Merge branch '3-implement-opnsense-support' into 'master'

Resolve "Implement OPNsense support" Closes #3 See merge request muni-kypo-crp/backend-python/ansible-networking-stage/kypo-interface!2

Merge branch '3-implement-opnsense-support' into 'master'
4167766c · Michal Urban · 2f128c1d · 6b621bc1 · 4167766c · 4167766c
Commit 4167766c authored 2 years ago by Michal Urban
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,5 @@ kypo_interface_interfaces: []
 kypo_interface_required_variables:
    kypo_interface_interfaces: '{{ kypo_interface_interfaces }}'

+kypo_interface_opnsense_config_file: /conf/config.xml
+kypo_interface_opnsense_local_config_file: '/tmp/config-{{ inventory_hostname }}'
--- a/tasks/Debian.yml
+++ b/tasks/Debian.yml
+
+- name: clean interfaces configuration
+  when: kypo_interface_clean is defined and kypo_interface_clean
+  block:
+   - name: find all interfaces configuration files
+     find:
+         paths:
+             - '{{ kypo_interface_directory }}'
+     register: kypo_interface_extra_files
+
+   - set_fact:
+         kypo_interface_config_files: '{{ (kypo_interface_extra_files.files | map(attribute="path") | list) + [kypo_interface_default_file] }}'
+
+   - include_tasks: 'clean-Debian.yml'
+     vars:
+       kypo_interface_device: '{{ kypo_interface_item.kypo_interface_device }}'
+     loop_control:
+       loop_var: kypo_interface_item
+     loop: '{{ kypo_interface_interfaces }}'
+
+   - name: remove multiple consecutive new line characters
+     replace:
+         path: '{{ item }}'
+         regexp: '(\n)+'
+         replace: '\n'
+     with_items: '{{ kypo_interface_config_files }}'
+
+- name: configure interfaces
+  blockinfile:
+      path: '{{ kypo_interface_file }}'
+      create: yes
+      marker: '# {mark} {{ item.kypo_interface_device }}'
+      block: |
+          allow-hotplug {{ item.kypo_interface_device }}
+          auto {{ item.kypo_interface_device }}
+          iface {{ item.kypo_interface_device }} inet dhcp
+              mtu {{ kypo_interface_mtu }}
+              {% if item.kypo_interface_default_gateway is defined and item.kypo_interface_default_gateway -%}
+              gateway {{ item.kypo_interface_default_gateway }}
+              up route add default gw {{ item.kypo_interface_default_gateway }}
+              {% endif -%}
+              {% if item.kypo_interface_routes is defined and item.kypo_interface_routes -%}
+              {% for route in item.kypo_interface_routes -%}
+              post-up ip route add {{ route['network'] }}/{{ route['mask'] }} via {{ route['gateway'] }}
+              pre-down ip route del {{ route['network'] }}/{{ route['mask'] }} via {{ route['gateway'] }}
+              {% endfor %}
+              {% endif %}
+  notify: kypo_interface_networking_restart
+  loop: '{{ kypo_interface_interfaces }}'
--- a/tasks/FreeBSD.yml
+++ b/tasks/FreeBSD.yml
+
+- include_tasks: check-OPNsense.yml
+
+- name: clean interfaces configuration
+  xml:
+    path: '{{ kypo_interface_opnsense_local_config_file }}'
+    xpath: '/opnsense/interfaces/*[if and if[text()="{{ item.kypo_interface_device }}"]]'
+    state: absent
+  delegate_to: localhost
