While trying to describe my server in Ansible, I really like the idea of forming firewall rules so as to enable only the ports/protos that are used on a host/host group.
Imagine I have a Linux-based firewall box and a webserver, a MySQL server and an OpenVPN box behind it. As I set up the webserver I apply some roles on it (http/https, ntp etc.), and I'd like to add the required ports/protos to the firewall box's iptables definition. And if later I disable ntp, then I'd like to disable the ntp-related lines in iptables for this box.
The idea is to have the firewall setup connected to the enabled services on the boxes behind the firewall.
So the question is: is it possible to do that nicely and elegantly?
Best Answer
I almost always build my own roles for deploying services, and I generally put the firewall rules for those services directly in the role.
Here is an example, for nginx:
In roles/nginx/tasks/firewall.yml:
In roles/nginx/defaults/main.yml:
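The answer's own file contents are not shown on the page. The following is an added example, not the answerer's code, of how such a role-local firewall file can be laid out so that the rules live with the service role and are pushed to a separate firewall box. The role name nginx, the inventory host name fw01, the variable names nginx_firewall_* and the use of the FORWARD chain are all assumptions; only the ansible.builtin.iptables module and its parameters are real.

```yaml
# roles/nginx/defaults/main.yml  (added example; all variable names are assumptions)
---
nginx_firewall_host: fw01          # inventory name of the firewall box (assumed)
nginx_firewall_enabled: true       # flip to false to withdraw the rules again
nginx_firewall_ports:              # what this service needs opened, nothing more
  - { port: 80,  proto: tcp }
  - { port: 443, proto: tcp }

# roles/nginx/tasks/firewall.yml  (added example)
---
- name: Manage iptables rules for nginx on the firewall box
  ansible.builtin.iptables:
    chain: FORWARD
    protocol: "{{ item.proto }}"
    # templated in the webserver's context, so this is the webserver's address
    destination: "{{ ansible_default_ipv4.address }}"
    destination_port: "{{ item.port }}"
    ctstate: NEW
    jump: ACCEPT
    # the comment ties the rule to the service and host that asked for it
    comment: "nginx on {{ inventory_hostname }}"
    # present/absent is driven by the same variable that enables the service
    state: "{{ 'present' if nginx_firewall_enabled else 'absent' }}"
  loop: "{{ nginx_firewall_ports }}"
  delegate_to: "{{ nginx_firewall_host }}"
  become: true

# roles/nginx/tasks/main.yml  (added example)
---
- name: Install and configure nginx
  ansible.builtin.apt:
    name: nginx
    state: present
  become: true

- name: Open the firewall for this service
  ansible.builtin.import_tasks: firewall.yml
```

Two things to keep in mind with this layout. First, state: absent only removes the rule when the role still runs against the webserver with nginx_firewall_enabled set to false; simply dropping the role from the playbook leaves the old ACCEPT rule on the firewall box. Second, ansible.builtin.iptables changes the running ruleset only; to make the rules survive a reboot you still need a persistence step on the firewall host (for example a handler that runs iptables-save into the distribution's rules file).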