From 50ceec51df0f766521a9e145d0a037b7b613b623 Mon Sep 17 00:00:00 2001
From: Michael Rolli
Date: Tue, 30 Apr 2024 05:30:33 +0200
Subject: [PATCH] feat!: remove firewall configuration feature

In line with the Ansible team decision that firewall configuration is not a concern of a general Ansible role, this change now reverts the firwealld configuration feature again.

Fixes #10
---
 README.md | 29 ++++++++---------------------
 defaults/main.yml | 5 -----
 handlers/main.yml | 6 ------
 molecule/custom/prepare.yml | 16 ----------------
 molecule/default/prepare.yml | 16 ----------------
 molecule/knownhosts/prepare.yml | 16 ----------------
 tasks/firewall.yml | 17 -----------------
 tasks/main.yml | 4 ----
 templates/ssh.xml.j2 | 6 ------
 9 files changed, 8 insertions(+), 107 deletions(-)
 delete mode 100644 tasks/firewall.yml
 delete mode 100644 templates/ssh.xml.j2

diff --git a/README.md b/README.md
index 0cc8387..b157180 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,12 @@ features: [role variables](#role-variables)
 * Support global known hosts files for ssh clients (`/etc/ssh/ssh_config`)
+> [!NOTE]
+> This role does NOT include firewall configuration. If your system is
+> protected by a firewall, which it probably should, you need to manage the
+> respective firewall rules independently, e.g. in the playbook that
+> includes or imports this role.
+
 ## Requirements
 No prerequisites necessary at the moment.
@@ -27,19 +33,11 @@ Specifies whether the sshd service should be managed by this role or not.
 Usually this is left to true, but might be temporarily set to false when this is needed.
-### ssh_manage_firewall
-
- ssh_manage_firewall: false
-
-Specifies whether to manage the firewall using `ansible.posix.firwalld` or not.
-This a soft dependency. If you want to use it, either use the full Ansible
-package or add the collection `ansible.posix` to your `requirements.yml`!
-
 ### ssh_manage_motd_file
 ssh_manage_motd_file: false
-Specifies wether to craft a custom `/etc/motd` file showing some system
+Specifies whether to craft a custom `/etc/motd` file showing some system
 informations like OS name/version, IP addresses and CPU and memory information. If set to false, the file `/etc/motd` is not modified, if set to true the file is managed an updated if needed.
@@ -208,16 +206,6 @@ This role configures only secure algorithms by default in order to have
 authentication code algorithms that this role defines by defaults. See `vars/*.yml` for details.
-### ssh_firewalld_zone
-
- ssh_firewalld_zone: ''
-
-This role can optionally configure a specific firewalld zone
-(if `ssh_manage_firewall` is `true`) for which the ssh service is allowed.
-By default the zone is omitted and the firewalld defaults are used.
-See [firewalld documentation](https://firewalld.org/documentation/zone/default-zone.html)
-for details.
-
 ## Example Playbook
 Including an example of how to use your role (for instance, with variables
@@ -241,8 +229,7 @@ This role has been written for and tested on and is therefore compatible with:
 ## Dependencies
-This role has a soft dependency on the collection `ansible.posix` if you set
-`ssh_manage_firewall` to true.
+This role has no dependencies.
 ## License
diff --git a/defaults/main.yml b/defaults/main.yml
index 8cbb85a..e683f66 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,8 +2,6 @@
 # Should the sshd service be managed by this role
 ssh_manage_sshd: true
-# Shoud this role open the SSH port in the firewall
-ssh_manage_firewall: false
 # Should this role setup a custom /etc/motd file
 ssh_manage_motd_file: false
@@ -43,6 +41,3 @@ ssh_crypto_hostkey_algos: []
 ssh_crypto_kex_algos: []
 ssh_crypto_ciphers: []
 ssh_crypto_macs: []
-
-## Firewalld-related configuration options
-ssh_firewalld_zone: ''
diff --git a/handlers/main.yml b/handlers/main.yml
index a9de7bf..f2f0afa 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,12 +1,6 @@
 ---
 # handlers file for ssh
 #
-- name: Reload firewalld service
- ansible.builtin.systemd:
- name: firewalld
- state: reloaded
- listen: reload-firewall
-
 - name: Restart sshd service
 ansible.builtin.systemd:
 name: sshd
diff --git a/molecule/custom/prepare.yml b/molecule/custom/prepare.yml
index 077a0ae..394919d 100644
--- a/molecule/custom/prepare.yml
+++ b/molecule/custom/prepare.yml
@@ -8,22 +8,6 @@
 update_cache: true
 when: ansible_os_family == 'Debian'
- - name: Install firewalld dependencies
- ansible.builtin.package:
- name: netbase
- when: ansible_os_family == "Debian"
- - name: Install firewalld
- ansible.builtin.package:
- name: firewalld
- state: present
- - name: Enable firewalld
- ansible.builtin.systemd:
- name: firewalld
- enabled: true
- state: started
-
 - name: Install ssh client
 ansible.builtin.package:
 name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 077a0ae..394919d 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -8,22 +8,6 @@
 update_cache: true
 when: ansible_os_family == 'Debian'
- - name: Install firewalld dependencies
- ansible.builtin.package:
- name: netbase
- when: ansible_os_family == "Debian"
- - name: Install firewalld
- ansible.builtin.package:
- name: firewalld
- state: present
- - name: Enable firewalld
- ansible.builtin.systemd:
- name: firewalld
- enabled: true
- state: started
-
 - name: Install ssh client
 ansible.builtin.package:
 name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"
diff --git a/molecule/knownhosts/prepare.yml b/molecule/knownhosts/prepare.yml
index 077a0ae..394919d 100644
--- a/molecule/knownhosts/prepare.yml
+++ b/molecule/knownhosts/prepare.yml
@@ -8,22 +8,6 @@
 update_cache: true
 when: ansible_os_family == 'Debian'
- - name: Install firewalld dependencies
- ansible.builtin.package:
- name: netbase
- when: ansible_os_family == "Debian"
- - name: Install firewalld
- ansible.builtin.package:
- name: firewalld
- state: present
- - name: Enable firewalld
- ansible.builtin.systemd:
- name: firewalld
- enabled: true
- state: started
-
 - name: Install ssh client
 ansible.builtin.package:
 name: "{{ 'openssh-clients' if (ansible_os_family == 'RedHat') else 'openssh-client' }}"
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
deleted file mode 100644
index f2867f9..0000000
--- a/tasks/firewall.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: Configure ssh port in firewalld service
- ansible.builtin.template:
- src: ssh.xml.j2
- dest: /etc/firewalld/services/ssh.xml
- owner: root
- group: root
- mode: '0644'
- notify: reload-firewall
-
-- name: Permit ssh traffic in default zone
- ansible.posix.firewalld:
- service: ssh
- permanent: true
- immediate: true
- zone: "{{ ssh_firewalld_zone | default(omit, true) }}"
- state: enabled
diff --git a/tasks/main.yml b/tasks/main.yml
index c750081..b73cfd3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -19,7 +19,3 @@
 - name: Manage MOTD
 ansible.builtin.include_tasks: motd.yml
 when: ssh_manage_motd_file | bool
-
-- name: Manage firewalld
- ansible.builtin.include_tasks: firewall.yml
- when: ssh_manage_firewall | bool
diff --git a/templates/ssh.xml.j2 b/templates/ssh.xml.j2
deleted file mode 100644
index c2c82c9..0000000
--- a/templates/ssh.xml.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
- SSH
- Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
-
-