
Do not force firewalld on people

In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
pull/132/head
Slavi Pantaleev, 7 years ago
parent
current commit af1c9ae59d
5 files changed, 0 insertions and 53 deletions
1. +0 -8 roles/matrix-base/tasks/setup_server_base.yml
2. +0 -14 roles/matrix-coturn/tasks/setup_coturn.yml
3. +0 -11 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
4. +0 -11 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
5. +0 -9 roles/matrix-synapse/tasks/setup_synapse_main.yml

+0 -8 roles/matrix-base/tasks/setup_server_base.yml

@@ -23,7 +23,6 @@
- bash-completion
- docker-ce
- docker-python
- firewalld
- ntp
- fuse
state: latest
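Review bot: dropping firewalld from the package list stops it being installed on new hosts, but it stays installed on hosts this playbook already provisioned, where the start/enable task removed in the next hunk had switched it on; those hosts keep running firewalld with whatever rules were added earlier, so the change note should tell existing operators to either keep maintaining it themselves or disable it.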
@@ -67,13 +66,6 @@
update_cache: yes
when: ansible_os_family == 'Debian'

- name: Ensure firewalld is started and autoruns
service:
name: firewalld
state: started
enabled: yes
when: ansible_os_family == 'RedHat'

- name: Ensure Docker is started and autoruns
service:
name: docker
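Review bot: removing "Ensure firewalld is started and autoruns" without a counterpart that stops or disables the unit means the playbook silently stops managing a service it previously enabled on RedHat hosts. If the intent, per the commit message, is that Docker's own iptables rules are the only policy, the README should say so explicitly and note that the ports a container publishes are accepted by the rules Docker inserts, so publishing only the ports each service needs is what bounds exposure, not a host firewall an operator adds by hand.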


+0 -14 roles/matrix-coturn/tasks/setup_coturn.yml

@@ -54,20 +54,6 @@
daemon_reload: yes
when: "matrix_coturn_enabled and matrix_coturn_systemd_service_result.changed"

- name: Allow access to Coturn ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '3478/tcp'
- '3478/udp'
- '5349/tcp'
- '5349/udp'
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"

# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
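Review bot: the removed task was the only place where the TURN relay range `{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp` and the 3478/5349 tcp+udp listeners were spelled out as firewall policy; since the `when` guard limited it to RedHat, Debian hosts never had it anyway, but the role's documentation should now list these as the ports an operator-managed firewall must allow so the relay range does not get forgotten.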


+0 -11 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -99,17 +99,6 @@
name: "{{ matrix_nginx_proxy_docker_image }}"
when: matrix_nginx_proxy_enabled

- name: Allow access to nginx proxy ports in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- "http"
- "https"
when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"

- name: Ensure matrix-nginx-proxy.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
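Review bot: this task only ran on RedHat (`ansible_os_family == 'RedHat'`), so Debian hosts already relied on Docker's rules for the proxy ports and the removal makes both families behave the same; what is lost is the record of which ports the proxy needs, so the README should state that an operator-managed firewall must allow the http and https services to reach the proxy container.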


+0 -11 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -33,17 +33,6 @@
- "{{ matrix_ssl_lets_encrypt_support_email }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none"

- name: Allow access to HTTP/HTTPS in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- http
- https
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'"

- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
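Review bot: with the http/https opening gone, the certificate retrieval that follows (the certbot image pulled in the next task) depends on the challenge port being reachable from the internet through whatever firewall the operator runs; a sentence in the Let's Encrypt documentation saying that inbound http/https must be allowed when `matrix_ssl_retrieval_method == 'lets-encrypt'` would turn an otherwise hard-to-diagnose challenge failure into a known prerequisite.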


+0 -9 roles/matrix-synapse/tasks/setup_synapse_main.yml

@@ -77,12 +77,3 @@
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750

- name: Allow access to Matrix ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '8448/tcp' # Matrix federation
when: ansible_os_family == 'RedHat'
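Review bot: this task's guard was `when: ansible_os_family == 'RedHat'` with no enabled-flag condition, unlike the coturn and nginx-proxy tasks removed in the same commit, so deleting it also removes an inconsistency; 8448/tcp (federation) should join the documented list of ports for operator-managed firewalls, and since the commit message makes Docker's published ports the effective policy, the Synapse container's published ports are the place to review so that only federation and what the proxy fronts are exposed.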
