Add code to conditionally add HTTPS inbound allow firewall rule.

roots · Jul 29, 2024 · 7aafbfe · 7aafbfe
1 parent ab4226b
commit 7aafbfe
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml
@@ -2,7 +2,7 @@
 
 ferm_input_list:
   - type: dport_accept
-    dport: [http, https]
+    dport: [http]
     filename: nginx_accept
   - type: dport_accept
     dport: [ssh]

diff --git a/roles/ferm/defaults/main.yml b/roles/ferm/defaults/main.yml
@@ -11,3 +11,5 @@ ferm_default_policy_forward: DROP
 ferm_input_list: []
 ferm_input_group_list: []
 ferm_input_host_list: []
+
+sites_using_ssl: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled %}'{{ name }}',{% endfor %}]"
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
@@ -24,6 +24,16 @@
     - /etc/ferm/ferm.d
     - /etc/ferm/filter-input.d
 
+- name: allow inbound HTTPS
+  set_fact:
+    ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_https] }}"
+  when: sites_using_ssl | count
+  vars:
+    ferm_dport_nginx_https:
+      type: dport_accept
+      dport: [https]
+      filename: nginx_accept_https
+
 - name: ensure firewall is configured
   template:
     src: "{{ item }}.j2"