From a0ee0fd90d3712ae2bdd10f65e2631f0bff08342 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Sun, 24 Nov 2019 20:53:54 +0100
Subject: [PATCH] Add firewalld rules to service roles.
---
 roles/krb5-kdc-ldap/tasks/main.yml | 24 ++++++++++++++++++++
 roles/ldap/tasks/main.yml | 17 ++++++++++++--
 roles/nfs-server/tasks/main.yml | 16 +++++++++++++
 roles/two-interface-firewalld/tasks/main.yml | 7 +++++-
 4 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
index 5252dc1..fc27565 100644
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@@ -177,3 +177,27 @@
 changed_when: kerberize_result.stderr is not search('already exists while creating')
 no_log: true
 when: foo_pwd is defined and foo_pwd | length > 0
+
+#############################
+
+- name: allow services in firewalld
+ firewalld:
+ zone: internal
+ service: "{{ item }}"
+ permanent: yes
+ state: enabled
+ with_items:
+ - kerberos
+ - kadmin
+ - kpasswd
+ when: not run_in_installer|default(false)|bool
+
+## Use firewall-offline-cmd when run during installation:
+
+- name: allow services in firewalld
+ command: >-
+ firewall-offline-cmd --zone=internal
+ --add-service=kerberos
+ --add-service=kadmin
+ --add-service=kpasswd
+ when: run_in_installer|default(false)|bool
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 6f290d3..c8564d4 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
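Review bot: In the `firewalld` task the three services are added with `permanent: yes` but no `immediate`, so on a running system only the saved configuration is updated and the active ruleset stays unchanged until firewalld is reloaded; if nothing later reloads it, the KDC remains unreachable on kerberos/kadmin/kpasswd. Add `immediate: true` next to `permanent: true` (and prefer `true` over `yes`, per yamllint's truthy rule) so both the runtime and the persistent configuration get the rule. `with_items` can also become `loop`. Both branches carry the identical task name `allow services in firewalld`; naming the offline one e.g. `allow services in firewalld (offline)` makes play output easier to read.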
@@ -116,5 +116,18 @@
 bind_pw: "{{ ldap_admin_pwd }}"
 when: foo_pwd is defined and foo_pwd | length > 0
 
-## ldapaddgroup tom
-## ldapadduser tom tom
+#############################
+
+- name: allow ldap service in firewalld
+ firewalld:
+ zone: internal
+ service: ldap
+ permanent: yes
+ state: enabled
+ when: not run_in_installer|default(false)|bool
+
+## Use firewall-offline-cmd when run during installation:
+
+- name: allow ldap service in firewalld
+ command: "firewall-offline-cmd --zone=internal --add-service=ldap"
+ when: run_in_installer|default(false)|bool
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index 31c9036..2f5448f 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@@ -75,3 +75,19 @@
 dest: /etc/dnsmasq.d/dhcp-send-domain
 notify: "restart dnsmasq"
 when: dnsmasq.stat.exists
+
+#############################
+
+- name: allow nfs service in firewalld
+ firewalld:
+ zone: internal
+ service: nfs
+ permanent: yes
+ state: enabled
+ when: not run_in_installer|default(false)|bool
+
+## Use firewall-offline-cmd when run during installation:
+
+- name: allow nfs service in firewalld
+ command: "firewall-offline-cmd --zone=internal --add-service=nfs"
+ when: run_in_installer|default(false)|bool
diff --git a/roles/two-interface-firewalld/tasks/main.yml b/roles/two-interface-firewalld/tasks/main.yml
index 4df3564..dd5a05e 100644
--- a/roles/two-interface-firewalld/tasks/main.yml
+++ b/roles/two-interface-firewalld/tasks/main.yml
@@ -65,5 +65,10 @@
 when: run_in_installer|default(false)|bool
 
 - name: enable services
- command: "firewall-offline-cmd --zone=internal --add-service=dhcp --add-service=dns --add-service=tftp --add-service=git"
+ command: >-
+ firewall-offline-cmd --zone=internal
+ --add-service=dhcp
+ --add-service=dns
+ --add-service=tftp
+ --add-service=git
 when: run_in_installer|default(false)|bool
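Review bot: The `ldap` firewalld service opens only 389/tcp (plain LDAP and StartTLS); if the directory also listens with ldaps on 636, the `ldaps` service has to be enabled in both tasks as well, otherwise TLS-only clients are blocked while the unencrypted port is the one reachable. As in the other roles, `permanent: yes` without `immediate: true` leaves the running firewall untouched until a reload, so the non-installer task should read `permanent: true` / `immediate: true`. Whether the server here offers ldaps cannot be seen from this hunk — worth confirming against the listener configuration elsewhere in the role.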
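Review bot: firewalld's `nfs` service definition covers only 2049/tcp, which is enough for NFSv4 clients; if exports on this server are also mounted over NFSv3, `rpc-bind` and `mountd` must be allowed too (`--add-service=rpc-bind --add-service=mountd` in the offline command, and matching entries in the `firewalld` task), otherwise mounts fail at the portmapper step. The same `immediate: true` caveat as for the other roles applies to the `permanent: yes` task here. Which NFS versions are served is not visible in this hunk — confirm against the role's exports configuration before deciding.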