        state: present
-
-    - name: Enable firewalld
-      ansible.builtin.systemd:
-        name: firewalld
-        enabled: true
-        state: started
-
     - name: Install ssh client
       ansible.builtin.package:
         name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"

diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -8,22 +8,6 @@
         update_cache: true
       when: ansible_os_family == 'Debian'
 
-    - name: Install firewalld dependencies
-      ansible.builtin.package:
-        name: netbase
-      when: ansible_os_family == "Debian"
-
-    - name: Install firewalld
-      ansible.builtin.package:
-        name: firewalld
-        state: present
-
-    - name: Enable firewalld
-      ansible.builtin.systemd:
-        name: firewalld
-        enabled: true
-        state: started
-
     - name: Install ssh client
       ansible.builtin.package:
         name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"

diff --git a/molecule/knownhosts/prepare.yml b/molecule/knownhosts/prepare.yml
@@ -8,22 +8,6 @@
         update_cache: true
       when: ansible_os_family == 'Debian'
 
-    - name: Install firewalld dependencies
-      ansible.builtin.package:
-        name: netbase
-      when: ansible_os_family == "Debian"
-
-    - name: Install firewalld
-      ansible.builtin.package:
-        name: firewalld
-        state: present
-
-    - name: Enable firewalld
-      ansible.builtin.systemd:
-        name: firewalld
-        enabled: true
-        state: started
-
     - name: Install ssh client
       ansible.builtin.package:
         name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"

diff --git a/tasks/firewall.yml b/tasks/firewall.yml
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -19,7 +19,3 @@
 - name: Manage MOTD
   ansible.builtin.include_tasks: motd.yml
   when: ssh_manage_motd_file | bool
-
-- name: Manage firewalld
-  ansible.builtin.include_tasks: firewall.yml
-  when: ssh_manage_firewall | bool
diff --git a/templates/ssh.xml.j2 b/templates/ssh.xml.j2