friwall: don’t template settings

Let all settings including list of nodes be managed by application.
Exception is the list of networks instantiated from NetBox data.

roles/collector/README.md

@@ -1,18 +1,19 @@
 Set up metric collection with prometheus and telegraf as the SNMP proxy.
 
-NetBox config context should contain the lists `prometheus_hosts` and `snmp_hosts` with job definitions. Each entry should define `name` and `nb_filter` user to query hosts from NetBox. For example:
+Each entry in `prometheus_config` should define `name`, `hosts` and optionally `interval`. As above, `hosts` is used as a query filter.
+
+For SNMP the properties `snmp_hosts` and optional `snmp_interval` should define respectively the NetBox query filter and poll interval.
+
+For example:
 
     {
-        "prometheus_hosts": [
+        "prometheus_config": [
             {
                 "name": "classroom",
-                "nb_filter": "role=desktop-computer status=active location=classroom"
+                "hosts": "role=desktop-computer status=active location=classroom",
+                "interval": 300
             }
         ],
-        "snmp_hosts": [
+        "snmp_hosts": "role=switch name__isw=sw- status=active status=staged status=planned",
-            {
+        "snmp_interval": 300
-                "name": "switch",
-                "nb_filter": "role=switch name__isw=sw- status=active status=staged status=planned"
-            }
-        ]
     }

roles/collector/tasks/main.yml

@@ -28,7 +28,7 @@
   template:
     dest: "/etc/prometheus/conf.d/{{ item.name }}.yml"
     src: "prometheus-job.yml.j2"
-  loop: "{{ prometheus_hosts }}"
+  loop: "{{ prometheus_config }}"
   loop_control:
     label: "{{ item.name }}"
   notify: reload prometheus

roles/collector/templates/prometheus-job.yml.j2

@@ -1,10 +1,14 @@
-{% set devices = query("netbox.netbox.nb_lookup", "devices", api_filter="{{ item.nb_filter }}", raw_data=true)
+{% set devices = query("netbox.netbox.nb_lookup", "devices", api_filter="{{ item.hosts }}", raw_data=true)
     | selectattr("primary_ip")
     | map(attribute="name")
     | map("extract", hostvars) -%}
 
 scrape_configs:
   - job_name: "{{ item.name }}"
+{% if item.interval is defined %}
+    scrape_interval: {{ item.interval }}s
+    scrape_timeout: {{ item.interval // 5 }}s
+{% endif %}
     relabel_configs:
       - source_labels: [__address__]
         regex: '([^.]+).*'

roles/collector/templates/snmp.conf.j2

@@ -1,13 +1,13 @@
 [[inputs.snmp]]
-  interval = "300s"
+{% if snmp_interval is defined %}
+  interval = "{{ snmp_interval }}s"
+{% endif %}
   agent_host_tag = "source"
   agents = [
-{% for item in snmp_hosts %}
+{% for address in query("netbox.netbox.nb_lookup", "devices", api_filter=snmp_hosts, raw_data=true)
-{% for address in query("netbox.netbox.nb_lookup", "devices", api_filter=item.nb_filter, raw_data=true)
     | selectattr("primary_ip4") | map(attribute="primary_ip4.address")
-    | ipaddr("address") %}
+    | ipaddr("int") | sort | ipaddr("address") %}
     "{{ address }}",
-{% endfor %}
 {% endfor %}
   ]
   version = 3

roles/debian/tasks/main.yml

@@ -39,8 +39,9 @@
       - git
       - ifupdown2
       - rsync
-      - vim
       - tmux
+      - vim
+      - wget
 
 # for base Debian the main interfaces file is just an include
 - name: Remove interface definitions added by installer

roles/friwall/README.md

@@ -0,0 +1 @@
+Install and configure the [FRIwall](https://git.fri.uni-lj.si/rc/friwall) web application for managing firewall nodes. For settings and operation refer to that project.

roles/friwall/tasks/main.yml

@@ -38,17 +38,18 @@
     extra_args: --user --break-system-packages --no-warn-script-location
   notify: restart uwsgi
 
-- name: Configure base settings
+- name: Ensure setting files exist
-  template:
+  copy:
-    dest: "/srv/friwall/{{ item }}"
+    dest: "/srv/friwall/{{ item }}.json"
-    src: "{{ item }}.j2"
+    content: |
+      {}
     owner: friwall
     group: friwall
     mode: 0600
     force: no
   loop:
-    - nodes.json
+    - nodes
-    - settings.json
+    - settings
   notify: restart uwsgi
 
 - name: Configure list of networks

roles/friwall/templates/interfaces.j2

@@ -1,14 +0,0 @@
-auto lo
-iface lo inet loopback
-
-{% for iface in interfaces %}
-auto {{ iface.name }}
-iface {{ iface.name }} inet static
-{% for address in iface.ip_addresses %}
-    address {{ address.address }}
-{% endfor %}
-{% if iface.custom_fields.gateway %}
-    gateway {{ iface.custom_fields.gateway.address | ipaddr('address') }}
-{% endif %}
-
-{% endfor %}

roles/friwall/templates/nodes.json.j2

@@ -1,11 +0,0 @@
-{% set nodes = query('netbox.netbox.nb_lookup', 'devices', api_filter='role=firewall', raw_data=true)
-    | selectattr('config_context') | selectattr('config_context', 'contains', 'master')
-    | selectattr('config_context.master', '==', inventory_hostname)
-    | map(attribute='name') -%}
-
-{
-{% for node in nodes %}
-  "{{ hostvars[node] | device_address | selectattr('family.value', '==', 4)
-          | map(attribute='address') | ipaddr('address') | first }}": -1{{ '' if loop.last else ',' }}
-{% endfor %}
-}

roles/friwall/templates/settings.json.j2

@@ -1,10 +0,0 @@
-{
-  "ldap_host": "{{ domain }}",
-  "ldap_user": "{{ password.ldap_user }}",
-  "ldap_pass": "{{ password.ldap_pass }}",
-  "ldap_base_dn": "{{ ldap_base_dn }}",
-  "oidc_server": "{{ password.oidc_server }}",
-  "oidc_client_id": "{{ password.oidc_client_id }}",
-  "oidc_client_secret": "{{ password.oidc_client_secret }}",
-  "wg_net": "{{ wg_net }}"
-}