feat: allow the creation of application files for UFW in applications.d

pillar.example

@@ -112,6 +112,16 @@ ufw:
     Postgresql:
       deny: true
 
+    RSPAMD-milter:
+      enabled: true
+
+  applications_files:
+    ufw-rspamd:
+      RSPAMD-milter:
+        title: Rspamd milter
+        description: Rspamd port for milter (mail filter) connection from STMP mail process
+        ports: 11332/tcp
+
   # Allow all traffic in on the specified interface
   interfaces:
     eth1:

ufw/config/applications.sls

@@ -27,6 +27,7 @@ include:
     {%- set method  = 'deny' if deny else ('limit' if limit else 'allow') %}
     {%- set to_addr = app_details.get('to_addr', None) %}
     {%- set comment = app_details.get('comment', None) %}
+    {%- set require = app_details.get('require', None) %}
 
 {%- if from_addr is not none %}
 ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}:
@@ -46,6 +47,10 @@ ufw-app-{{ method }}-{{ app_name }}:
     {%- if comment is not none and salt['grains.get']('osfinger') != 'Debian-8' and salt['grains.get']('osfinger') != 'CentOS-6' %}
     - comment: '"{{ comment }}"'
     {%- endif %}
+    {%- if require %}
+    - require:
+      - file: ufw-file-app-{{ require }}
+    {%- endif %}
     {%- if enabled %}
     - listen_in:
       - cmd: reload-ufw

ufw/config/file.sls

@@ -40,10 +40,25 @@ ufw-sysctl-file-file-managed:
     - context:
         ufw_sysctl: {{ ufw.sysctl | json }}
 
+{% if ufw.get('applications_files') %}
+{% for filename, config in ufw.get('applications_files').items() %}
+ufw-file-app-{{ filename }}:
+  file.managed:
+    - name: /etc/ufw/applications.d/{{ filename }}
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - source: salt://ufw/files/application.tmpl.jinja
+    - context:
+        config: {{ config | json }}
+{% endfor %}
+{% else %}
 /etc/ufw/applications.d:
   file.recurse:
     - user: root
     - group: root
     - file_mode: 644
     - clean: False
     - source: salt://ufw/files/applications.d
+{% endif %}

ufw/files/application.tmpl.jinja

@@ -0,0 +1,9 @@
+{%- for app_name, app_config in config.items() %}
+{%- set app_title=app_config.get('title', app_name) %}
+{%- set app_description=app_config.get('description', "") %}
+{%- set app_ports=app_config.get('ports') %}
+[{{ app_name }}]
+title={{ app_title }}
+description={{ app_description }}
+ports={{ app_ports }}
+{%- endfor %}

ufw/service/update.sls

@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+
+{%- if ufw.get('enabled', False) %}
+
+app-update-ufw:
+  cmd.wait:  # noqa: 213
+    - name: ufw app update all
+
+{%- endif %}