+  loop: '{{ kypo_interface_interfaces }}'
+  when: kypo_interface_clean is defined and kypo_interface_clean
+
+- name: configure interfaces
+  include_tasks: interface-FreeBSD.yml
+  vars:
+    kypo_interface_device: '{{ kypo_interface_item.kypo_interface_device }}'
+  loop_control:
+    loop_var: kypo_interface_item
+  loop: '{{ kypo_interface_interfaces }}'
+
+- name: get default gateway
+  set_fact:
+    kypo_interface_default_gateway: '{{ kypo_interface_interfaces | selectattr("kypo_interface_default_gateway", "defined") | first }}'
+
+- name: prepare variables with configuration
+  set_fact:
+    default_gateway:
+      interface: '{{ kypo_interface_default_gateway.kypo_interface_device }}'
+      gateway: '{{ kypo_interface_default_gateway.kypo_interface_default_gateway }}'
+      name: WAN
+      ipprotocol: inet
+      priority: 1
+      weight: 1
+      monitor_disable: 1
+    firewall_rule:
+      type: pass
+      interface: '{{ kypo_interface_interfaces | map(attribute="kypo_interface_device") | join(",") }}'
+      ipprotocol: inet
+      descr: Allow everything
+      direction: any
+      source/any: 1
+      destination/any: 1
+      statetype: keep state
+      quick: 1
+      floating: 'yes'
+
+- name: configure gateway
+  xml:
+    path: '{{ kypo_interface_opnsense_local_config_file }}'
+    xpath: '/opnsense/gateways/gateway_item[name[text()="{{ default_gateway.name }}"]]/{{ item.key }}'
+    pretty_print: yes
+    value: '{{ item.value }}'
+  loop: '{{ default_gateway | dict2items }}'
+  delegate_to: localhost
+
+- name: add firewall rule
+  xml:
+    path: '{{ kypo_interface_opnsense_local_config_file }}'
+    xpath: '/opnsense/filter/rule[descr[text()="{{ firewall_rule.descr }}"]]/{{ item.key }}'
+    pretty_print: yes
+    value: '{{ item.value }}'
+  loop: '{{ firewall_rule | dict2items }}'
+  delegate_to: localhost
+
+- name: copy the modified configuration to machine
+  copy:
+    src: '{{ kypo_interface_opnsense_local_config_file }}'
+    dest: '{{ kypo_interface_opnsense_config_file }}'
+  register: configuration_copy
+
+- name: reboot
+  reboot:
+  when: configuration_copy is changed
--- a/tasks/check-OPNsense.yml
+++ b/tasks/check-OPNsense.yml
+
+- name: stat OPNsense config file
+  stat:
+    path: '{{ kypo_interface_opnsense_config_file }}'
+  register: opnsense_config_stat
+
+- name: check if config file exists
+  fail:
+    msg: "/conf/config.xml not found, only OPNsense is supported out of FreeBSD systems"
+  when: not opnsense_config_stat.stat.exists
+
+- name: fetch config file
+  fetch:
+    src: '{{ kypo_interface_opnsense_config_file }}'
+    dest: '{{ kypo_interface_opnsense_local_config_file }}'
+    flat: yes
+
+- name: install lxml on controller
+  pip:
+    name: lxml
+  delegate_to: localhost
+
+- name: check config file contains opnsense xml root
+  xml:
+    path: '{{ kypo_interface_opnsense_local_config_file }}'
+    xpath: /opnsense
+    content: attribute
+  delegate_to: localhost
+  register: opnsense_config_root
+
+- name: assert if OPNsense
+  fail:
+    msg: "Only OPNsense is supported out of FreeBSD systems"
+  when: opnsense_config_root.matches | length != 1
--- a/tasks/clean.yml
+++ b/tasks/clean.yml

