From 8be55c2bde24af33ee893dfd419fcf5ea1209f56 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 5 Apr 2024 06:12:58 +0200
Subject: [PATCH] ceph: set up firewall

Still need to drop the hardcoded allowed set.
---
 roles/ceph/tasks/firewall.yml | 4 ++++
 roles/ceph/templates/nftables.conf.j2 | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/roles/ceph/tasks/firewall.yml b/roles/ceph/tasks/firewall.yml
index be12d9b..22f0a21 100644
--- a/roles/ceph/tasks/firewall.yml
+++ b/roles/ceph/tasks/firewall.yml
@@ -1,3 +1,7 @@
+- name: Retrieve service list
+ set_fact:
+ services: '{{ query("netbox.netbox.nb_lookup", "clusters", raw_data=true, api_filter="name="+cluster) | map(attribute="custom_fields.services") | flatten }}'
+
 - name: Install nftables
 package:
 name: nftables
diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
index b7e0e25..d686cfd 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@@ -51,6 +51,21 @@ table inet filter {
 ip saddr @cluster accept comment "accept connections from other nodes"
 ip6 saddr @cluster/6 accept comment "accept connections from other nodes"
 
+{% for service in services %}
+{% set prefixes = service | allowed_prefixes %}
+{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
+{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
+{% set ports = service.ports | compact_numlist %}
+ # service {{ service.name }}
+{% if prefixes4 %}
+ ip saddr { {{ prefixes4 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+{% if prefixes6 %}
+ ip6 saddr { {{ prefixes6 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+
+{% endfor %}
+
 ip saddr @allowed accept
 ip6 saddr @allowed/6 accept
 }
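Review bot: The `services` fact on the added `set_fact` line silently becomes an empty list when the NetBox lookup matches no cluster, so the firewall is rendered with no service rules instead of the play failing; an `assert` that `services | length > 0` (or that the lookup returned exactly one cluster) before the template task would surface that. `flatten` will also error if a matched cluster has `custom_fields.services` unset, so `| map(attribute="custom_fields.services") | reject("none") | flatten` is worth considering if that field is optional. `cluster` is string-concatenated into `api_filter`, so a value containing `&` or `=` would change the query — this is acceptable only if `cluster` is a controlled inventory variable rather than user-supplied, which is presumably the case here but is worth a comment on the task.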
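Review bot: `{% if prefixes4 %}` and `{% if prefixes6 %}` are always true when `map('string')` returns a lazy iterator, which Jinja2's `map` filter does, so a service with only IPv6 prefixes still emits `ip saddr {  } tcp dport ...`, which nftables rejects as a syntax error and the whole ruleset then fails to load; appending `| list` to both set lines, `{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') | list %}` and the matching `prefixes6` line, makes the emptiness test meaningful. The same hole exists for `ports`: a service whose `service.ports` is empty renders `tcp dport {  }`, so wrap the rule lines in `{% if ports %}` or skip such services. `service.name` is rendered into the `# service` comment unescaped; a name containing a newline would leave the comment and land in rule context, so filtering it to a safe character set before rendering is a cheap safeguard. The enclosing table/chain block starts before this hunk.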