diff --git a/firewalld/_config.sls b/firewalld/_config.sls
deleted file mode 100644
index 86ff910..0000000
--- a/firewalld/_config.sls
+++ /dev/null
@@ -1,29 +0,0 @@
-# == State: firewalld._config
-#
-# This state configures firewalld.
-#
-
-/etc/firewalld/:
- file.directory: # make sure this is a directory
- - user: root
- - group: root
- - mode: 750
- - require:
- - pkg: firewalld # make sure package is installed
- - watch_in:
- - service: firewalld # restart service
-
-/etc/firewalld/firewalld.conf:
- file:
- - managed
- - name: /etc/firewalld/firewalld.conf
- - user: root
- - group: root
- - mode: 640
- - source: salt://firewalld/files/firewalld.conf
- - template: jinja
- - require:
- - pkg: firewalld # make sure package is installed
- - watch_in:
- - service: firewalld # restart service
-
diff --git a/firewalld/config.sls b/firewalld/config.sls
new file mode 100644
index 0000000..1a8b5e6
--- /dev/null
+++ b/firewalld/config.sls
@@ -0,0 +1,31 @@
+# == State: firewalld._config
+#
+# This state configures firewalld.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+directory_firewalld:
+ file.directory: # make sure this is a directory
+ - name: /etc/firewalld
+ - user: root
+ - group: root
+ - mode: 750
+ - require:
+ - pkg: package_firewalld # make sure package is installed
+ - listen_in:
+ - service: service_firewalld # restart service
+
+config_firewalld:
+ file.managed:
+ - name: /etc/firewalld/firewalld.conf
+ - user: root
+ - group: root
+ - mode: 640
+ - source: salt://firewalld/files/firewalld.conf
+ - template: jinja
+ - require:
+ - pkg: package_firewalld # make sure package is installed
+ - file: directory_firewalld
+ - listen_in:
+ - service: service_firewalld # restart service
+
diff --git a/firewalld/defaults.yaml b/firewalld/defaults.yaml
new file mode 100644
index 0000000..ac2f830
--- /dev/null
+++ b/firewalld/defaults.yaml
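Review bot: The header comment still names the old state, `+# == State: firewalld._config`, although this file is now `firewalld/config.sls` and `init.sls` includes it as `firewalld.config`; change it to `# == State: firewalld.config`. The `{% from "firewalld/map.jinja" import firewalld with context %}` line imports the map but nothing in the file uses it: both paths remain hard-coded as `/etc/firewalld` and `/etc/firewalld/firewalld.conf`. If the intent was to take the config path from the map, note that `defaults.yaml` in this same commit defines `config: /etc/firewalld.conf`, which does not match the managed path, so either drop the import or use `- name: {{ firewalld.config }}` once that default is corrected. The same unused import appears in the first hunks of `services.sls` and `zones.sls`.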
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+firewalld:
+ package: firewalld
+ service: firewalld
+ config: /etc/firewalld.conf
diff --git a/firewalld/init.sls b/firewalld/init.sls
index c59d059..9f9ff0c 100644
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@@ -3,39 +3,39 @@ # # This state installs/runs firewalld. # - +{% from "firewalld/map.jinja" import firewalld with context %} {% if salt['pillar.get']('firewalld:enabled') %} include: - - firewalld._config - - firewalld._service - - firewalld._zone + - firewalld.config + - firewalld.services + - firewalld.zones # iptables service that comes with rhel/centos iptables: - service: - - disabled + service.disabled: - enable: False ip6tables: - service: - - disabled + service.disabled: - enable: False -firewalld: - pkg: - - installed - service: - - running # ensure it's running +package_firewalld: + pkg.installed: + - name: {{ firewalld.package }} + +service_firewalld: + service.running: + - name: {{ firewalld.service }} - enable: True # start on boot - require: - - pkg: firewalld - - file: /etc/firewalld/firewalld.conf # require this file - - service: iptables # ensure it's stopped - - service: ip6tables # ensure it's stopped + - pkg: package_firewalld + - file: config_firewalld + - service: iptables # ensure it's stopped + - service: ip6tables # ensure it's stopped {% else %} -firewalld: - service: - - dead # ensure it's not running - - enable: False # don't start on boot -{% endif %} \ No newline at end of file +service_firewalld: + service.dead: + - name: {{ firewalld.service }} + - enable: False # don't start on boot +{% endif %}
diff --git a/firewalld/map.jinja b/firewalld/map.jinja
new file mode 100644
index 0000000..a9cb55c
--- /dev/null
+++ b/firewalld/map.jinja
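Review bot: The default `config: /etc/firewalld.conf` does not match the file the states actually manage, which is `/etc/firewalld/firewalld.conf` in `config.sls`; nothing reads this key yet, so the mismatch stays silent until someone templates `{{ firewalld.config }}` and ends up managing a different file. Change it to `config: /etc/firewalld/firewalld.conf`. A short comment above the mapping would also help readers, e.g. `# base lookup values for map.jinja; pillar firewalld:lookup and firewalld are merged on top`, since `map.jinja` in this commit appears to merge both pillar keys over these defaults.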
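Review bot: `service.disabled` on `iptables` and `ip6tables` only keeps them from starting at boot; an iptables service that is currently running is left running, which contradicts the `# ensure it's stopped` comments on the `require` entries of `service_firewalld` and can leave two firewall managers active on the same host. If stopping is the intent, use `service.dead:` with `- enable: False` for both states, e.g. `iptables:` / `  service.dead:` / `    - enable: False`; the `require` from `service_firewalld` then also guarantees ordering after the stop. The `{% if salt['pillar.get']('firewalld:enabled') %}` guard reads the raw pillar rather than the merged `firewalld` map imported just above it, which works but deserves a comment such as `# enabled is read from pillar directly, not via map.jinja`.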
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{## Start with defaults from defaults.yaml ##}
+{% import_yaml "firewalld/defaults.yaml" as default_settings %}
+
+{##
+Setup variable using grains['os_family'] based logic, only add key:values here
+that differ from whats in defaults.yaml
+##}
+{% set os_family_map = salt['grains.filter_by']({
+ 'Debian': {},
+ 'RedHat': {},
+ 'Arch': {},
+ }, grain='os_family', merge=salt['pillar.get']('firewalld:lookup'))
+%}
+
+{## Merge the flavor_map to the default settings ##}
+{% do default_settings.firewalld.update(os_family_map) %}
+
+{## Merge in salt:lookup pillar ##}
+{% set firewalld = salt['pillar.get'](
+ 'firewalld',
+ default=default_settings.firewalld,
+ merge=True)
+%}
diff --git a/firewalld/_service.sls b/firewalld/services.sls
similarity index 60%
rename from firewalld/_service.sls
rename to firewalld/services.sls
index 8f97906..68f462d 100644
--- a/firewalld/_service.sls
+++ b/firewalld/services.sls
@@ -1,19 +1,22 @@ -# == State: firewalld._service +# == State: firewalld.services # # This state ensures that /etc/firewalld/services/ exists. # -/etc/firewalld/services: +{% from "firewalld/map.jinja" import firewalld with context %} + +directory_firewalld_services: file.directory: # make sure this is a directory + - name: /etc/firewalld/services - user: root - group: root - mode: 750 - require: - - pkg: firewalld # make sure package is installed - - watch_in: - - service: firewalld # restart service + - pkg: package_firewalld # make sure package is installed + - listen_in: + - service: service_firewalld # restart service -# == Define: firewalld._service +# == Define: firewalld.services # # This defines a service configuration, see firewalld.service (5) man page. # You usually don't need this, you can simply add ports to zone.
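Review bot: The `grains.filter_by` lookup dict has no `'default'` entry, so on a host whose `os_family` is none of Debian, RedHat or Arch the call appears to return `None`, and the following `{% do default_settings.firewalld.update(os_family_map) %}` then fails during rendering instead of falling back to `defaults.yaml`. Add `'default': {},` to the dict so unlisted families keep the defaults unchanged. The comment block above it has a typo (`whats` → `what's`) and could state explicitly that pillar `firewalld:lookup` is merged at this step while the top-level `firewalld` pillar is merged in the final `pillar.get` call, since that two-stage override order is not obvious from the code.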
@@ -31,9 +34,10 @@ - source: salt://firewalld/files/service.xml - template: jinja - require: - - pkg: firewalld # make sure package is installed - - watch_in: - - service: firewalld # restart service + - pkg: package_firewalld # make sure package is installed + - file: directory_firewalld_services + - listen_in: + - service: service_firewalld # restart service - context: name: {{ s_name }} service: {{ v }}
diff --git a/firewalld/_zone.sls b/firewalld/zones.sls
similarity index 57%
rename from firewalld/_zone.sls
rename to firewalld/zones.sls
index fa1097b..67cf1cb 100644
--- a/firewalld/_zone.sls
+++ b/firewalld/zones.sls
@@ -1,19 +1,22 @@ -# == State: firewalld._zone +# == State: firewalld.zones # # This state ensures that /etc/firewalld/zones/ exists. # -/etc/firewalld/zones: +{% from "firewalld/map.jinja" import firewalld with context %} + +directory_firewalld_zones: file.directory: # make sure this is a directory + - name: /etc/firewalld/zones - user: root - group: root - mode: 750 - require: - - pkg: firewalld # make sure package is installed - - watch_in: - - service: firewalld # restart service + - pkg: package_firewalld # make sure package is installed + - listen_in: + - service: service_firewalld # restart service -# == Define: firewalld._zone +# == Define: firewalld.zones # # This defines a zone configuration, see firewalld.zone (5) man page. #
@@ -21,8 +24,7 @@ {% set z_name = v.name|default(k) %} /etc/firewalld/zones/{{ z_name }}.xml: - file: - - managed + file.managed: - name: /etc/firewalld/zones/{{ z_name }}.xml - user: root - group: root
@@ -30,9 +32,10 @@ - source: salt://firewalld/files/zone.xml - template: jinja - require: - - pkg: firewalld # make sure package is installed - - watch_in: - - service: firewalld # restart service + - pkg: package_firewalld # make sure package is installed + - file: directory_firewalld_zones + - listen_in: + - service: service_firewalld # restart service - context: name: {{ z_name }} zone: {{ v }}