Import friwall role from network ansible scripts

To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:01:47 +02:00 · 2024-07-04 15:01:47 +02:00 · 973522c373
commit 973522c373
parent bacfc66f7c
14 changed files with 249 additions and 1 deletions
--- a/roles/friwall/templates/interfaces.j2
+++ b/roles/friwall/templates/interfaces.j2
@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+{% for iface in interfaces %}
+auto {{ iface.name }}
+iface {{ iface.name }} inet static
+{% for address in iface.ip_addresses %}
+    address {{ address.address }}
+{% endfor %}
+{% if iface.custom_fields.gateway %}
+    gateway {{ iface.custom_fields.gateway.address | ipaddr('address') }}
+{% endif %}
+
+{% endfor %}
--- a/roles/friwall/templates/networks.json.j2
+++ b/roles/friwall/templates/networks.json.j2
@ -0,0 +1,10 @@
+{
+{% for vlan, addrs in prefixes | selectattr('vrf')
+        | selectattr('vlan') | selectattr('vlan.id', 'in', vlans|map(attribute='id'))
+        | sort(attribute='vlan.vid') | groupby('vlan.vid') %}
+  "{{ addrs[0].vlan.name }}": {
+    "ip": {{ addrs | selectattr('family.value', '==', 4) | map(attribute='prefix') | to_json }},
+    "ip6": {{ addrs | selectattr('family.value', '==', 6) | map(attribute='prefix') | to_json }}
+  }{% if not loop.last %},{% endif +%}
+{% endfor %}
+}
--- a/roles/friwall/templates/nginx.conf.j2
+++ b/roles/friwall/templates/nginx.conf.j2
@ -0,0 +1,13 @@
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name {{ dns_name }};
+
+	ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
+
+	location / {
+		uwsgi_pass unix:/run/friwall.socket;
+		include uwsgi_params;
+	}
+}
--- a/roles/friwall/templates/nodes.json.j2
+++ b/roles/friwall/templates/nodes.json.j2
@ -0,0 +1,11 @@
+{% set nodes = query('netbox.netbox.nb_lookup', 'devices', api_filter='role=firewall', raw_data=true)
+    | selectattr('config_context') | selectattr('config_context', 'contains', 'master')
+    | selectattr('config_context.master', '==', inventory_hostname)
+    | map(attribute='name') -%}
+
+{
+{% for node in nodes %}
+  "{{ hostvars[node] | device_address | selectattr('family.value', '==', 4)
+          | map(attribute='address') | ipaddr('address') | first }}": -1{{ '' if loop.last else ',' }}
+{% endfor %}
+}
--- a/roles/friwall/templates/settings.json.j2
+++ b/roles/friwall/templates/settings.json.j2
@ -0,0 +1,10 @@
+{
+  "ldap_host": "{{ domain }}",
+  "ldap_user": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}",
+  "ldap_pass": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}",
+  "ldap_base_dn": "{{ ldap_base_dn }}",
+  "oidc_server": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_server") }}",
+  "oidc_client_id": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_id") }}",
+  "oidc_client_secret": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_secret") }}",
+  "wg_net": "{{ wg_net }}"
+}