From 08f1aa211ba740fa6bb4b6c6de5bc77feb651570 Mon Sep 17 00:00:00 2001
From: alex
Date: Sat, 16 Sep 2023 13:36:12 +0200
Subject: [PATCH] Add finer firewall control

---
 personal_infra/playbooks/roles/deploy_ragent/tasks/main.yml | 4 ++--
 personal_infra/puppet/modules/tinc/manifests/init.pp | 4 ++--
 personal_infra/puppet/site/01-tinc.pp | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/personal_infra/playbooks/roles/deploy_ragent/tasks/main.yml b/personal_infra/playbooks/roles/deploy_ragent/tasks/main.yml
index 4df4cc0..38cacab 100644
--- a/personal_infra/playbooks/roles/deploy_ragent/tasks/main.yml
+++ b/personal_infra/playbooks/roles/deploy_ragent/tasks/main.yml
@@ -33,10 +33,10 @@
     state: restarted
 - name: open firewall
   command: firewall-cmd --permanent --add-port=21488/tcp
-  when: ansible_os_family == "RedHat" and ansible_distribution_major_version in ("7", "8", "9") and ansible_virtualization_type != "lxc"
+  when: ansible_os_family == "RedHat" and ansible_distribution_major_version in ("7", "8", "9") and ansible_virtualization_type != "lxc" and not network.disable_firewall
 - name: reload firewall
   command: firewall-cmd --reload
-  when: ansible_os_family == "RedHat" and ansible_distribution_major_version in ("7", "8", "9") and ansible_virtualization_type != "lxc"
+  when: ansible_os_family == "RedHat" and ansible_distribution_major_version in ("7", "8", "9") and ansible_virtualization_type != "lxc" and not network.disable_firewall
 - name: force check
   community.general.nagios:
     action: forced_check
diff --git a/personal_infra/puppet/modules/tinc/manifests/init.pp b/personal_infra/puppet/modules/tinc/manifests/init.pp
index be37330..581593a 100644
--- a/personal_infra/puppet/modules/tinc/manifests/init.pp
+++ b/personal_infra/puppet/modules/tinc/manifests/init.pp
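Review bot: Both new `when` clauses dereference `network.disable_firewall` with no default, so any RedHat/non-lxc host whose `network` dict lacks that key fails the play with an undefined-variable error instead of skipping the task — this may be guaranteed by the same inventory data the Puppet side reads, but nothing here enforces it. Write the guard as `and not (network.disable_firewall | default(false))` on both lines; that also makes the fail-safe explicit, since hosts that have not opted out keep getting only the single port 21488/tcp opened rather than a broader rule. As the two tasks now share an identical long condition, wrapping them in one `block:` with a single `when:` would stop the two copies from drifting apart on the next edit.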
@@ -1,4 +1,4 @@
-class tinc($tinc_name, $tinc_location, $tinc_connect_to, $tinc_locations, $tinc_ip, $tinc_netmask, $tinc_other_networks) {
+class tinc($tinc_name, $tinc_location, $tinc_connect_to, $tinc_locations, $tinc_ip, $tinc_netmask, $tinc_other_networks, $firewall = true) {
   # https://bugzilla.redhat.com/show_bug.cgi?id=2153663
   if($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '9') {
     copr {'tinc':
@@ -71,7 +71,7 @@ cat /etc/ansible/tinc/public_${location['address']}.pem >>/etc/tinc/${tinc_name}
     notify => Service["tinc@${tinc_name}"],
   }
-  if ($facts['os']['family'] == 'RedHat') {
+  if ($facts['os']['family'] == 'RedHat' and $firewall) {
     exec {'open firewall for tinc':
       command => '/usr/bin/firewall-cmd --permanent --add-port=655/{tcp,udp}',
       unless => '/usr/bin/firewall-cmd --query-port=655/udp',
diff --git a/personal_infra/puppet/site/01-tinc.pp b/personal_infra/puppet/site/01-tinc.pp
index 148e598..7228a87 100644
--- a/personal_infra/puppet/site/01-tinc.pp
+++ b/personal_infra/puppet/site/01-tinc.pp
@@ -22,5 +22,6 @@ if 'tinc' in lookup("group_names") {
     tinc_ip => lookup("network.self_internal_ip"),
     tinc_netmask => lookup("network.self_internal_netmask"),
     tinc_other_networks => $tinc_other_networks,
+    firewall => !lookup("network.disable_firewall"),
   }
 }
-- 
2.47.3
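Review bot: The new `$firewall` parameter on the `class tinc(...)` line is untyped, so a caller that passes the string `"false"` (easy to get from hiera or a YAML scalar) is truthy in Puppet and the port still gets opened silently; declare it as `Boolean $firewall = true` so the catalog compile rejects anything but a real boolean. The `true` default keeps the previous behaviour of unconditionally opening 655/tcp+udp on RedHat for existing callers, which is the right fail-safe here. The class body continues outside the hunk.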
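Review bot: `!lookup("network.disable_firewall")` on the added line has no default, so for any tinc node whose hiera data does not define that key lookup() raises and the entire catalog fails to compile instead of falling back to the old behaviour. Pass `firewall => !lookup("network.disable_firewall", Boolean, undef, false),` so that missing data means "keep managing the firewall" and a non-boolean value is rejected at compile time rather than negated as a truthy string. The same `network.disable_firewall` key is read by the Ansible task in this patch, so both tools should agree on it being a boolean. The enclosing `if 'tinc' in lookup("group_names")` block starts outside the hunk.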