From af1c9ae59d5ebbe8a46d98466d99aa353a4b4a93 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 3 Apr 2019 11:34:49 +0300
Subject: [PATCH] Do not force firewalld on people

In most cases, there's not really a need to touch the system firewall, as Docker manages iptables by itself (see https://docs.docker.com/network/iptables/). All ports exposed by Docker containers are automatically whitelisted in iptables and wired to the correct container. This made installing firewalld and whitelisting ports pointless, as far as this playbook's services are concerned. People that wish to install firewalld (for other reasons), can do so manually from now on. This is inspired by and fixes #97 (Github Issue).
---
roles/matrix-base/tasks/setup_server_base.yml | 8 --------
roles/matrix-coturn/tasks/setup_coturn.yml | 14 --------------
.../matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 11 -----------
.../tasks/ssl/setup_ssl_lets_encrypt.yml | 11 -----------
roles/matrix-synapse/tasks/setup_synapse_main.yml | 9 ---------
5 files changed, 53 deletions(-)

diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml
index 5a41bd731..f4a8352f2 100644
--- a/roles/matrix-base/tasks/setup_server_base.yml
+++ b/roles/matrix-base/tasks/setup_server_base.yml
@@ -23,7 +23,6 @@
- bash-completion
- docker-ce
- docker-python
- - firewalld
- ntp
- fuse
state: latest
@@ -67,13 +66,6 @@
update_cache: yes
when: ansible_os_family == 'Debian'

-- name: Ensure firewalld is started and autoruns
- service:
- name: firewalld
- state: started
- enabled: yes
- when: ansible_os_family == 'RedHat'
-
- name: Ensure Docker is started and autoruns
service:
name: docker
diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml
index 619ed3780..9f79f4c82 100644
--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@@ -54,20 +54,6 @@
daemon_reload: yes
when: "matrix_coturn_enabled and matrix_coturn_systemd_service_result.changed"

-- name: Allow access to Coturn ports in firewalld
- firewalld:
- port: "{{ item }}"
- state: enabled
- immediate: yes
- permanent: yes
- with_items:
- - '3478/tcp'
- - '3478/udp'
- - '5349/tcp'
- - '5349/udp'
- - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
- when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
-
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
index c0188a4e1..9f8345605 100644
--- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -99,17 +99,6 @@
name: "{{ matrix_nginx_proxy_docker_image }}"
when: matrix_nginx_proxy_enabled

-- name: Allow access to nginx proxy ports in firewalld
- firewalld:
- service: "{{ item }}"
- state: enabled
- immediate: yes
- permanent: yes
- with_items:
- - "http"
- - "https"
- when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"
-
- name: Ensure matrix-nginx-proxy.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
index 16f7c2fe1..e4613ed78 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@@ -33,17 +33,6 @@
- "{{ matrix_ssl_lets_encrypt_support_email }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none"

-- name: Allow access to HTTP/HTTPS in firewalld
- firewalld:
- service: "{{ item }}"
- state: enabled
- immediate: yes
- permanent: yes
- with_items:
- - http
- - https
- when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'"
-
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml
index e2d7baea3..388e28ce8 100644
--- a/roles/matrix-synapse/tasks/setup_synapse_main.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml
@@ -77,12 +77,3 @@
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750

-- name: Allow access to Matrix ports in firewalld
- firewalld:
- port: "{{ item }}"
- state: enabled
- immediate: yes
- permanent: yes
- with_items:
- - '8448/tcp' # Matrix federation
- when: ansible_os_family == 'RedHat'