Initial commit, squashed

roles/firewall_master/tasks/mail.yml

@@ -0,0 +1,9 @@
+- name: Install mail server
+  package:
+    name: opensmtpd
+
+- name: Enable mail server
+  service:
+    name: smtpd
+    enabled: yes
+    state: started

roles/firewall_master/tasks/main.yml

@@ -0,0 +1,42 @@
+- name: Set up network interfaces
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: restart interfaces
+
+- name: Install nftables
+  package:
+    name: nftables
+
+- name: Accept connections from FRI addresses
+  copy:
+    dest: /etc/nftables.d/
+    src: accept-fri.nft
+  notify: reload nftables
+
+- name: Enable nftables
+  service:
+    name: nftables
+    enabled: yes
+    state: started
+
+- name: Install qemu guest agent
+  package:
+    name: qemu-guest-agent
+
+- name: Enable qemu guest agent
+  service:
+    name: qemu-guest-agent
+    enabled: yes
+    runlevel: boot
+    state: started
+
+- name: Set up mail server
+  import_tasks: mail.yml
+
+- name: Set up friwall user
+  import_tasks: user.yml
+
+- name: Set up web UI
+  import_tasks: web.yml

roles/firewall_master/tasks/user.yml

@@ -0,0 +1,14 @@
+- name: Create friwall group
+  group:
+    name: friwall
+    system: yes
+
+- name: Create friwall user
+  user:
+    name: friwall
+    system: yes
+    home: /srv/friwall
+    shell: /sbin/nologin
+    generate_ssh_key: yes
+    ssh_key_comment: "{{ inventory_hostname }}"
+    ssh_key_type: ed25519

roles/firewall_master/tasks/web.yml

@@ -0,0 +1,110 @@
+---
+- name: Install packages
+  package:
+    name: git,inotify-tools,nginx,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools
+
+- name: Clone web files
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: "-s /bin/sh"
+  git:
+    repo: "{{ friwall_repo }}"
+    dest: /srv/friwall/app
+    force: yes
+  notify: reload uwsgi
+
+- name: Install requirements
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: '-s /bin/sh'
+  pip:
+    requirements: /srv/friwall/app/requirements.txt
+    extra_args: --user
+
+- name: Configure base settings
+  template:
+    dest: "/srv/friwall/{{ item }}"
+    src: "{{ item }}.j2"
+    owner: friwall
+    group: friwall
+    mode: 0600
+    force: no
+  loop:
+    - nodes.json
+    - settings.json
+  notify: restart uwsgi
+
+- name: Configure list of networks
+  template:
+    dest: "/srv/friwall/networks.json"
+    src: "networks.json.j2"
+    owner: friwall
+    group: friwall
+    mode: 0600
+
+- name: Configure uwsgi
+  copy:
+    dest: /etc/uwsgi/
+    src: uwsgi.ini
+  notify: restart uwsgi
+
+- name: Configure uwsgi instance
+  copy:
+    dest: /etc/uwsgi/conf.d/
+    src: friwall.ini
+    owner: friwall
+    group: friwall
+
+- name: Enable uwsgi
+  service:
+    name: uwsgi
+    enabled: yes
+    state: started
+
+- name: Configure nginx instance
+  template:
+    dest: /etc/nginx/http.d/friwall.conf
+    src: nginx.conf.j2
+  notify: reload nginx
+
+- name: Run nginx in default VRF
+  lineinfile:
+    path: /etc/conf.d/nginx
+    line: "vrf=\"default\""
+  notify: restart nginx
+
+- name: Enable nginx
+  service:
+    name: nginx
+    enabled: yes
+    state: started
+
+- name: Install config pusher initscript
+  copy:
+    dest: /etc/init.d/pusher
+    src: pusher.initd
+    mode: 0755
+  notify: restart pusher
+
+- name: Enable config pusher service
+  service:
+    name: pusher
+    enabled: true
+    state: started
+
+- name: Regenerate config daily
+  cron:
+    name: "regenerate config"
+    job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"
+    user: friwall
+    hour: "3"
+    minute: "33"
+
+- name: Try (re-)pushing config periodically
+  cron:
+    name: "push config"
+    job: "cd ~/app ; FLASK_APP=web python3 -m flask push"
+    user: friwall
+    minute: "*/15"