Rework service handling

Allow running playbooks without NetBox access. Mainly to bootstrap NetBox itself. Would prefer not to access network from filter plugins, so maybe do that at some point also.
2024-06-19 13:33:32 +02:00 · 2024-06-19 13:33:32 +02:00 · 29598ef4bb
commit 29598ef4bb
parent 38c3464279
5 changed files with 34 additions and 27 deletions
--- a/roles/alpine/templates/local.nft.j2
+++ b/roles/alpine/templates/local.nft.j2
@ -7,7 +7,9 @@ table inet filter {
 {% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
 {% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
 {% set ports = service.ports | compact_numlist %}
+{% if 'name' in service %}
        # service {{ service.name }}
+{% endif %}
 {% if prefixes4 or prefixes6 %}
 {% if prefixes4 %}
        ip saddr { {{ prefixes4 | join(', ') }} } tcp dport { {{ ports }} } accept
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@ -54,7 +54,7 @@ table inet filter {
        ip saddr @allowed accept # TODO remove exceptions
        ip6 saddr @allowed/6 accept # TODO remove exceptions

-{% for service in cluster.custom_fields.services %}
+{% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
 {% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
--- a/roles/facts/tasks/main.yml
+++ b/roles/facts/tasks/main.yml
@ -1,18 +1,21 @@
 # Make expensive lookups to NetBox once for later reference by any host.
- name: Lookup networks and prefixes
-  set_fact:
-    vlans: '{{ query("netbox.netbox.nb_lookup", "vlans", api_filter="group=new-net", raw_data=true)
-        | sort(attribute="vid") }}'
-    prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true)
-        | sort(attribute="prefix") | sort(attribute="family.value") }}'
+- when: lookup("env", "NETBOX_API") != ""
+  block:
+    - name: Lookup networks and prefixes
+      set_fact:
+        vlans: '{{ query("netbox.netbox.nb_lookup", "vlans", api_filter="group=new-net", raw_data=true)
+            | sort(attribute="vid") }}'
+        prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true)
+            | sort(attribute="prefix") | sort(attribute="family.value") }}'

- name: Get my cluster and all nodes in it
-  set_fact:
-    cluster: '{{ query("netbox.netbox.nb_lookup", "clusters", raw_data=true, api_filter="name="+cluster) | first }}'
-    nodes: '{{ groups["cluster_"+cluster] | map("extract", hostvars) | rejectattr("is_virtual") }}'
-  when: cluster
+    - when: 'cluster is defined'
+      block:
+        - name: Get my cluster and all nodes in it
+          set_fact:
+            cluster: '{{ query("netbox.netbox.nb_lookup", "clusters", raw_data=true, api_filter="name="+cluster) | first }}'
+            nodes: '{{ groups["cluster_"+cluster] | map("extract", hostvars) | rejectattr("is_virtual") }}'

- name: Get my domain names if any
-  set_fact:
-    fqdns: '{{ interfaces | map(attribute="ip_addresses") | flatten
-        | map(attribute="dns_name") | reject("==", "") | sort | unique }}'
+        - name: Get cluster services
+          set_fact:
+            cluster_services: '{{ (cluster_services|default([])) + query("netbox.netbox.nb_lookup", "services", raw_data=true, api_filter="id="+item) }}'
+          loop: '{{ cluster.custom_fields.services | map(attribute="id") | map("string") }}'
--- a/roles/proxmox/templates/cluster.fw.j2
+++ b/roles/proxmox/templates/cluster.fw.j2
@ -8,16 +8,16 @@ IN Ping(ACCEPT) -log nolog # don’t be rude
 IN SSH(ACCEPT) -i mgmt # for ansible etc.
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
-{% for service in cluster.custom_fields.services %}
+{% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
 {% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
 {% set ports = service.ports | compact_numlist(range_delimiter=':') %}
 {% if prefixes4 %}
-IN ACCEPT -source {{ prefixes4 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
+IN ACCEPT -source {{ prefixes4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
 {% if prefixes6 %}
-IN ACCEPT -source {{ prefixes6 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
+IN ACCEPT -source {{ prefixes6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
 {% endfor %}