From 6bb52f2a1577ced8e17d9131338e62702cfe532b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 22 Oct 2023 19:54:10 +1100
Subject: [PATCH] feat: add firewalld management profile - basic profile to enable/disable, and install/remove - defaulting to enabled and installed, but set to disabled and removed in hiera
---
 hieradata/os/AlmaLinux/all_releases.yaml | 3 ++
 site/profiles/manifests/base.pp | 1 +
 site/profiles/manifests/firewall/firewalld.pp | 32 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 site/profiles/manifests/firewall/firewalld.pp
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index beee352..230dbd0 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -2,3 +2,6 @@
 ---
 profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au
 profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au
+profiles::firewall::firewalld::ensure_package: 'absent'
+profiles::firewall::firewalld::ensure_service: 'stopped'
+profiles::firewall::firewalld::enable_service: false
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index e5831df..056d3e1 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -8,6 +8,7 @@ class profiles::base (
 case $facts['os']['family'] {
 'RedHat': {
 include profiles::yum::global
+ include profiles::firewall::firewalld
 }
 'Debian': {
 include profiles::apt::global
diff --git a/site/profiles/manifests/firewall/firewalld.pp b/site/profiles/manifests/firewall/firewalld.pp
new file mode 100644
index 0000000..eaafda7
--- /dev/null
+++ b/site/profiles/manifests/firewall/firewalld.pp
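Review bot: The three added `profiles::firewall::firewalld::*` keys remove, stop and disable firewalld for what looks like every AlmaLinux release, and the `base.pp` hunk includes the class for the whole RedHat family, so the first agent run after merge would uninstall the host firewall on each of those nodes. No replacement packet filter is visible in this patch. If one is managed elsewhere, name it in a comment above the keys, for example `# firewalld removed: host filtering is provided by <replacement profile>`. If none exists, consider keeping the class defaults (installed/running) here and scoping the override to the specific nodes or roles that need it.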
@@ -0,0 +1,32 @@
+# Manages the firewalld package and service on RedHat-like distributions.
+#
+# @param ensure_package Determines the state of the firewalld package.
+# Can be set to 'absent' to remove the package or 'installed' to ensure it's present.
+#
+# @param ensure_service Determines the state of the firewalld service.
+# Can be set to 'stopped' to stop the service or 'running' to ensure it's active.
+#
+# @param enable_service A boolean that specifies whether to enable or disable the firewalld service on boot.
+#
+class profiles::firewall::firewalld (
+ Enum['absent', 'installed'] $ensure_package = 'installed',
+ Enum['stopped', 'running'] $ensure_service = 'running',
+ Boolean $enable_service = true,
+) {
+ # Ensure it only runs on RedHat like distributions
+ if $facts['os']['family'] == 'RedHat' {
+
+ # Manage the firewalld package
+ package { 'firewalld':
+ ensure => $ensure_package,
+ }
+
+ # Manage the firewalld service
+ service { 'firewalld':
+ ensure => $ensure_service,
+ enable => $enable_service,
+ hasrestart => true,
+ require => Package['firewalld'],
+ }
+ }
+}
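Review bot: Nothing in the class body rejects contradictory parameter combinations, so a Hiera override of only `ensure_package: 'absent'` leaves `ensure_service` at its default of `'running'`; the catalog compiles and the service resource will most likely fail on every agent run once the package is gone. A guard at the top of the body would catch this at compile time: `if $ensure_package == 'absent' and ($ensure_service == 'running' or $enable_service) { fail('firewalld cannot be running or enabled while the package is absent') }`. Separately, `require => Package['firewalld']` orders the service after the package in the removal case too, so the package is erased before Puppet tries to stop the unit. That probably works only because the RPM scriptlets stop it, so either reverse the ordering when `$ensure_package == 'absent'` or add a comment stating the reliance.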