From 4f897d37f5df153ccbe8006266bbfb74f131dac7 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 9 Feb 2018 16:57:14 +0100
Subject: [PATCH] Server: Configure firewalld by default, new switch: ipaserver_no_firewalld

A new section has been added to configure firewalld automatically as the last step of the server installation. A new switch has been added to be able to turn firewalld configuration off: ipaserver_no_firewalld. It defaults to no.
---
 roles/ipaserver/defaults/main.yml | 2 ++
 roles/ipaserver/tasks/install.yml | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/roles/ipaserver/defaults/main.yml b/roles/ipaserver/defaults/main.yml
index 79f61c2f..b2ff174c 100644
--- a/roles/ipaserver/defaults/main.yml
+++ b/roles/ipaserver/defaults/main.yml
@@ -30,6 +30,8 @@ ipaserver_no_dnssec_validation: no
 ### ad trust ###
 ipaserver_enable_compat: no
 ipaserver_setup_ca: yes
+### firewalld ###
+ipaserver_no_firewalld: no
 ### additional ###
 ipaserver_allow_missing: [ ]
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index de914c8b..a08c40f7 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -361,3 +361,22 @@
 path: "/root/.ipa_cache"
 state: absent
 when: result_ipaserver_enable_ipa.changed
+
+ - name: Install - Configure firewalld
+ command: >
+ firewall-cmd
+ --permanent
+ --add-service=freeipa-ldap
+ --add-service=freeipa-ldaps
+ {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+ {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
+ when: not ipaserver_no_firewalld | bool
+
+ - name: Install - Configure firewalld runtime
+ command: >
+ firewall-cmd
+ --add-service=freeipa-ldap
+ --add-service=freeipa-ldaps
+ {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+ {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
+ when: not ipaserver_no_firewalld | bool
-- GitLab
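Review bot: Both new `firewall-cmd` tasks in install.yml run whenever `ipaserver_no_firewalld` is false, which is the default, so on a host where firewalld is not installed or not running the first `command` fails and the play aborts after the IPA server has already been set up; a preceding check such as `command: firewall-cmd --state` registered with `failed_when: false` (or a `package`/`service` task that ensures firewalld is present) should gate them. Because they use `command`, both tasks also report `changed` on every run and re-add already-enabled services, so this part of the role is not idempotent; the `firewalld` module applies the permanent and runtime change in one idempotent task and removes the folded-scalar `""` trick. `ipaclient_no_ntp` is referenced from the ipaserver role here; if it is not defined in this role's defaults (not visible in the hunk) the template raises an undefined-variable error, so it is worth confirming. The task list these tasks are appended to starts outside the hunk, and the indentation of the added lines is not recoverable from this rendering.
```yaml
  - name: Install - Configure firewalld
    firewalld:
      service: "{{ item }}"
      permanent: yes
      immediate: yes
      state: enabled
    with_items: >-
      {{ ['freeipa-ldap', 'freeipa-ldaps']
         + (['dns'] if ipaserver_setup_dns | bool else [])
         + (['ntp'] if not ipaclient_no_ntp | bool else []) }}
    when: not ipaserver_no_firewalld | bool
```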