- name: find all interfaces configuration files
-  find:
-      paths:
-          - '{{ kypo_interface_directory }}'
-  register: kypo_interface_extra_files
-
- set_fact:
-      kypo_interface_config_files: '{{ (kypo_interface_extra_files.files | map(attribute="path") | list) + [kypo_interface_default_file] }}'
-
 - name: remove old iface settings for retrieved interface name
  replace:
      path: '{{ item }}'
@@ -21,11 +12,3 @@
      regexp: '^.*(?<=\s){{ kypo_interface_device }}(?=\s).*$'
  notify: kypo_interface_networking_restart
  with_items: '{{ kypo_interface_config_files }}'
-
- name: remove multiple consecutive new line characters
-  replace:
-      path: '{{ item }}'
-      regexp: '(\n)+'
-      replace: '\n'
-  with_items: '{{ kypo_interface_config_files }}'
-
--- a/tasks/interface-FreeBSD.yml
+++ b/tasks/interface-FreeBSD.yml
+- name: prepare interface configuration
+  set_fact:
+    kypo_interface_config:
+      if: '{{ kypo_interface_device }}'
+      ipaddr: dhcp
+      mtu: '{{ kypo_interface_mtu }}'
+      enable: 1
+
+- name: configure interface
+  xml:
+    path: '{{ kypo_interface_opnsense_local_config_file }}'
+    xpath: '/opnsense/interfaces/{{ kypo_interface_device }}/{{ item.key }}'
+    value: '{{ item.value }}'
+    pretty_print: yes
+  delegate_to: localhost
+  loop: '{{ kypo_interface_config | dict2items }}'
--- a/tasks/interface.yml
+++ b/tasks/interface.yml
-
- name: configure interface
-  blockinfile:
-      path: '{{ kypo_interface_file }}'
-      create: yes
-      marker: '# {mark} {{ kypo_interface_device }}'
-      block: |
-          allow-hotplug {{ kypo_interface_device }}
-          auto {{ kypo_interface_device }}
-          iface {{ kypo_interface_device }} inet dhcp
-              mtu {{ kypo_interface_mtu }}
-              {% if kypo_interface_default_gateway -%}
-              gateway {{ kypo_interface_default_gateway }}
-              up route add default gw {{ kypo_interface_default_gateway }}
-              {% endif -%}
-              {% if kypo_interface_routes -%}
-              {% for route in kypo_interface_routes -%}
-              post-up ip route add {{ route['network'] }}/{{ route['mask'] }} via {{ route['gateway'] }}
-              pre-down ip route del {{ route['network'] }}/{{ route['mask'] }} via {{ route['gateway'] }}
-              {% endfor %}
-              {% endif %}
-  notify: kypo_interface_networking_restart
-
--- a/tasks/main-interface.yml
+++ b/tasks/main-interface.yml
-
- name: check existence of required variables
-  fail:
-      msg: kypo_interface_mac is not defined
-  when: not kypo_interface_mac
-
- set_fact:
-      kypo_interface_device: '{%- from "roles/kypo-common/templates/network.j2" import mac_to_interface with context -%}
-                         {{ mac_to_interface(kypo_interface_mac) | default("") }}'
-
- include: clean.yml
-  when: kypo_interface_clean is defined and kypo_interface_clean
-
- include: interface.yml
-
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,12 +5,11 @@
  when: item.value is undefined or not item.value
  with_dict: '{{ kypo_interface_required_variables }}'

- include: main-interface.yml
-  loop_control:
-      loop_var: kypo_interface_interface
-  vars:
-      kypo_interface_default_gateway: '{{ kypo_interface_interface.kypo_interface_default_gateway | default() }}'
-      kypo_interface_routes: '{{ kypo_interface_interface.kypo_interface_routes | default([]) }}'
-      kypo_interface_mac: '{{ kypo_interface_interface.kypo_interface_mac | default() }}'
-  with_items: '{{ kypo_interface_interfaces }}'
+- name: check existence of required variables
+  fail:
+      msg: kypo_interface_interfaces has an item with undefined kypo_interface_mac or kypo_interface_device
+  when: |
+    (kypo_interface_interfaces | rejectattr('kypo_interface_mac', 'defined') | length > 0) or
+    (kypo_interface_interfaces | rejectattr('kypo_interface_device', 'defined') | length > 0)

+- include_tasks: '{{ ansible_facts.os_family }}.yml'