feat: allow the creation of application files for UFW in applications.d
Instead of getting a limited set of files you can now control in the
pillar the creation of new applications and use them in the same state
file.
ekacnet committed Dec 9, 2022
1 parent e9ba697 commit 01e436c
Showing 5 changed files with 53 additions and 0 deletions.
10 changes: 10 additions & 0 deletions pillar.example
Expand Up @@ -112,6 +112,16 @@ ufw:
Postgresql:
deny: true

RSPAMD-milter:
enabled: true

applications_files:
ufw-rspamd:
RSPAMD-milter:
title: Rspamd milter
description: Rspamd port for milter (mail filter) connection from STMP mail process
ports: 11332/tcp

# Allow all traffic in on the specified interface
interfaces:
eth1:
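Review bot: The example never shows the new `require` key that applications.sls now reads from each entry under `applications`, so it does not demonstrate how to order the `RSPAMD-milter` rule after the `ufw-rspamd` profile file it depends on; add `require: ufw-rspamd` beneath `enabled: true` under `RSPAMD-milter:`. It would also help to say above `applications_files:` what file.sls does with it, since the `else` branch there stops deploying the bundled directory once this key is set, e.g. `# When set, only these profiles are written; the shipped applications.d is no longer copied`. Whether that replacement (rather than an extension) is intended is not stated in the commit message.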
5 changes: 5 additions & 0 deletions ufw/config/applications.sls
Expand Up @@ -27,6 +27,7 @@ include:
{%- set method = 'deny' if deny else ('limit' if limit else 'allow') %}
{%- set to_addr = app_details.get('to_addr', None) %}
{%- set comment = app_details.get('comment', None) %}
{%- set require = app_details.get('require', None) %}
{%- if from_addr is not none %}
ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}:
Expand All @@ -46,6 +47,10 @@ ufw-app-{{ method }}-{{ app_name }}:
{%- if comment is not none and salt['grains.get']('osfinger') != 'Debian-8' and salt['grains.get']('osfinger') != 'CentOS-6' %}
- comment: '"{{ comment }}"'
{%- endif %}
{%- if require %}
- require:
- file: ufw-file-app-{{ require }}
{%- endif %}
{%- if enabled %}
- listen_in:
- cmd: reload-ufw
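Review bot: The new `require` block is only attached to the `ufw-app-{{ method }}-{{ app_name }}` state in the second hunk; the `from_addr` variant declared at `ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}` (its body lies outside the hunk) gets no equivalent, and the 5-line diffstat for this file suggests none was added, so a rule with `from_addr` set can run `ufw allow` before its pillar-defined profile exists. Mirror the same three lines there: `{%- if require %}` / `- require:` / `- file: ufw-file-app-{{ require }}`. Since `applications_files` already maps file names to the app names they define, the file could also be looked up from `app_name` instead of asking the pillar author to repeat it, which removes the failure mode of a stale `require` naming a file that no longer contains the app. The enclosing loop over `applications` starts before the first hunk.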
15 changes: 15 additions & 0 deletions ufw/config/file.sls
Expand Up @@ -40,10 +40,25 @@ ufw-sysctl-file-file-managed:
- context:
ufw_sysctl: {{ ufw.sysctl | json }}
{% if ufw.get('applications_files') %}
{% for filename, config in ufw.get('applications_files').items() %}
ufw-file-app-{{ filename }}:
file.managed:
- name: /etc/ufw/applications.d/{{ filename }}
- user: root
- group: root
- mode: 644
- template: jinja
- source: salt://ufw/files/application.tmpl.jinja
- context:
config: {{ config | json }}
{% endfor %}
{% else %}
/etc/ufw/applications.d:
file.recurse:
- user: root
- group: root
- file_mode: 644
- clean: False
- source: salt://ufw/files/applications.d
{% endif %}
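Review bot: `filename` comes straight from the pillar key and is interpolated unchecked into `- name: /etc/ufw/applications.d/{{ filename }}`, so a key such as `../../etc/cron.d/x` makes `file.managed` write a root-owned, mode-644 file outside applications.d; pillar is normally master-controlled, but with delegated or external pillars that is a path-traversal primitive and a one-line render-time guard is cheap. Two further gaps: the `{% else %}` means that as soon as `applications_files` is non-empty the shipped `applications.d` tree is no longer deployed at all, which silently breaks existing `applications:` entries that reference bundled profiles; and nothing in this hunk notifies the new `app-update-ufw` wait state, so a changed port in a profile is not propagated to rules already loaded unless something outside this commit wires it (the `watch_in` below assumes update.sls is included and guarded by the same `enabled` condition). The `ufw-sysctl-file-file-managed` state this hunk sits in starts before the hunk.
```yaml
{% if ufw.get('applications_files') %}
{% for filename, config in ufw.get('applications_files').items() %}
{%- if '/' in filename or filename in ['.', '..'] %}
{{ raise("ufw: applications_files key '" ~ filename ~ "' must be a plain file name") }}
{%- endif %}
ufw-file-app-{{ filename }}:
  file.managed:
    - name: /etc/ufw/applications.d/{{ filename }}
    # … unchanged: user, group, mode, template, source, context …
    - watch_in:
      - cmd: app-update-ufw
{% endfor %}
```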
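--- /dev/null
+++ b/ufw/files/application.tmpl.jinja
@@ -0,0 +1,9 @@
+{%- for app_name, app_config in config.items() %}
+{%- set app_title=app_config.get('title', app_name) %}
+{%- set app_description=app_config.get('description', "") %}
+{%- set app_ports=app_config.get('ports') %}
+[{{ app_name }}]
+title={{ app_title }}
+description={{ app_description }}
+ports={{ app_ports }}
+{%- endfor %}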
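Review bot: `app_config.get('ports')` defaults to `None`, so an entry without `ports` renders the literal line `ports=None` into the profile, which ufw will most likely reject only later at `ufw app update`/`ufw allow` time rather than when the state renders; `ports` is the one field a profile cannot do without, so index it directly, `{%- set app_ports=app_config['ports'] %}`, to fail the render with a clear KeyError. The values are also written verbatim into an INI-style file, so a title or description carrying a newline (or a `[`-prefixed line) from the pillar can inject extra keys or sections into the profile; a render-time check such as `{%- if '\n' in (app_title ~ app_description ~ app_ports) %}{{ raise('ufw profile fields must be single-line') }}{%- endif %}` closes that. A one-line header comment naming the format this emits would also help, e.g. `{#- Renders one [section] per app in ufw's applications.d INI format: title, description, ports #}`.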
14 changes: 14 additions & 0 deletions ufw/service/update.sls
@@ -0,0 +1,14 @@
# -*- coding: utf-8 -*-
# vim: ft=sls

{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import ufw with context %}
{%- if ufw.get('enabled', False) %}
app-update-ufw:
cmd.wait: # noqa: 213
- name: ufw app update all
{%- endif %}

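Review bot: `app-update-ufw` is a `cmd.wait` state, which only runs when another state watches it, yet none of the other hunks in this commit reference `cmd: app-update-ufw`, so as merged it is inert unless wiring exists outside this change; the profile-file states in file.sls are the natural trigger (`watch_in`/`listen_in`), and that trigger needs the same `ufw.enabled` guard or the requisite is unresolvable when ufw is disabled. The `# noqa: 213` suggests the linter objected to this construct; if I recall correctly Salt's docs point to `cmd.run` with an `onchanges` requisite as the replacement, which would also drop the noqa. A short comment would tell the next reader why `all` is used, e.g. `# Re-read every profile so rules created from profiles whose ports changed are updated in place`.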