Browse Source
feat: allow the creation of application files for UFW in applications.d
Instead of getting a limited set of files you can now control in the pillar the creation of new applications and use them in the same state file.pull/30/head
Matthieu Patou
2 years ago
5 changed files with 53 additions and 0 deletions
+ 10
- 0
pillar.example
View File
| Postgresql: | Postgresql: | ||||
| deny: true | deny: true | ||||
| RSPAMD-milter: | |||||
| enabled: true | |||||
| applications_files: | |||||
| ufw-rspamd: | |||||
| RSPAMD-milter: | |||||
| title: Rspamd milter | |||||
| description: Rspamd port for milter (mail filter) connection from STMP mail process | |||||
| ports: 11332/tcp | |||||
| # Allow all traffic in on the specified interface | # Allow all traffic in on the specified interface | ||||
| interfaces: | interfaces: | ||||
| eth1: | eth1: |
+ 5
- 0
ufw/config/applications.sls
View File
| {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | ||||
| {%- set to_addr = app_details.get('to_addr', None) %} | {%- set to_addr = app_details.get('to_addr', None) %} | ||||
| {%- set comment = app_details.get('comment', None) %} | {%- set comment = app_details.get('comment', None) %} | ||||
| {%- set require = app_details.get('require', None) %} | |||||
| {%- if from_addr is not none %} | {%- if from_addr is not none %} | ||||
| ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}: | ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}: | ||||
| {%- if comment is not none and salt['grains.get']('osfinger') != 'Debian-8' and salt['grains.get']('osfinger') != 'CentOS-6' %} | {%- if comment is not none and salt['grains.get']('osfinger') != 'Debian-8' and salt['grains.get']('osfinger') != 'CentOS-6' %} | ||||
| - comment: '"{{ comment }}"' | - comment: '"{{ comment }}"' | ||||
| {%- endif %} | {%- endif %} | ||||
| {%- if require %} | |||||
| - require: | |||||
| - file: ufw-file-app-{{ require }} | |||||
| {%- endif %} | |||||
| {%- if enabled %} | {%- if enabled %} | ||||
| - listen_in: | - listen_in: | ||||
| - cmd: reload-ufw | - cmd: reload-ufw |
+ 15
- 0
ufw/config/file.sls
View File
| - context: | - context: | ||||
| ufw_sysctl: {{ ufw.sysctl | json }} | ufw_sysctl: {{ ufw.sysctl | json }} | ||||
| {% if ufw.get('applications_files') %} | |||||
| {% for filename, config in ufw.get('applications_files').items() %} | |||||
| ufw-file-app-{{ filename }}: | |||||
| file.managed: | |||||
| - name: /etc/ufw/applications.d/{{ filename }} | |||||
| - user: root | |||||
| - group: root | |||||
| - mode: 644 | |||||
| - template: jinja | |||||
| - source: salt://ufw/files/application.tmpl.jinja | |||||
| - context: | |||||
| config: {{ config | json }} | |||||
| {% endfor %} | |||||
| {% else %} | |||||
| /etc/ufw/applications.d: | /etc/ufw/applications.d: | ||||
| file.recurse: | file.recurse: | ||||
| - user: root | - user: root | ||||
| - file_mode: 644 | - file_mode: 644 | ||||
| - clean: False | - clean: False | ||||
| - source: salt://ufw/files/applications.d | - source: salt://ufw/files/applications.d | ||||
| {% endif %} |
+ 9
- 0
ufw/files/application.tmpl.jinja
View File
| {%- for app_name, app_config in config.items() %} | |||||
| {%- set app_title=app_config.get('title', app_name) %} | |||||
| {%- set app_description=app_config.get('description', "") %} | |||||
| {%- set app_ports=app_config.get('ports') %} | |||||
| [{{ app_name }}] | |||||
| title={{ app_title }} | |||||
| description={{ app_description }} | |||||
| ports={{ app_ports }} | |||||
| {%- endfor %} |
+ 14
- 0
ufw/service/update.sls
View File
| # -*- coding: utf-8 -*- | |||||
| # vim: ft=sls | |||||
| {#- Get the `tplroot` from `tpldir` #} | |||||
| {%- set tplroot = tpldir.split('/')[0] %} | |||||
| {%- from tplroot ~ "/map.jinja" import ufw with context %} | |||||
| {%- if ufw.get('enabled', False) %} | |||||
| app-update-ufw: | |||||
| cmd.wait: # noqa: 213 | |||||
| - name: ufw app update all | |||||
| {%- endif %} |
Loading…