diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index a73e2c6..d13c4a6 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -4,3 +4,6 @@ zfs_snapshot_datasets:
 sshd_enabled: true
 sshd_conf: "sshd_config"
 pf_config: "homeserver_pf.conf"
+pflog_conf:
+  - name: 0
+    dev: pflog0
diff --git a/ansible/roles/firewall/defaults/main.yaml b/ansible/roles/firewall/defaults/main.yaml
new file mode 100644
index 0000000..2f0ece9
--- /dev/null
+++ b/ansible/roles/firewall/defaults/main.yaml
@@ -0,0 +1 @@
+pflog_conf: []
diff --git a/ansible/roles/firewall/handlers/main.yaml b/ansible/roles/firewall/handlers/main.yaml
index d45cae6..2ec1a42 100644
--- a/ansible/roles/firewall/handlers/main.yaml
+++ b/ansible/roles/firewall/handlers/main.yaml
@@ -3,3 +3,14 @@
   service:
     name: pf
     state: reloaded
+
+- name: restart pflog
+  when: is_pf_running.rc == 0
+  service:
+    name: pflog
+    state: restarted
+
+- name: stop pflog
+  service:
+    name: pflog
+    state: stopped
diff --git a/ansible/roles/firewall/tasks/freebsd.yaml b/ansible/roles/firewall/tasks/freebsd.yaml
index 412da5d..24406a4 100644
--- a/ansible/roles/firewall/tasks/freebsd.yaml
+++ b/ansible/roles/firewall/tasks/freebsd.yaml
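Review bot: `name: 0` in the new `pflog_conf` entry is parsed as an integer because it is unquoted, yet it is an identifier that gets spliced into rc.conf variable names (`pflog_{{item.name}}_dev` in tasks/freebsd.yaml) and into `pflog_instances`. Quoting it as `name: "0"` keeps YAML from retyping it (an instance named `01`, for example, would otherwise silently become `1`) and matches the quoted string style of `sshd_conf` and `pf_config` just above.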
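Review bot: The new `restart pflog` handler's `when: is_pf_running.rc == 0` references a variable registered by a task in tasks/freebsd.yaml, so the handler fails with an undefined variable whenever it is notified in a run where that task did not execute (tag-limited runs, `--start-at-task`, or another play reusing these handlers). Guard it, e.g. `when: is_pf_running is defined and is_pf_running.rc == 0`. The gate also means that when pf was found stopped (the registering task has `ignore_errors: true`, so the play continues), pflog is not restarted even if a later task starts pf, so new logging instances would not come up until the next run or a reboot; if that is the case, notify `restart pflog` from whatever task starts pf, or drop the condition. The three context lines belong to the `reload pf` handler, whose `- name:` line is outside the hunk.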
@@ -27,3 +27,43 @@
   register: is_pf_running
   failed_when: is_pf_running.rc != 0
   ignore_errors: true
+
+- name: Enable pflog
+  notify: restart pflog
+  community.general.sysrc:
+    name: pflog_enable
+    value: "YES"
+    path: /etc/rc.conf.d/pflog
+  when: pflog_conf|length > 0
+
+- name: Disable pflog
+  notify: stop pflog
+  community.general.sysrc:
+    name: pflog_enable
+    value: "NO"
+    path: /etc/rc.conf.d/pflog
+  when: pflog_conf|length == 0
+
+- name: Set pflog instances
+  notify: restart pflog
+  community.general.sysrc:
+    name: pflog_instances
+    value: "{{ pflog_conf|community.general.json_query('[].name')|join(' ') }}"
+    path: /etc/rc.conf.d/pflog
+  when: pflog_conf|length > 0
+
+- name: Remove pflog instances
+  notify: stop pflog
+  community.general.sysrc:
+    name: jail_list
+    state: absent
+    path: /etc/rc.conf.d/pflog
+  when: pflog_conf|length == 0
+
+- name: Set pflog device names
+  notify: restart pflog
+  community.general.sysrc:
+    name: "pflog_{{item.name}}_dev"
+    value: "{{ item.dev }}"
+    path: /etc/rc.conf.d/pflog
+  loop: "{{ pflog_conf }}"
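Review bot: `Remove pflog instances` removes the key `jail_list` from /etc/rc.conf.d/pflog, which looks like a copy-paste slip: the key the sibling task writes is `pflog_instances`, so with an empty `pflog_conf` the stale instance list stays in the file while `pflog_enable` flips to `NO`. Change that line to `name: pflog_instances`. The per-instance `pflog_<name>_dev` keys written by `Set pflog device names` are likewise never removed when an instance is dropped from `pflog_conf`, so the rc file accumulates entries; if that matters, a cleanup task driven by the previously configured names would be needed. Minor: `pflog_conf|community.general.json_query('[].name')` requires the jmespath library on the controller for what `pflog_conf | map(attribute='name')` does with core Jinja.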