feat: add enable/disable flag to firewall::init

2024-11-16 11:49:56 +11:00 · 2024-11-16 11:49:56 +11:00 · 90ce015d43
commit 90ce015d43
parent b9465cd78b
2 changed files with 21 additions and 17 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -351,6 +351,7 @@ profiles::ceph::client::mons:
 #      - prodinf01n22
 #      - repos.main.unkin.net

+firewall::enable: true
 firewall::ipset_queries:
  certbot: "enc_role=roles::infra::pki::certbot"
  cobbler: "enc_role=roles::infra::cobbler::server"
--- a/modules/firewall/manifests/init.pp
+++ b/modules/firewall/manifests/init.pp
@ -1,26 +1,29 @@
 # manage the firewall
 class firewall (
+  Boolean $enable = false,
  Hash $ipset_queries = {},
 ){

-  $ipset_queries.each |$ipset, $query| {
-    $ips = sort(query_nodes($query, 'networking.ip'))
+  if $enable {
+    $ipset_queries.each |$ipset, $query| {
+      $ips = sort(query_nodes($query, 'networking.ip'))

-    nftables::set{$ipset:
-      type     => 'ipv4_addr',
-      flags    => ['dynamic'],
-      elements => $ips,
+      nftables::set{$ipset:
+        type     => 'ipv4_addr',
+        flags    => ['dynamic'],
+        elements => $ips,
+      }
+    }
+
+    class {'nftables':
+      in_ssh    => false,
+      in_icmp   => true,
+      out_ntp   => false,
+      out_dns   => false,
+      out_http  => false,
+      out_https => false,
+      out_icmp  => true,
+      out_all   => false,
    }
  }
-
-  class {'nftables':
-    in_ssh    => false,
-    in_icmp   => true,
-    out_ntp   => false,
-    out_dns   => false,
-    out_http  => false,
-    out_https => false,
-    out_icmp  => true,
-    out_all   => false,
-  }
 }